directory-dev mailing list archives

From "Michael B Allen" <iop...@gmail.com>
Subject Re: Ideas Wanted: NTLMv2, Kerberos, JAAS, ...
Date Fri, 27 Jun 2008 16:51:59 GMT
On 6/27/08, Emmanuel Lecharny <elecharny@apache.org> wrote:
> Michael B Allen wrote:
>
> > Hi,
> >
> >
>  Hi,
>
> > I'm working on implementing Kerberos 5 and NTLMv2 for an open source
> > CIFS client. Being a Windows / Java solution it seems to me we're distant
> > cousins.
> >
> > I'm going to be doing classes for NTLM credentials and principals,
> > JAAS integration and utility classes, possibly some JNDI to do "site"
> > based SRV lookups (to set java.security.krb5.kdc - gotta love all that
> > LoginModule configuration BS), ... etc.
> >
> > Is everyone on-board with Java's Subject based security code? I'm not
> > yet convinced but so far I'm playing along.
> >
> >
>  We already have NTLM and Kerberos implemented:
> http://cwiki.apache.org/confluence/display/DIRxSRVx11/SASL+NTLM+Support

Hi Emmanuel,

But I can see it's just an empty "provider".

You cannot do the "man-in-the-middle" thing with NTLMv2. NTLMv2 hashes
include the target, which is specifically designed to thwart such a
technique. That hack only works with NTLMv1.

To create a proper NTLMv2 acceptor you must do NETLOGON pass-through
authentication using DCERPC (or possibly the krb5-digest technique
used by Heimdal). Also for the acceptor you will need to do SPNEGO
because clients will send those tokens so you have to deal with them
(Windows clients at least).

>  For Kerberos, we have some doc somewhere on the same place, but I don't
> have access to http right now, so you will have to dig the site by yourself,
> or wait a few hours so I reach office ...
>
>
> > Do you guys have or want NTLMv2, Kerberos, SPNEGO, NTLMSSP, ...? If so,
> > I'm interested in hearing opinions about how to "properly" implement
> > such things to maximize cross-pollination.
> >
> >
>  We also have a SPNEGO codec in sandbox, but it needs to be leveraged.

Nice. You'll need that. Note that Java 1.6 supposedly has SPNEGO. But
based on past performance by Sun in this area, I would test it very
carefully.

> > Is anyone aware of other projects doing this sort of stuff?
> >
> > In general I'm interested in hearing about anything wrt the above that
> > has worked well for you (or what to watch out for). I've been doing C
> > for a while and I want to know where Java's at with this stuff.
> >
> >
>  I think there is room for improvement in the way we handle that kind of
> stuff. And I think we also need people to help us to improve these
> implementations. Is there a better way than collaborating?

Well I was thinking we could share code although at this point it
doesn't look like I'm going to steal anything from you today :-)

I will try to separate things into reusable packages with minimal deps
but at the moment I'm only doing the initiator so I'm not sure how
much it will help you.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
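The target binding Mike points to above can be seen in the NTLMv2 response layout itself. The following is an added example, not code from this thread, from JCIFS or from Apache Directory: it follows the MS-NLMP NTLMv2 computation (NTOWFv2, then NTProofStr over the server challenge and a `temp` blob that carries the server's TargetInfo AV pairs) and shows the acceptor-side check that the bound computer name is its own. The NT hash, challenges, timestamp and the names `alice`, `CORP`, `FILESRV-A`/`FILESRV-B` are constructed values; the acceptor is assumed to already hold the NT hash, which in practice is exactly what the NETLOGON pass-through step in the mail is needed for.

```python
import hashlib
import hmac
import struct

# AV_PAIR ids from MS-NLMP (only the ones this example uses)
MSV_AV_EOL = 0x0000
MSV_AV_NB_COMPUTER_NAME = 0x0001
MSV_AV_NB_DOMAIN_NAME = 0x0002


def av_pairs(nb_computer: str, nb_domain: str) -> bytes:
    """Encode the server's TargetInfo as AV_PAIRs: AvId(2) AvLen(2) Value, ending with MsvAvEOL."""
    out = b""
    for av_id, value in ((MSV_AV_NB_DOMAIN_NAME, nb_domain),
                         (MSV_AV_NB_COMPUTER_NAME, nb_computer)):
        encoded = value.encode("utf-16-le")
        out += struct.pack("<HH", av_id, len(encoded)) + encoded
    return out + struct.pack("<HH", MSV_AV_EOL, 0)


def parse_av_pairs(blob: bytes) -> dict:
    """Decode AV_PAIRs back into {AvId: value}; stops at MsvAvEOL or at the end of the blob."""
    pairs = {}
    offset = 0
    while offset + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, offset)
        offset += 4
        if av_id == MSV_AV_EOL:
            break
        pairs[av_id] = blob[offset:offset + av_len].decode("utf-16-le")
        offset += av_len
    return pairs


def ntowf_v2(nt_hash: bytes, user: str, user_domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) || user_domain))."""
    return hmac.new(nt_hash, (user.upper() + user_domain).encode("utf-16-le"),
                    hashlib.md5).digest()


def ntlmv2_response(nt_hash, user, user_domain, server_challenge, client_challenge,
                    timestamp, target_info):
    """Client side: NtChallengeResponse = NTProofStr || temp.

    temp = RespType(1) HiRespType(1) Z(6) Time(8) ClientChallenge(8) Z(4) TargetInfo Z(4),
    so the server's TargetInfo is covered by the HMAC.
    """
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    key = ntowf_v2(nt_hash, user, user_domain)
    nt_proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return nt_proof + temp


def verify_ntlmv2(nt_hash, user, user_domain, server_challenge, response, my_nb_computer):
    """Acceptor side: recompute NTProofStr over the received temp, then check that the
    TargetInfo the client signed names this server and not some other host."""
    if len(response) < 16 + 28 + 4:
        return False
    nt_proof, temp = response[:16], response[16:]
    key = ntowf_v2(nt_hash, user, user_domain)
    expected = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    if not hmac.compare_digest(nt_proof, expected):
        return False
    bound = parse_av_pairs(temp[28:-4])
    return bound.get(MSV_AV_NB_COMPUTER_NAME, "").upper() == my_nb_computer.upper()


def demo():
    """Constructed values throughout (the NT hash is not derived from any real password)."""
    nt_hash = bytes.fromhex("00112233445566778899aabbccddeeff")
    server_challenge = bytes.fromhex("0123456789abcdef")
    client_challenge = bytes.fromhex("fedcba9876543210")
    timestamp = 0x01C8D8A0_00000000  # FILETIME-style 64-bit value, constructed
    target_a = av_pairs("FILESRV-A", "CORP")
    response = ntlmv2_response(nt_hash, "alice", "CORP", server_challenge,
                               client_challenge, timestamp, target_a)
    # Accepted by the server the client actually talked to.
    ok_at_a = verify_ntlmv2(nt_hash, "alice", "CORP", server_challenge, response, "FILESRV-A")
    # Presented unchanged to another host: the HMAC checks out, but TargetInfo names FILESRV-A.
    ok_at_b = verify_ntlmv2(nt_hash, "alice", "CORP", server_challenge, response, "FILESRV-B")
    # TargetInfo rewritten in transit: the proof no longer matches.
    tampered = response[:44] + av_pairs("FILESRV-B", "CORP") + response[-4:]
    ok_tampered = verify_ntlmv2(nt_hash, "alice", "CORP", server_challenge, tampered, "FILESRV-B")
    return ok_at_a, ok_at_b, ok_tampered


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The name check is the part an acceptor must not skip: the HMAC alone proves the client knows the NT hash, and only the comparison of the signed TargetInfo against the acceptor's own identity ties the response to this host.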
