directory-dev mailing list archives

From "Alex Karasulu" <akaras...@apache.org>
Subject Re: Ideas Wanted: NTLMv2, Kerberos, JAAS, ...
Date Wed, 02 Jul 2008 01:46:50 GMT
Hi all,

On Fri, Jun 27, 2008 at 1:29 PM, Emmanuel Lecharny <elecharny@apache.org>
wrote:

> Michael B Allen wrote:
>
>>> We already have NTLM and Kerberos implemented:
>>> http://cwiki.apache.org/confluence/display/DIRxSRVx11/SASL+NTLM+Support
>>
>> Hi Emmanuel,
>>
>> But I can see it's just an empty "provider".
>>
>> You cannot do the "man-in-the-middle" thing with NTLMv2. NTLMv2 hashes
>> include the target which is specifically designed to thwart such a
>> technique. That hack only works with NTLMv1.
>>
>> To create a proper NTLMv2 acceptor you must do NETLOGON pass-through
>> authentication using DCERPC (or possibly the krb5-digest technique
>> used by Heimdal). Also for the acceptor you will need to do SPNEGO
>> because clients will send those tokens so you have to deal with them
>> (Windows clients at least).
>>
>>
> I would wait for Alex to reply, as he is the guy working on this part.
>

Yep yep Michael, this is for NTLMv1 using jCIFS - I have abstracted it out
with providers so if something other than jCIFS is available we can use
that.

Alex
