[aaack. Gotta remember to use "reply to all..." Sorry, Max.]
Yes. That acronym finds its way into both the "magic" SQL Server
authentication and the existing Subversion-apache authentication.
In SQL Server, my connect string for programmatic access includes the
phrase "Integrated Security=SSPI;" in place of the more traditional
"UID=myname;PWD=mysecret;". When using Subversion with Apache, the
module that does Windows Domain Authentication is called mod_auth_sspi.
So, there does appear to be some degree of commonality between the two
authentication methods. That's one reason I strongly suspect there's
more we can do in Subversion. I just wish I knew more about how it
works and had a plan how we could make Subversion authenticate more like
SQL Query Analyzer does.
Steve Dwire
-----Original Message-----
From: Max Bowsher [mailto:maxb@ukf.net]
Sent: Thursday, August 26, 2004 1:13 PM
To: Steve Dwire; dev@subversion.tigris.org
Subject: Re: "Windows Authentication" Was: "Credentials Caching -
Security Guy Not Happy" from users list
Steve Dwire wrote:
> [cross-posting to dev]
>
> OK... I'm about to expose my ignorance and Windows-centric
perspective
> here...
>
> With SQL Server and the Query Analyzer client, I can log on using
> "Windows Authentication", and the server somehow magically accepts the
> credentials I used to log in to the system. I don't have to re-type my
> domain logon and password, and it's not cached anywhere. IIS and
> Internet Explorer have some means of exchanging those credentials as
> well - if everything's configured "properly."
>
> At this point, all I know is that it's possible for a server process
to
> accept my existing windows domain authentication even when I'm on a
> different machine. I have no idea how that handshake works. I'm
> thinking that if we could get Subversion and Apache to work the same
> way, we would resolve the security problem with cleartext passwords
and
> make life happier for most Windows domain users (and admins).
>
> Can someone a) point me to a document explaining (at a high level) how
> those existing client/server handshakes work, b) enumerate what would
> have to be added to the SVN (or TortoiseSVN) client software and
apache
> mod_auth_??? to support this kind of seamless authentication mode,
> and/or c) explain why that concept just plain won't work between svn
and
> Apache?
IIRC, the acronym "SSPI" has something to do with this. That is the
entire
depth of my knowledge on the subject, though.
Max.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Thu Aug 26 20:26:58 2004