[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: "Windows Authentication" Was: "Credentials Caching - Security Guy Not Happy" from users list

From: James Chaldecott <james_at_swythan.co.uk>
Date: 2004-08-27 14:03:56 CEST

Steve Dwire wrote:
> [aaack. Gotta remember to use "reply to all..." Sorry, Max.]
>
> Yes. That acronym finds its way into both the "magic" SQL Server
> authentication and the existing Subversion-apache authentication.
>
> In SQL Server, my connect string for programmatic access includes the
> phrase "Integrated Security=SSPI;" in place of the more traditional
> "UID=myname;PWD=mysecret;". When using Subversion with Apache, the
> module that does Windows Domain Authentication is called mod_auth_sspi.
>
> So, there does appear to be some degree of commonality between the two
> authentication methods. That's one reason I strongly suspect there's
> more we can do in Subversion. I just wish I knew more about how it
> works and had a plan how we could make Subversion authenticate more like
> SQL Query Analyzer does.
>
> Steve Dwire

I had a little look at this a couple of months back, but never really
put enough effort in (We aren't actually using SVN here, so it was a
side project.). It would be kick-ass if it worked.

What you're looking seems to be variously known as either NTLM or SSPI
authentication (the former is the protocol the latter the win32 API).
Various open-source codebases support it on the client side e.g.
Mozilla[1] & libntlm[2].

On the client side, the authentication code would need to be added to
Neon[3], the library that SVN uses for WebDAV. I think the file to look
at is 'ne_auth.c'. It's unfortunately not what you'd call modular, but I
still think it shouldn't be that hard.

On the server side, I think mod_auth_sspi does everything you need, but
I can't be totally sure. The way to check would be to see if IE will
"automagically" authenticate itself to a directory secured with
mod_auth_sspi, I suppose.

Hope this helps,

James

[1] Mozilla has Windows only & cross-platform versions of NTLM Auth.

Win32 :
http://lxr.mozilla.org/aviarybranch/source/extensions/negotiateauth/nsNegotiateAuthSSPI.cpp

Cross-Platform :
http://lxr.mozilla.org/aviarybranch/source/security/manager/ssl/src/nsNTLMAuthModule.cpp

Called from here :
http://lxr.mozilla.org/aviarybranch/source/netwerk/protocol/http/src/nsHttpNTLMAuth.cpp

[2] http://josefsson.org/libntlm/

[3] http://www.webdav.org/neon/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Fri Aug 27 18:11:04 2004

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.