[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: On backporting r21531 to 1.4.x.

From: Vladimir Berezniker <vmpn_at_hitechman.com>
Date: 2006-10-12 16:14:40 CEST

FYI, Resending this as original did not seem to reach the list:

Hello again,

Please see my earlier reply (I only get digest of the mailing list).

To clarify the question regarding specifying explicit user name/password
for SSPI. Yes, you can pass those in to get credential other than default
ones. At the moment neon just does not have the code/API to do so. A
callback like one for basic auth, but with additional parameter to tell
client which auth type is being promted for, so that it can tell is SSPI
or BASIC is attempted. If client tells to cancel auth neon will move on
to next method.

If If client returns null user name default credentials are used.
Otherwise specified use name and password are used. Let me know if I am
not clear and I will write some examples.

One more point, it seems that there might be value in adding code to log
the name of the user corresponding to default credentials.

Regards,

Vladimir

>
>
> On 10/9/06, Stefan Küng <tortoisesvn@gmail.com> wrote:
> [snip]
>> > If you have the username and password it is pretty easy (in Windows,
>> > anyway) to temporarily impersonate a user for SSPI auth.
>>
>> But then it's not SSPI authentication but basic authentication, isn't
>> it?
>>
>
>
> No, if LogonUser/Impersonate worked then it would be as if you were
> actually that user and should work with at least some SSPI scenarios.
> I've done it before with NTLM/Domain auth and it works fine, but Samay
> says it doesn't work in stricter Negotiate/Kerberos environments. I
> don't really know much about those setups.
>
> DJ
>
> ---------------------------------------------------------------------
>
> AFAIK, thats correct. e.g. if mod_auth_kerb is setup with
> "KrbMethodK5Passwd
> off and KrbMethodNegotiate on", and no impersonation is provided for
> unless
> Neon is extended to include its own Kerberos (kinit etc) functions to
> fetch
> KRB5 tkts for the UPN as provided in --username field and given password.
>
> If browse it with Firefox (with negotiate authentication disabled), user
> shall be greeted with "401: Authorization Required" page not a userID &
> password popup.
>
> regards
>
> Samay
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sun Oct 15 21:45:55 2006

This is an archived mail posted to the Subversion Dev mailing list.