
[POC] Giving Subversion more control over SSPI credentials [was Re: On backporting r21531 to 1.4.x.]

From: Vladimir Berezniker <vmpn_at_hitechman.com>
Date: 2006-12-03 20:32:07 CET

Attached please find proof of concept hacks to neon and subversion, to
illustrate a way of giving subversion more control over SSPI credential
decisions. I will work on cleaning this up in the following iterations.

What does this do

   * Make neon call back into subversion asking for username and password
for SSPI, like basic auth already does.
   * Recognize special "<>" username and password as meaning get default
credentials.
   * Tell subversion which authentication mechanism the callback is for.
   * Turned off https check for negotiate, used to allow spying on http
traffic.
   * Turned off the check that was there to prevent retrying default SSPI
credentials if one successful attempt was already made, because this
breaks in the situation where default credentials are valid, but the server
does not accept them. Now the code leaves it up to the subversion auth
callback to decide when it does not want to try anymore.

What is not yet implemented

   * Ability to suppress use of default credentials. This is necessary
when default credentials have access to the repository, but one wants to
access it with different ones. This will partially address the issue
of the Guest account.

   * This patch does not fix the credentials expiring during long running
operations.

What was tested

   * Use of NTLM on a single XP box against mod_auth_sspi.

Notes

   There seems to be a bug in mod_auth_sspi that if provided with an invalid
token it no longer issues challenges. E.g. if you supply a wrong username and
password combination when using NTLM, you will get back a 401 but
without an NTLM challenge.

The reason for the patch being in such a raw state is the very limited
amount of time that I have to spend working on it.

Regards,

Vladimir

> On 10/12/06, Vladimir Berezniker <vmpn@hitechman.com> wrote:
>> FYI, Resending this as original did not seem to reach the list:
>>
>> Hello again,
>>
>> Please see my earlier reply (I only get digest of the mailing list).
>>
>> To clarify the question regarding specifying explicit user name/password
>> for SSPI. Yes, you can pass those in to get credentials other than
>> default ones. At the moment neon just does not have the code/API to do
>> so. A callback like the one for basic auth, but with an additional
>> parameter to tell the client which auth type is being prompted for, so
>> that it can tell if SSPI or BASIC is attempted. If the client tells to
>> cancel auth, neon will move on to the next method.
>>
>> If the client returns a null user name, default credentials are used.
>> Otherwise the specified user name and password are used. Let me know if I
>> am not clear and I will write some examples.
>>
>> One more point, it seems that there might be value in adding code to log
>> the name of the user corresponding to default credentials.
>>
>> Regards,
>>
>> Vladimir
>
>
> Does it work with all Negotiate auth protocols such as Samay's
> GSSAPI/Kerberos setup? If so, would you post some examples or better
> yet, post a patch for neon to neon's list to expose this option so
> that Subversion could use it at some point? Until it is in neon's
> API, there is not much we can do.
>
> DJ
>


Received on Sun Dec 3 20:32:33 2006

This is an archived mail posted to the Subversion Dev mailing list.
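
The callback flow described in this message, modelled as a self-contained C example added here; it is not the attached patch and not neon's or Subversion's API. All type and function names, the treatment of the "<>" marker under Basic, the retry ceiling and the sample credentials are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical names throughout: a model of the design, not a real API. */
enum scheme { SCH_NEGOTIATE, SCH_NTLM, SCH_BASIC };
enum cred_kind { CRED_CANCEL, CRED_DEFAULT, CRED_EXPLICIT };
#define DEFAULT_MARK "<>" /* marker from the message: use default credentials */
#define MAX_TRIES 8       /* assumed ceiling so a faulty callback cannot loop */
/* Client callback: told which scheme is prompting and how many tries were
 * made. Returns 0 with user/pass filled in, non-zero to drop this scheme. */
typedef int (*cred_cb)(enum scheme s, int attempt, char *user, char *pass, size_t n);
/* Stand-in for the server's verdict on one attempt (1 = accepted). */
typedef int (*server_fn)(enum scheme s, enum cred_kind k, const char *user, const char *pass);

enum cred_kind classify(enum scheme s, int rc, const char *user, const char *pass) {
    if (rc != 0) return CRED_CANCEL;
    if (strcmp(user, DEFAULT_MARK) == 0 && strcmp(pass, DEFAULT_MARK) == 0)
        /* Assumption: Basic has no default identity, so the marker cancels it. */
        return s == SCH_BASIC ? CRED_CANCEL : CRED_DEFAULT;
    return CRED_EXPLICIT;
}

/* Walk the offered schemes in order. The callback decides when to stop
 * retrying a scheme. Returns the scheme that authenticated, or -1. */
int authenticate(const enum scheme *offered, size_t count,
                 cred_cb cb, server_fn server, int *tries) {
    char user[64], pass[64];
    *tries = 0;
    for (size_t i = 0; i < count; i++) {
        for (int attempt = 0; attempt < MAX_TRIES; attempt++) {
            user[0] = pass[0] = '\0';
            int rc = cb(offered[i], attempt, user, pass, sizeof user);
            enum cred_kind k = classify(offered[i], rc, user, pass);
            if (k == CRED_CANCEL) break;   /* move on to the next scheme */
            ++*tries;
            if (server(offered[i], k, user, pass)) return (int)offered[i];
        }
    }
    return -1;
}

/* Sample policy: default credentials once, one explicit pair, then cancel. */
int sample_cb(enum scheme s, int attempt, char *user, char *pass, size_t n) {
    if (s == SCH_BASIC || attempt > 1) return 1;
    snprintf(user, n, "%s", attempt == 0 ? DEFAULT_MARK : "alice");  /* constructed */
    snprintf(pass, n, "%s", attempt == 0 ? DEFAULT_MARK : "s3cret"); /* constructed */
    return 0;
}
/* Constructed server: rejects the default identity, accepts alice via NTLM. */
int sample_server(enum scheme s, enum cred_kind k, const char *user, const char *pass) {
    return s == SCH_NTLM && k == CRED_EXPLICIT && !strcmp(user, "alice") && !strcmp(pass, "s3cret");
}
```

The sample server reproduces the case from the message where default credentials are valid but not accepted, so the callback's second answer (explicit credentials) is what authenticates.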