Windows future

Douglas E. Engert deengert at anl.gov
Fri Aug 13 10:01:36 EDT 2010



On 8/12/2010 6:26 PM, Sam Hartman wrote:
> I assume you're generally familiar with SSPI.
>
> Today, SSPI provides you with a way to get GSS-API.  You need to either
> be part of a domain, be willing to store your password in a service
> called credman, or modify your application to explicitly pass the
> password into the SSPI calls.
>
> On the server, you need to either be part of a domain or explicitly pass
> a password into the acceptor for each application.
>
> There's nothing quite like krb5_rd_cred, krb5_mk_cred, krb5_mk_priv,
> krb5_rd_priv, krb5_mk_safe, or krb5_rd_safe.
> Support for multiple accounts is not as well developed as KFW.
> There is no API compatibility with MIT.
>
> There are a few things you can do with GSS-API that you cannot do with
> SSPI, mostly surrounding gap/out of order tokens.  If you use SSPI's
> facilities for handling sequencing, you cannot process missing tokens in
> a UDP protocol.
>
> That's my rough understanding of the current state.
>
> --Sam


As an example of using SSPI, the PuTTY ssh client (in their svn) has
support to use either the KfW GSS-API or SSPI. A number of other PuTTY
implementations also can use SSPI.

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
See the bottom of the page for SVN access.

   > Wed May 19 18:22:17 2010 UTC (2 months, 3 weeks ago) by simon
   > File size: 35668 byte(s)
   > Patch from Alejandro Sedeno, somewhat modified by me, which
   > reorganises the GSSAPI support so that it handles alternative
   > implementations of the GSS-API. In particular, this means PuTTY can
   > now talk to MIT Kerberos for Windows instead of being limited to
   > SSPI. I don't know for sure whether further tweaking will be needed
   > (to the UI, most likely, or to automatic selection of credentials),
   > but testing reports suggest it's now at least worth committing to
   > trunk to get it more widely tested.

It's been working well using SSPI or KfW.

What is missing is an OpenAFS aklog that can use SSPI.
My old gssklog from 2004 could use SSPI  :-)



-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


