RFR 6722928: Support SSPI as a native GSS-API provider
Michael Osipov
1983-01-06 at gmx.net
Fri Mar 22 16:23:27 UTC 2019
On 2019-03-22 at 16:28, Nico Williams wrote:
> On Thu, Mar 21, 2019 at 10:17:36PM +0100, Michael Osipov wrote:
>> * header comment: Why do you actually exclude NTLM from SPNEGO? Let SSPI work as
>> it is intended to work. Means less code you have to maintain.
>
> There's a few reasons:
>
> - NTLM doesn't have an OID, at least as I remember
I don't agree:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/e21c0b07-8662-41b7-8853-2b9184eab0db
Heimdal uses it, look at a SPNEGO token from SSPI in Wireshark, you'll
see it.
> - the JDK's JGSS stuff is very Kerberos-specific, especially w/ regards
> to the ServicePermission stuff
Granted.
> IMO JAAS (and with it, *Permission) should be removed with prejudice now
> that applet support has been removed. Perhaps stubs should be left
> behind for compatibility reasons, and all the doAs*() methods should
> just act as though permission is granted.
>
> Removing JAAS would be a wonderful simplification, then the JGSS stuff
> could stop being Kerberos-specific.
Fully agree; it has been a pain in the last couple of years. This would
also require an RFC update for the JGSS bindings to log on to the network
with username/password or keytab w/o login modules.
Michael