> Sent: Monday, 04 August 2014 at 08:22
> From: "Dan Fandrich" <d...@coneharvesters.com>
> To: curl-library@cool.haxx.se
> Subject: Re: [PATCH] docs: Update SPNEGO and GSS-API related doc sections
>
> On Sun, Aug 03, 2014 at 11:02:21PM +0200, Michael Osipov wrote:
> > > On Sun, Aug 03, 2014 at 08:53:55PM +0200, Michael Osipov wrote:
> > > > > On 2014-08-03 at 11:27, Dan Fandrich wrote:
> > > > >On Sun, Aug 03, 2014 at 10:50:21AM +0200, Michael Osipov wrote:
> > > > > >>On 2014-08-03 at 10:27, Dan Fandrich wrote:
> > > > >>>On Sat, Aug 02, 2014 at 02:18:29PM +0000, Michael Osipov wrote:
> > > > >>>>@@ -180,7 +180,8 @@ FOOTNOTES
> > > > >>>>    *1 = requires OpenSSL, GnuTLS, NSS, yassl, axTLS, PolarSSL, 
> > > > >>>> WinSSL (native
> > > > >>>>         Windows), Secure Transport (native iOS/OS X) or qssl 
> > > > >>>> (native IBM i)
> > > > >>>>    *2 = requires OpenLDAP
> > > > >>>>-  *3 = requires a GSSAPI-compliant library, such as Heimdal or 
> > > > >>>>similar
> > > > >>>>+  *3 = requires a GSS-API implementation, such as Heimdal, MIT 
> > > > >>>>Kerberos or
> > > > >>>>+       SSPI (native Windows)
> > > > >>>>    *4 = requires nghttp2 and possibly a recent TLS library
> > > > >>>>    *5 = requires a krb4 library, such as the MIT one or similar
> > > > >>>>    *6 = requires c-ares
> > > > >>>
> > > > >>>Minor nit on this one—this implies that SSPI provides a GSS-API 
> > > > >>>implementation.
> > > > >>>This might be slightly clearer:
> > > > >>>
> > > > >>>+  *3 = requires a GSS-API implementation such as Heimdal or MIT 
> > > > >>>Kerberos, or
> > > > >>>+       SSPI (native Windows)
> > > > >>
> > > > > >>In fact, SSPI is a proprietary GSS-API implementation but I do
> > > > > >>understand what you are referring to. I have trouble phrasing this in
> > > > > >>an unambiguous way.
> > > 
> > > But if SSPI provides a GSS-API implementation, why doesn't ftp.c use it?
> > > If SSPI provides the same API as MIT/Heimdal, there would be no reason to
> > > avoid using it there. Where is my understanding going wrong?
> > 
> > Your understanding is correct, but you aren't aware of the details. SSPI serves
> > the same purpose as GSS-API but Microsoft did choose a completely different
> > approach in a non-compatible API/ABI when this emerged in Windows 2000. So you
> > always need two code paths and no one did that for FTP. THIS IS Microsoft.
> 
> That's what I suspected. So, calling what it does GSS-API is inaccurate as it
> doesn't provide the GSS Application Programming Interface. In my reading on
> this, I discovered that SAP has provided an Open Source GSS-API emulation
> wrapper over SSPI called gsskrb5.dll. It would be interesting to see if this
> is sufficient to enable Kerberos support in ftp on Windows.

I am aware of that wrapper from SAP because this is at our company's SAP core
but I did not know that it is actually open source. It is a tremendous amount of
work to bridge both as they have different approaches in conventions. I am trying
to bridge this too, SSPI to JGSS. Bumpy, very bumpy road ahead.

Where is that library available? I wouldn't pull this into curl, I would rather
create a clean abstraction layer between curl and a framework and use that
throughout libcurl for all protocols, but that is work too :-)
 
> > > > >>Is this better: requires a GSS-API implementation (Unix-like OS) such
> > > > >>as Heimdal or MIT Kerberos, or SSPI (native Windows)
> > > > >>
> > > > > >>In general, those who know what SPNEGO is, will know the difference
> > > > > >>between GSS-API and SSPI, IMHO.
> > > > >>
> > > > >>How would you rephrase that?
> > > > >
> > > > > >I'm no expert on these differences, but I note that the Kerberos code for
> > > > > >FTP, IMAP, POP3, SMTP is disabled if SSPI is in use.
> > > > 
> > > > > Except FTP, none of those SASL-aware protocols use any GSS mechanism in curl.
> > > 
> > > Ah, I see it now. Those protocols detect a GSS-API request but there's no
> > > actual code to perform it.
> > 
> > Yes exactly, the server advertises all supported SASL mechs, e.g., LOGIN,
> > GSSAPI, EXTERNAL and your SASL client is free to choose one of them.
> > 
> > > > > >If SSPI truly provided a GSS-API implementation, then I would expect this
> > > > > >GSS-API code to be enabled. As *3 seems to conflate GSS-API and SPNEGO
> > > > > >requirements, perhaps it should be split into two line items in the spirit
> > > > > >of clarified documentation.
> > > > 
> > > > What about:
> > > > 
> > > >   *3 = requires a GSS-API implementation (Heimdal, MIT Kerberos) or
> > > >        SSPI (native Windows)
> > > 
> > > This still isn't accurate in the case of FTP, since FTP won't support Kerberos
> > > with SSPI.
> > 
> > You are right. I will introduce another footnote for FTP and Kerberos 5 support.
> > Is that acceptable?
> 
> That sounds like it would accurately describe the state of support for Kerberos
> in HTTP and FTP.

Preparing a reroll.

Michael
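
As an added example (not code from curl or from anyone in this thread), the following small C program illustrates the SASL selection described in the exchange above: the server advertises the mechanisms it supports, and the client picks the first mechanism in its own preference order that the server offers and that this build can actually perform. The mechanism table, the "implemented" flags (GSSAPI is deliberately marked unimplemented to mirror a build that recognises the mechanism name but has no code path behind it, as the thread says of curl's SASL protocols under SSPI) and the sample capability strings are all constructed for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* A mechanism the client knows by name, and whether this build can run it.
   Constructed table, not libcurl's SASL code. */
struct mech {
    const char *name;
    bool implemented;
};

/* Client preference order, strongest first. GSSAPI is recognised but has no
   code path in this hypothetical build, so it must never be selected even
   when the server advertises it. */
static const struct mech CLIENT_MECHS[] = {
    { "GSSAPI",   false },
    { "CRAM-MD5", true  },
    { "PLAIN",    true  },
    { "LOGIN",    true  },
};
#define NMECHS (sizeof(CLIENT_MECHS) / sizeof(CLIENT_MECHS[0]))

/* Does the server's space-separated advertisement contain mech?
   Accepts bare names (as in an SMTP "AUTH LOGIN GSSAPI" line) and IMAP's
   "AUTH=GSSAPI" capability form. Exact token match only, so "PLAIN" does
   not match a token like "PLAINTEXT". */
static bool server_offers(const char *advertised, const char *mech)
{
    size_t mlen = strlen(mech);
    const char *p = advertised;

    while (*p) {
        while (*p == ' ')
            p++;
        const char *tok = p;
        while (*p && *p != ' ')
            p++;
        size_t tlen = (size_t)(p - tok);
        if (tlen >= 5 && strncmp(tok, "AUTH=", 5) == 0) {
            tok += 5;
            tlen -= 5;
        }
        if (tlen == mlen && strncmp(tok, mech, mlen) == 0)
            return true;
    }
    return false;
}

/* Pick the first mechanism in client preference order that is both
   advertised by the server and implemented in this build; NULL if none. */
const char *choose_mech(const char *advertised)
{
    for (size_t i = 0; i < NMECHS; i++) {
        if (!CLIENT_MECHS[i].implemented)
            continue;
        if (server_offers(advertised, CLIENT_MECHS[i].name))
            return CLIENT_MECHS[i].name;
    }
    return NULL;
}

int main(void)
{
    /* Constructed server advertisements, one per line. */
    const char *caps[] = {
        "LOGIN GSSAPI EXTERNAL",
        "AUTH=GSSAPI AUTH=CRAM-MD5 AUTH=PLAIN",
        "EXTERNAL GSSAPI",
    };
    for (size_t i = 0; i < sizeof(caps) / sizeof(caps[0]); i++) {
        const char *chosen = choose_mech(caps[i]);
        printf("server offers [%s] -> client picks %s\n",
               caps[i], chosen ? chosen : "(nothing usable)");
    }
    return 0;
}
```

The third advertisement is the case the thread is about: the server offers GSSAPI, the client recognises the name, but because nothing implements it in this build the negotiation ends with no usable mechanism rather than a half-started GSS exchange.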

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
