Posted to dev@directory.apache.org by Michael B Allen <io...@gmail.com> on 2008/06/27 03:01:05 UTC

Ideas Wanted: NTLMv2, Kerberos, JAAS, ...

Hi,

I'm working on implementing Kerberos 5 and NTLMv2 for an open source
CIFS client. Being a Windows / Java solution it seems to me we're distant
cousins.

I'm going to be doing classes for NTLM credentials and principals,
JAAS integration and utility classes, possibly some JNDI to do "site"
based SRV lookups (to set java.security.krb5.kdc - gotta love all that
LoginModule configuration BS), ... etc.

Is everyone on-board with Java's Subject based security code? I'm not
yet convinced but so far I'm playing along.

Do you guys have or want NTLMv2, Kerberos, SPNEGO, NTLMSSP, ...? If so,
I'm interested in hearing opinions about how to "properly" implement
such things to maximize cross-pollination.

Is anyone aware of other projects doing this sort of stuff?

In general I'm interested in hearing about anything wrt the above that
has worked well for you (or what to watch out for). I've been doing C
for a while and I want to know where Java's at with this stuff.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

Re: Ideas Wanted: NTLMv2, Kerberos, JAAS, ...

Posted by Alex Karasulu <ak...@apache.org>.
Hi all,

On Fri, Jun 27, 2008 at 1:29 PM, Emmanuel Lecharny <el...@apache.org>
wrote:

> Michael B Allen wrote:
>
>>  We already have NTLM and Kerberos implemented :
>>> http://cwiki.apache.org/confluence/display/DIRxSRVx11/SASL+NTLM+Support
>>>
>>>
>>
>> Hi Emmanuel,
>>
>> But I can see it's just an empty "provider".
>>
>> You cannot do the "man-in-the-middle" thing with NTLMv2. NTLMv2 hashes
>> include the target which is specifically designed to thwart such a
>> technique. That hack only works with NTLMv1.
>>
>> To create a proper NTLMv2 acceptor you must do NETLOGON pass-through
>> authentication using DCERPC (or possibly the krb5-digest technique
>> used by Heimdal). Also for the acceptor you will need to do SPNEGO
>> because clients will send those tokens so you have to deal with them
>> (Windows clients at least).
>>
>>
> I would wait for Alex to reply, as he is the guy working on this part.
>

Yep yep Michael, this is for NTLMv1 using jCIFS - I have abstracted it out
with providers so if something other than jCIFS is available we can use
that.

Alex

Re: Ideas Wanted: NTLMv2, Kerberos, JAAS, ...

Posted by Emmanuel Lecharny <el...@apache.org>.
Michael B Allen wrote:
>>  We already have NTLM and Kerberos implemented :
>> http://cwiki.apache.org/confluence/display/DIRxSRVx11/SASL+NTLM+Support
>>     
>
> Hi Emmanuel,
>
> But I can see it's just an empty "provider".
>
> You cannot do the "man-in-the-middle" thing with NTLMv2. NTLMv2 hashes
> include the target which is specifically designed to thwart such a
> technique. That hack only works with NTLMv1.
>
> To create a proper NTLMv2 acceptor you must do NETLOGON pass-through
> authentication using DCERPC (or possibly the krb5-digest technique
> used by Heimdal). Also for the acceptor you will need to do SPNEGO
> because clients will send those tokens so you have to deal with them
> (Windows clients at least).
>   
I would wait for Alex to reply, as he is the guy working on this part.
>>  We also have a SPNEGO codec in sandbox, but it needs to be leveraged.
>>     
>
> Nice. You'll need that. Note that Java 1.6 supposedly has SPNEGO. But
> based on past performance by Sun in this area, I would test it very
> carefully.
>   
As ADS is expecting to work on Java 5, we won't use Java6 SPNEGO impl. 
If you are interested in what we have, here is the doco and the source 
link :

http://cwiki.apache.org/confluence/display/DIRxASN1/SpnegoCodec

code fragments :
http://svn.apache.org/viewvc/directory/sandbox/erodriguez/kerberos-spnego/

and the SPNEGO codec implementation (quite old ...)
http://svn.apache.org/viewvc/directory/sandbox/trunk/asn1-new-codec/src/java/org/apache/asn1/spnego/?pathrev=279970

plus some tests :
http://svn.apache.org/viewvc/directory/sandbox/trunk/asn1-new-codec/src/test/org/apache/asn1/spnego/codec/?pathrev=279970

Pretty rough...
>>  I think there is room for improvement in the way we handle that kind of
>> stuff. And I think we also need people to help us to improve these
>> implementations. Is there a better way than collaborating ?
>>     
>
> Well I was thinking we could share code although at this point it
> doesn't look like I'm going to steal anything from you today :-)
>   
'Steal' is not the right word. This is ASL 2.0 code, you can take it, use 
and abuse it, build a product and sell the product with it, as soon as 
you keep the Notice available :)

> I will try to separate things into reusable packages with minimal deps
> but at the moment I'm only doing the initiator so I'm not sure how
> much it will help you.
>   
Currently, I'm reviewing the LDAP BindRequest, which includes various 
SASL mechanisms. We are navigating the very same area ! It's not really 
easy, and I'm sure I will benefit from any help ! This is also the way 
Apache software is being built :)

Thanks !

-- 
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org



Re: Ideas Wanted: NTLMv2, Kerberos, JAAS, ...

Posted by Michael B Allen <io...@gmail.com>.
On 6/27/08, Emmanuel Lecharny <el...@apache.org> wrote:
> Michael B Allen wrote:
>
> > Hi,
> >
> >
>  Hi,
>
> > I'm working on implementing Kerberos 5 and NTLMv2 for an open source
> > CIFS client. Being a Windows / Java solution it seems to me we're distant
> > cousins.
> >
> > I'm going to be doing classes for NTLM credentials and principals,
> > JAAS integration and utility classes, possibly some JNDI to do "site"
> > based SRV lookups (to set java.security.krb5.kdc - gotta love all that
> > LoginModule configuration BS), ... etc.
> >
> > Is everyone on-board with Java's Subject based security code? I'm not
> > yet convinced but so far I'm playing along.
> >
> >
>  We already have NTLM and Kerberos implemented :
> http://cwiki.apache.org/confluence/display/DIRxSRVx11/SASL+NTLM+Support

Hi Emmanuel,

But I can see it's just an empty "provider".

You cannot do the "man-in-the-middle" thing with NTLMv2. NTLMv2 hashes
include the target which is specifically designed to thwart such a
technique. That hack only works with NTLMv1.

To create a proper NTLMv2 acceptor you must do NETLOGON pass-through
authentication using DCERPC (or possibly the krb5-digest technique
used by Heimdal). Also for the acceptor you will need to do SPNEGO
because clients will send those tokens so you have to deal with them
(Windows clients at least).

>  For Kerberos, we have some doc somewhere on the same place, but I don't
> have access to http right now, so you will have to dig the site by yourself,
> or wait a few hours so I reach office ...
>
>
> > Do you guys have or want NTLMv2, Kerberos, SPNEGO, NTLMSSP, ...? If so,
> > I'm interested in hearing opinions about how to "properly" implement
> > such things to maximize cross-pollination.
> >
> >
>  We also have a SPNEGO codec in sandbox, but it needs to be leveraged.

Nice. You'll need that. Note that Java 1.6 supposedly has SPNEGO. But
based on past performance by Sun in this area, I would test it very
carefully.

> > Is anyone aware of other projects doing this sort of stuff?
> >
> > In general I'm interested in hearing about anything wrt the above that
> > has worked well for you (or what to watch out for). I've been doing C
> > for a while and I want to know where Java's at with this stuff.
> >
> >
>  I think there is room for improvement in the way we handle that kind of
> stuff. And I think we also need people to help us to improve these
> implementations. Is there a better way than collaborating ?

Well I was thinking we could share code although at this point it
doesn't look like I'm going to steal anything from you today :-)

I will try to separate things into reusable packages with minimal deps
but at the moment I'm only doing the initiator so I'm not sure how
much it will help you.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

Re: Ideas Wanted: NTLMv2, Kerberos, JAAS, ...

Posted by Emmanuel Lecharny <el...@apache.org>.
Michael B Allen wrote:
> Hi,
>   
Hi,
> I'm working on implementing Kerberos 5 and NTLMv2 for an open source
> CIFS client. Being a Windows / Java solution it seems to me we're distant
> cousins.
>
> I'm going to be doing classes for NTLM credentials and principals,
> JAAS integration and utility classes, possibly some JNDI to do "site"
> based SRV lookups (to set java.security.krb5.kdc - gotta love all that
> LoginModule configuration BS), ... etc.
>
> Is everyone on-board with Java's Subject based security code? I'm not
> yet convinced but so far I'm playing along.
>   
We already have NTLM and Kerberos implemented :
http://cwiki.apache.org/confluence/display/DIRxSRVx11/SASL+NTLM+Support
For Kerberos, we have some doc somewhere on the same place, but I don't 
have access to http right now, so you will have to dig the site by 
yourself, or wait a few hours so I reach office ...

> Do you guys have or want NTLMv2, Kerberos, SPNEGO, NTLMSSP, ...? If so,
> I'm interested in hearing opinions about how to "properly" implement
> such things to maximize cross-pollination.
>   
We also have a SPNEGO codec in sandbox, but it needs to be leveraged.
> Is anyone aware of other projects doing this sort of stuff?
>
> In general I'm interested in hearing about anything wrt the above that
> has worked well for you (or what to watch out for). I've been doing C
> for a while and I want to know where Java's at with this stuff.
>   
I think there is room for improvement in the way we handle that kind of 
stuff. And I think we also need people to help us to improve these 
implementations. Is there a better way than collaborating ?

-- 
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org