Add support for GSS-SPNEGO bind #33
Conversation
@awakecoding Thanks for the PR! I gave it a brief once-over since I don't have the time for much more ATM. It's OK with two caveats: I think I'd prefer a different way of parsing (more like exops), and I'd place the whole thing behind a compile-time feature (
@inejge thanks, I was expecting to have to make modifications before it is clean enough to be merged. I need to make one unexpected small change before we can merge this: yes, the bind works, but in its current form GSS-SPNEGO confidentiality and integrity are negotiated. In other words, all messages following the GSS-SPNEGO bind are encapsulated in SASL buffers with support for confidentiality (encryption) and integrity (signing) based on a session key derived from the NTLM or Kerberos exchange. I've checked MS-ADTS and this feature works only without TLS; if it is used over TLS, Active Directory will reject the requests.

I've managed to disable confidentiality and integrity and it works, but I'd like your input on how such a feature could be added to the current code. This is a significant change: a mutable context (the SPNEGO context) needs to be preserved for the entire LDAP connection. All messages being sent need to be wrapped in SASL buffers with optional encryption and signing. All messages being received need to handle the SASL buffer encapsulation layer, optionally decrypt and validate the signatures.

For this PR, I'll add the necessary options to sspi-rs to disable confidentiality and integrity negotiation in the NTLM exchange, but after that I'd look into supporting this feature. Active Directory does not enforce LDAPS by default, which means this is likely the best protection against MITM attacks on LDAP traffic when TLS is not in use (TLS remains the preferred option, always).
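The encapsulation layer described in the comment above, as an added example written for this page (it is not code from ldap3 or sspi-rs, and does not show how either project implements the bind). It keeps a mutable per-connection context with independent send and receive sequence numbers, wraps each outgoing LDAP PDU in a SASL buffer (4-byte big-endian length prefix as in RFC 4422 section 3.7, then a 16-byte NTLM-style signature of version || checksum || sequence number as laid out in MS-NLMP, then the payload), and reassembles incoming buffers from a byte stream that TCP may split or merge. Assumptions: integrity only, no encryption (the mode the comment says works once confidentiality is disabled); `StandInChecksum` is a non-cryptographic placeholder standing in for the HMAC-MD5 under the session key that the real SSPI context would compute; the key bytes and LDAP PDUs in the test are constructed, not captured.

```rust
use std::convert::TryInto;

/// NTLM-style message signature: version(4) || checksum(8) || seqnum(4).
pub const SIGNATURE_LEN: usize = 16;
pub const SIGNATURE_VERSION: u32 = 1;

#[derive(Debug, PartialEq)]
pub enum LayerError {
    BufferTooLarge(usize),
    TooShort,
    BadVersion(u32),
    BadSequence { expected: u32, got: u32 },
    BadChecksum,
}

/// Keyed 8-byte checksum over (seqnum || message). A real layer gets this
/// from the SSPI context (HMAC-MD5 under the session key, per MS-NLMP).
pub trait Checksum {
    fn checksum(&self, seq: u32, msg: &[u8]) -> [u8; 8];
}

/// Stand-in for the example only (assumption): keyed FNV-1a mixing, NOT a MAC.
pub struct StandInChecksum {
    pub key: Vec<u8>,
}
impl Checksum for StandInChecksum {
    fn checksum(&self, seq: u32, msg: &[u8]) -> [u8; 8] {
        let seq_bytes = seq.to_le_bytes();
        let mut h: u64 = 0xcbf2_9ce4_8422_2325;
        for b in self.key.iter().chain(&seq_bytes).chain(msg) {
            h = (h ^ u64::from(*b)).wrapping_mul(0x0000_0100_0000_01b3);
        }
        h.to_le_bytes()
    }
}

/// Per-connection mutable context. Send and receive sequence numbers advance
/// independently, so a replayed or reordered buffer is rejected.
pub struct SecurityLayer<C: Checksum> {
    checksum: C,
    send_seq: u32,
    recv_seq: u32,
}
impl<C: Checksum> SecurityLayer<C> {
    pub fn new(checksum: C) -> Self {
        SecurityLayer { checksum, send_seq: 0, recv_seq: 0 }
    }

    /// Wraps one LDAP PDU: 4-byte big-endian length (RFC 4422 s3.7), then
    /// signature || payload. Integrity only; confidentiality would also encrypt the payload.
    pub fn wrap(&mut self, pdu: &[u8]) -> Vec<u8> {
        let seq = self.send_seq;
        self.send_seq = self.send_seq.wrapping_add(1);
        let body_len = (SIGNATURE_LEN + pdu.len()) as u32;
        let mut out = Vec::with_capacity(4 + body_len as usize);
        out.extend_from_slice(&body_len.to_be_bytes());
        out.extend_from_slice(&SIGNATURE_VERSION.to_le_bytes());
        out.extend_from_slice(&self.checksum.checksum(seq, pdu));
        out.extend_from_slice(&seq.to_le_bytes());
        out.extend_from_slice(pdu);
        out
    }

    /// Verifies one buffer body (signature || payload) and returns the PDU.
    pub fn unwrap(&mut self, body: &[u8]) -> Result<Vec<u8>, LayerError> {
        if body.len() < SIGNATURE_LEN { return Err(LayerError::TooShort); }
        let version = u32::from_le_bytes(body[0..4].try_into().unwrap());
        if version != SIGNATURE_VERSION { return Err(LayerError::BadVersion(version)); }
        let seq = u32::from_le_bytes(body[12..16].try_into().unwrap());
        let payload = &body[SIGNATURE_LEN..];
        let expected = self.checksum.checksum(seq, payload);
        // Fold over all bytes so a mismatch is not revealed by early exit.
        let diff = expected.iter().zip(&body[4..12]).fold(0u8, |d, (a, b)| d | (a ^ b));
        if diff != 0 { return Err(LayerError::BadChecksum); }
        if seq != self.recv_seq {
            return Err(LayerError::BadSequence { expected: self.recv_seq, got: seq });
        }
        self.recv_seq = self.recv_seq.wrapping_add(1);
        Ok(payload.to_vec())
    }
}

/// Reassembles SASL buffers from a byte stream; TCP reads may split or merge them.
pub struct SaslDecoder { pending: Vec<u8>, max_buf: usize }
impl SaslDecoder {
    pub fn new(max_buf: usize) -> Self { SaslDecoder { pending: Vec::new(), max_buf } }
    pub fn feed(&mut self, bytes: &[u8]) { self.pending.extend_from_slice(bytes); }

    /// Next complete body, None if more bytes are needed, or an error when the
    /// claimed length exceeds the negotiated maximum (checked before allocating).
    pub fn next_buffer(&mut self) -> Result<Option<Vec<u8>>, LayerError> {
        if self.pending.len() < 4 { return Ok(None); }
        let len = u32::from_be_bytes(self.pending[0..4].try_into().unwrap()) as usize;
        if len > self.max_buf { return Err(LayerError::BufferTooLarge(len)); }
        if self.pending.len() < 4 + len { return Ok(None); }
        let body = self.pending[4..4 + len].to_vec();
        self.pending.drain(..4 + len);
        Ok(Some(body))
    }
}
```

The two checks a practitioner wants in this layer are the ones a TLS-less deployment depends on: the sequence number makes a captured buffer unusable for replay, and the length check against the maximum negotiated during the bind runs before any allocation so a hostile peer cannot claim a multi-gigabyte buffer. The `Checksum` trait is the seam where the session key from the SPNEGO context plugs in; the stand-in must be replaced before this protects anything.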
@awakecoding I've opened the For the rest, there are two-and-a-half changes I'd prefer to see:
I'll take care of hiding all this behind a compile-time feature.
Re confidentiality/integrity: technically, it can be handled similarly to TLS. See how STARTTLS is implemented in Now, I don't recommend starting that work until I see how the crate can be migrated from the original
@inejge thanks a lot for taking the time to reorganize and clean up my changes :) Yes, there are a few improvements that should be done in the sspi-rs crate (I agree about accepting &str). The original code came from somebody else; my long-term goal is to refactor it to match the original SSPI API much more closely, and eventually support native SSPI modules on Windows, which should get us integrated Windows authentication support for free.
@awakecoding Since this PR went quiet, do you plan to continue work on it? I can wrap it up myself, but it'll take a week or two. |
@inejge please go ahead and wrap it up, even if it takes a week or two, that's fine. I'll just rebranch from master after the cleaned-up version has been merged, and then we can close this PR without merging my original changes. Thanks a lot!
This pull request adds support for the GSS-SPNEGO bind type with NTLM. There is no support for integrated Windows authentication or Kerberos at this point. This has been tested against Windows Active Directory, compared against sample Wireshark captures.