[Bug 1643708] Re: Add SPNEGO special case for NTLMSSP+MechListMIC

Robie Basak 1643708 at bugs.launchpad.net
Fri Jan 20 10:50:50 UTC 2017 

@Bruce

Thank you for detailing your testing. In your test suite, do you cover
any interoperability with SPNEGO but not-Windows, whether in integration
or code path coverage? That's the use case I'm concerned about - that
someone will come along and tell us that we regressed SPNEGO against
WebSphere or something because we focused on just testing Windows.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1643708

Title:
  Add SPNEGO special case for NTLMSSP+MechListMIC

Status in krb5 package in Ubuntu:
  Fix Released
Status in krb5 source package in Trusty:
  Fix Committed
Status in krb5 source package in Xenial:
  Fix Committed
Status in krb5 source package in Yakkety:
  Fix Committed

Bug description:
  [Impact]
  MS-SPNG section 3.3.5.1 documents an odd behavior the SPNEGO layer
  needs to implement specifically for the NTLMSSP mechanism.  This is
  required for compatibility with Windows services.

  Upstream commit:
  https://github.com/krb5/krb5/commit/cb96ca52a3354e5a0ea52e12495ff375de54f9b7

  We've run into this issue with Linux to Windows negotiation with
  encrypted http using GSSAPI.

  [Test Case]

  create a file with some credentials:

  $ echo F23:guest:guest > ~/ntlmcreds.txt
  $ export NTLM_USER_FILE=~/ntlmcreds.txt
  $ python
  import gssapi

  spnego = gssapi.raw.oids.OID.from_int_seq('1.3.6.1.5.5.2')
  c = gssapi.creds.Credentials(mechs=[spnego], usage='initiate')
  tname = gssapi.raw.names.import_name("F23/server", name_type=gssapi.raw.types.NameType.hostbased_service)
  ac = gssapi.creds.Credentials(mechs=[spnego], usage='accept')

  seci = gssapi.SecurityContext(creds=c, name=tname, mech=spnego, usage='initiate')
  seca = gssapi.SecurityContext(creds=ac, usage='accept')
  it = seci.step(token=None)
  ot = seca.step(token=it)
  it = seci.step(token=ot)
  ot = seca.step(token=it)
  it = seci.step(token=ot)

  e = seci.wrap("Secrets", True)
  o = seca.unwrap(e.message)

  o.message
  'Secrets'

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1643708/+subscriptions

More information about the foundations-bugs mailing list