[Cvsnt] Kerberos: gserver and SSPI

Jonathan M. Gilligan jonathan.gilligan at vanderbilt.edu
Fri Apr 12 16:40:41 BST 2002


Can you offer advice about how this works on a Win2000 peer-to-peer network
(i.e., no Domain Controller)? I have a small (5 workstation) network and
don't see the point in springing lots of money to purchase an extra computer
and software just to act as DC. My understanding is that Kerberos cannot be
made to work on Win2K without a DC (you can't set up a workstation to act as
the ticket server). Does this mean that gserver is inoperable in my
configuration?

----- Original Message -----
From: "Brian Smith" <brian-l-smith at uiowa.edu>
To: <cvsnt at cvsnt.org>
Sent: Thursday, April 11, 2002 12:13 PM
Subject: Re: [Cvsnt] Kerberos: gserver and SSPI


> :gserver: works with:
>       Windows 2000/XP
>       Linux
>       Sun Solaris
>       [probably any other unix including Mac OS X]
>
> :sspi: works with:
>       Windows 98/NT4/2000/XP
>
> Both SSPI and Kerberos support encryption and message authentication.
> Both SSPI and Kerberos use domain (realm) credentials to authenticate
> users. Both SSPI and Kerberos support the server settings that require
> the user to use encryption and/or message digests.
>
> :gserver: always uses Kerberos (CVS can be patched to work with a
> GSSAPI implementation but currently the code assumes that the GSSAPI
> implementation is Kerberos). That is why it is cross-platform compatible
> but doesn't work with Windows 95/98/NT.
>
> :gserver: always uses the credentials of the currently logged on user on
> the client (i.e. your domain credentials). You can use the Windows
> 2000/XP "runas" command to use CVS :gserver: with other credentials
> (untested).
>
> :gserver: has two implementations: one uses the MIT Kerberos
> distribution and the default implementation uses the Windows 2000/XP
> Kerberos SSP.
>
> SSPI will use Kerberos if both the client and the server support it
> (i.e. Client is Windows 2000/XP and Server is Windows 2000/XP).
> Otherwise it will use NTLM. It actually uses the Windows authentication
> negotiation mechanism (on Windows 2000/XP). That is why it is not
> cross-platform but it is compatible with Windows 95/98/NT.
>
> If you think that Kerberos is "more secure" than NTLM then you would
> consider :gserver: to be "more secure" than SSPI because SSPI will let
> people use NTLM. If you want to enforce Kerberos and/or NTLM2 then you
> have to do extra configuration in the Windows local security policy.
>
> SSPI has a special CVSROOT form (:sspi:username[:password]@server:/host)
> that allows you to specify the username and password you want to
> authenticate with (when you don't want to log in with your default
> credentials) on the command line without using "runas". If you use this
> form, the password is saved in the client's CVS password cache (in the
> registry, I believe).
>
> In general, if all of your clients are on Windows 2000/XP then I would
> prefer :gserver: over :sspi: because:
>     (1) I don't like NTLM
>     (2) It is cross-platform (so you can add Unix clients later)
>     (3) I made the patch to implement the
>         Kerberos/WindowsSSP implementation ;)

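The quoted post contrasts the :gserver: and :sspi: CVSROOT forms and points out two things a practitioner has to watch: :sspi: can silently negotiate down to NTLM, and the :sspi:username:password@server form leaves the password in the client's password cache. The following is an added example, written for this page and not code from CVSNT or from either poster: it parses a CVSROOT string in the :method:[user[:password]@]host[:port]/path shape and reports which mechanisms the method can negotiate, whether a password is embedded, and a redacted form safe to log. The METHOD_INFO table is constructed from the statements in the post above, and the CVSROOT syntax regex is an assumption about the usual CVS form, not taken from CVSNT's own parser.

```python
import re
from typing import Optional

# Constructed from the list post above (assumption: summarises the post, not CVSNT source).
# "mechanisms" lists what the method can end up using; :sspi: may fall back to NTLM.
METHOD_INFO = {
    "gserver": {"mechanisms": ("kerberos",),
                "clients": ("Windows 2000/XP", "Linux", "Solaris", "other Unix")},
    "sspi":    {"mechanisms": ("kerberos", "ntlm"),
                "clients": ("Windows 98/NT4/2000/XP",)},
}

# Assumed CVSROOT shape: :method:[[user][:password]@]host[:[port]]/path
CVSROOT_RE = re.compile(
    r"^:(?P<method>[a-z]+):"
    r"(?:(?P<user>[^:@/]+)(?::(?P<password>[^@/]*))?@)?"
    r"(?P<host>[^:/]+)"
    r"(?::(?P<port>\d+)?)?"
    r"(?P<path>/.*)$"
)


def parse_cvsroot(cvsroot: str) -> dict:
    """Split a CVSROOT into its fields; raises ValueError on unknown shape or method."""
    m = CVSROOT_RE.match(cvsroot)
    if not m:
        raise ValueError(f"not a CVSROOT in the expected form: {cvsroot!r}")
    if m.group("method") not in METHOD_INFO:
        raise ValueError(f"method not covered by this check: {m.group('method')}")
    return m.groupdict()


def assess(cvsroot: str) -> dict:
    """Report negotiable mechanisms and the caveats the post raises for a CVSROOT."""
    fields = parse_cvsroot(cvsroot)
    method = fields["method"]
    info = METHOD_INFO[method]
    password: Optional[str] = fields["password"]
    has_embedded_password = bool(password)   # ":user:@host" (empty) counts as a prompt, not a secret
    warnings = []
    if "ntlm" in info["mechanisms"]:
        warnings.append("may negotiate NTLM instead of Kerberos; enforce Kerberos/NTLMv2 "
                        "via local security policy if that matters")
    if has_embedded_password:
        warnings.append("password embedded in CVSROOT; the client caches it "
                        "(registry, per the list post)")
    if method == "gserver" and fields["user"]:
        warnings.append("gserver uses the logged-on user's credentials; use runas "
                        "rather than a user@ prefix to switch identity")
    return {
        "method": method,
        "mechanisms": info["mechanisms"],
        "user": fields["user"],
        "host": fields["host"],
        "port": fields["port"],
        "path": fields["path"],
        "has_embedded_password": has_embedded_password,
        "warnings": warnings,
    }


def redact(cvsroot: str) -> str:
    """Return the CVSROOT with any embedded password replaced by *** (for logs/config dumps)."""
    m = CVSROOT_RE.match(cvsroot)
    if not m or m.group("password") is None:
        return cvsroot
    return cvsroot[:m.start("password")] + "***" + cvsroot[m.end("password"):]


if __name__ == "__main__":
    # Constructed sample CVSROOTs; hostnames and paths are placeholders.
    for root in (":gserver:cvs.example.org:/home/cvsroot",
                 ":sspi:alice:s3cret@cvs.example.org:/home/cvsroot",
                 ":sspi:alice@cvs.example.org:2401/home/cvsroot"):
        report = assess(root)
        print(redact(root), report["mechanisms"], report["warnings"])
```

Run it over your own CVSROOT values before committing them to scripts or documentation: anything that prints a redacted form is a string that should not be stored verbatim, and any :sspi: root on a mixed-version network is one where you should confirm in the local security policy which mechanism actually gets negotiated.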

_______________________________________________
Cvsnt mailing list
Cvsnt at cvsnt.org
http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt