fix(acceptor): upgrade sspi, use NTLM when no Kerberos#1143
Guillaume Gelin (ramnes) wants to merge 1 commit into Devolutions:master from
Conversation
Upgrade sspi to incorporate latest changes. The new version introduces a real SPNEGO implementation in `ServerMode::Negotiate`, but some RDP clients seem to send raw NTLM tokens in CredSSP rather than SPNEGO-wrapped ones, which doesn't seem supported by sspi yet? In the meantime, we can use `ServerMode::Ntlm` directly when Kerberos is disabled, so that we maintain compatibility with previous sspi behavior.
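The compatibility problem described above, raw NTLM tokens versus SPNEGO-wrapped ones, can be made concrete with a small classifier for the first negoToken a client sends in CredSSP. This is an added example, not IronRDP or sspi code; the two sample tokens are constructed here (a raw NTLM NEGOTIATE_MESSAGE header, and a minimal GSS-API InitialContextToken carrying the SPNEGO OID 1.3.6.1.5.5.2 with an NTLMSSP mechType), and the `TokenKind`, `classify_token` and `needs_raw_ntlm_acceptor` names are this example's own. An acceptor that only understands SPNEGO-wrapped tokens would reject the first kind, which is the case the PR works around by selecting `ServerMode::Ntlm` when Kerberos is not configured.

```rust
// Added example, not IronRDP or sspi code: classify the first negotiation
// token a client sends inside CredSSP, so an acceptor can tell a raw NTLM
// message (what the PR reports mstsc and FreeRDP send) from a SPNEGO-wrapped
// one. Both sample tokens below are constructed for this example.

/// Shape of the first bytes of a CredSSP negoToken.
#[derive(Debug, PartialEq, Eq)]
pub enum TokenKind {
    /// Raw NTLMSSP message; carries the message type
    /// (1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE).
    RawNtlm(u32),
    /// GSS-API InitialContextToken whose thisMech is the SPNEGO OID 1.3.6.1.5.5.2.
    Spnego,
    /// Neither; the acceptor should reject rather than guess.
    Unknown,
}

/// Every NTLMSSP message starts with this 8-byte signature.
const NTLMSSP_SIGNATURE: &[u8] = b"NTLMSSP\0";

/// DER encoding (tag, length, contents) of OBJECT IDENTIFIER 1.3.6.1.5.5.2.
const SPNEGO_OID_DER: &[u8] = &[0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02];

/// Constructed sample: NTLM NEGOTIATE_MESSAGE header (signature, type 1, flags).
pub const SAMPLE_RAW_NTLM_NEGOTIATE: &[u8] = b"NTLMSSP\0\x01\x00\x00\x00\x97\x82\x08\xe2";

/// Constructed sample: [APPLICATION 0] { SPNEGO OID, NegTokenInit offering the NTLMSSP mech }.
pub const SAMPLE_SPNEGO_TOKEN: &[u8] = &[
    0x60, 0x1c, // InitialContextToken, 28 bytes of content
    0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02, // thisMech = 1.3.6.1.5.5.2
    0xa0, 0x12, 0x30, 0x10, // [0] NegTokenInit SEQUENCE
    0xa0, 0x0e, 0x30, 0x0c, // [0] mechTypes SEQUENCE OF
    0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0a, // 1.3.6.1.4.1.311.2.2.10
];

/// Decode a DER length at the start of `buf`; returns (length, bytes consumed).
fn der_length(buf: &[u8]) -> Option<(usize, usize)> {
    let first = *buf.first()?;
    if first < 0x80 {
        return Some((usize::from(first), 1));
    }
    let n = usize::from(first & 0x7f);
    if n == 0 || n > 4 || buf.len() < 1 + n {
        return None; // indefinite or oversized length: not valid DER here
    }
    let len = buf[1..=n].iter().fold(0usize, |acc, b| (acc << 8) | usize::from(*b));
    Some((len, 1 + n))
}

/// Classify a negoToken by its leading bytes.
pub fn classify_token(token: &[u8]) -> TokenKind {
    // Raw NTLM: signature followed by a little-endian u32 message type.
    if token.len() >= 12 && token.starts_with(NTLMSSP_SIGNATURE) {
        let msg_type = u32::from_le_bytes([token[8], token[9], token[10], token[11]]);
        return TokenKind::RawNtlm(msg_type);
    }
    // SPNEGO: 0x60 (APPLICATION 0, constructed), DER length, then the SPNEGO OID.
    if token.first() == Some(&0x60) {
        if let Some((content_len, consumed)) = der_length(&token[1..]) {
            let content = &token[1 + consumed..];
            if content.len() >= content_len && content.starts_with(SPNEGO_OID_DER) {
                return TokenKind::Spnego;
            }
        }
    }
    TokenKind::Unknown
}

/// True when a SPNEGO-only acceptor would not accept this token,
/// i.e. the case the PR addresses by choosing ServerMode::Ntlm.
pub fn needs_raw_ntlm_acceptor(token: &[u8]) -> bool {
    matches!(classify_token(token), TokenKind::RawNtlm(_))
}

fn main() {
    for (name, token) in [("raw NTLM", SAMPLE_RAW_NTLM_NEGOTIATE), ("SPNEGO", SAMPLE_SPNEGO_TOKEN)] {
        println!(
            "{name}: {:?}, needs raw NTLM acceptor: {}",
            classify_token(token),
            needs_raw_ntlm_acceptor(token)
        );
    }
}
```

The classifier only looks at the leading bytes; it is meant as a diagnostic for the first token of a connection (for example, to log why a negotiation failed), not as a replacement for full token parsing. Anything that is neither a raw NTLM message nor a SPNEGO InitialContextToken is reported as `Unknown` so the acceptor rejects it instead of guessing.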
Hi, yes, you are right. Let me add more context for others and for historical reasons 🙃
Yep.
It is supported, but the user (the caller) must specify it explicitly via
Currently, that's the only way to do so.
Upgrade sspi from 0.18 to 0.19 and picky from rc.20 to rc.22.

sspi 0.19 introduces a proper SPNEGO implementation that expects SPNEGO-wrapped tokens, but mstsc and FreeRDP send raw NTLM tokens in CredSSP. Use ServerMode::Ntlm directly when Kerberos is disabled to maintain compatibility.

Code changes:
- acceptor: use ServerMode::Ntlm(NtlmConfig) when no Kerberos config instead of ServerMode::Negotiate with NtlmConfig as ProtocolConfig
- acceptor: implement CredentialsProxy::auth_data (new trait method)
- connector: KerberosConfig.hostname conversion needs unwrap_or_default (sspi 0.19 changed client_computer_name from Option<String> to String)
- tokio/reqwest: use sspi types through ironrdp-connector re-export to avoid version mismatch between direct and transitive sspi deps
- ffi: bump sspi dep to 0.19

Dependency workaround:
- Pin uuid to <1.21 in ironrdp-client and ironrdp-mstsgu. uuid 1.21+ pulls getrandom 0.4 which needs stable rand_core 0.10.0, conflicting with picky rc.22's pinned rand_core = "=0.10.0-rc-3". Remove this pin when picky ships with stable RustCrypto deps.

Based on investigation by @ramnes (PR Devolutions#1143) and @sfwwslm (issue Devolutions#1186).
sspi 0.19.2 was published to crates.io on Mar 27, which includes the SPNEGO refactor you needed. I put together PR #1188 that builds on your work here: it uses the published sspi 0.19 instead of the git rev pin, applies your ServerMode::Ntlm fix, and adds a few additional fixes needed for the full workspace build (new CredentialsProxy::auth_data trait method, reqwest.rs sspi re-export, uuid pin for a picky rand_core conflict documented in #1186). Credited you in the PR description. Thanks for identifying the NTLM fallback issue and getting the ball rolling on this.
Note: I can't get the dependencies right, looks like there's a picky rc.22 / getrandom conflict; any help appreciated here!