GSSAPI compatibility

David Woodhouse dwmw2 at
Thu Jul 3 04:09:47 PDT 2014

OK, I think I've done my due diligence on testing the GSSAPI support. If
anyone cares about an OS I've missed then please test and let me know of
any issues.

Kerberos authentication to HTTP and SOCKS servers is working on OpenBSD
5.5, NetBSD 6.1.4, FreeBSD 9, and OSX (10.6.8). And also of course on
Linux (Fedora 20).

Automatic NTLM authentication via Samba's ntlm_auth helper is working
under Linux, and it looks like it was *trying* under OSX although
Samba/winbind on OSX didn't know my password so it failed as expected.
There's no good reason that shouldn't work elsewhere as long as
ntlm_auth is working. 

Negotiate/GSSAPI authentication to an HTTP proxy using NTLM instead of
Kerberos is also working, at least under Linux, using GSS-NTLMSSP.
Again, there's no good reason it shouldn't work elsewhere as long as
GSS-NTLMSSP is installed and working.

To enable NTLM in Negotiate auth, I had to manually select the SPNEGO
mechanism (commit dbf058ab), which actually *breaks* SOCKS (but not
HTTP) auth for OpenBSD 5.2 (but not 5.5) and for Solaris 11. I don't
think I care — AFAICT this is a bug in their Kerberos implementations
and Not My Fault™. I could perhaps create an option to avoid SPNEGO
but... life's too short.

(The details: OpenBSD 5.2 complains of an invalid MIC in the SPNEGO
response from the server on successful auth. And Solaris refuses a
gss_wrap() call after successfully authenticating, claiming that the
operation is unsupported. Although it works without SPNEGO in both
cases. And works for HTTP too, since the GSSAPI exchange is simpler

David Woodhouse                            Open Source Technology Centre
David.Woodhouse at                              Intel Corporation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5745 bytes
Desc: not available
URL: <>

More information about the openconnect-devel mailing list