Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
Thanks for the detailed reply Brian. I do have a few more questions still.

- SSPI first tries to use Kerberos, otherwise it uses NTLM. Am I right that this is Windows doing this? If later on Microsoft add some other security protocols, it would automatically use those, if the SSPI API does?

- Is there a user-level term for "SSPI"? That seems to be more than API that you use to talk to Windows. Just describing it as "Windows authentication (:sspi:)" might be reasonable.

- How does SSPI relate to :ntserver:? Which is more secure, is ntserver being deprecated?

- Can SSPI connect to a Unix CVS server? (With Samba?)

Thanks for all your help,

Francis
(still getting his head round this to work out how to describe them in the user interface ;)

On Thu, 11 Apr 2002 12:13:21 -0500, Brian Smith <brian-l-smith at uiowa.edu> wrote:

>:gserver: works with:
>    Windows 2000/XP
>    Linux
>    Sun Solaris
>    [probably any other unix including Mac OS X]
>
>:sspi: works with:
>    Windows 98/NT4/2000/XP
>
>Both SSPI and Kerberos support encryption and message authentication.
>Both SSPI and Kerberos use domain (realm) credentials to authenticate
>users. Both SSPI and Kerberos support the server settings that require
>the user to use encryption and/or message digests.
>
>:gserver: always uses Kerberos (CVS can be patched to work with a
>GSSAPI implementation but currently the code assumes that the GSSAPI
>implementation is Kerberos). That is why it is cross-platform compatible
>but doesn't work with Windows 95/98/NT.
>
>:gserver: always uses the credentials of the currently logged on user on
>the client (i.e. your domain credentials). You can use the Windows
>2000/XP "runas" command to use CVS :gserver: with other credentials
>(untested).
>
>:gserver: has two implementations: one uses the MIT Kerberos
>distribution and the default implementation uses the Windows 2000/XP
>Kerberos SSP.
>
>SSPI will use Kerberos if both the client and the server support it
>(i.e. Client is Windows 2000/XP and Server is Windows 2000/XP).
>Otherwise it will use NTLM. It actually uses the Windows authentication
>negotiation mechanism (on Windows 2000/XP). That is why it is not
>cross-platform but it is compatible with Windows 95/98/NT.
>
>If you think that Kerberos is "more secure" than NTLM then you would
>consider :gserver: to be "more secure" than SSPI because SSPI will let
>people use NTLM. If you want to enforce Kerberos and/or NTLM2 then you
>have to do extra configuration in the Windows local security policy.
>
>SSPI has a special CVSROOT form (:sspi:username[:password]@server:/host)
>that allows you to specify the username and password you want to
>authenticate with (when you don't want to log in with your default
>credentials) on the command line without using "runas". If you use this
>form, the password is saved in the client's CVS password cache (in the
>registry, I believe).
>
>In general, if all of your clients are on Windows 2000/XP then I would
>prefer :gserver: over :sspi: because:
>    (1) I don't like NTLM
>    (2) It is cross-platform (so you can add Unix clients later)
>    (3) I made the patch to implement the
>        Kerberos/WindowsSSP implementation ;)
>
>Let me know if you have more questions.
>
>- Brian
>
>
>
>Francis Irving wrote:
>> Can somebody explain to me the difference between gserver and SSPI?
>> Is there any documentation on them, or how to use them?
>>
>> I would like to know so I can put an appropriate description in the
>> checkout dialog box for TortoiseCVS, but I'm curious anyway as I've
>> never used Kerberos.
>>
>> Francis
>> _______________________________________________
>> Cvsnt mailing list
>> Cvsnt at cvsnt.org
>> http://www.cvsnt.org/cgi-bin/mailman/listinfo/cvsnt https://www.march-hare.com/cvspro/en.asp#downcvs
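
An added example, not part of the thread and not CVSNT or TortoiseCVS code: a small checker for the `:sspi:username[:password]@server:/host` CVSROOT form described in the quoted reply. It flags roots that carry an inline password and masks it before the string is logged or displayed. The function names, the sample host, user and password, and the rule that the last `@` ends the credentials part are assumptions of this example.

```python
import re

# Behaviour notes as stated in the thread above; other methods are not covered there.
METHOD_NOTES = {
    "sspi": "Kerberos if client and server both support it, otherwise NTLM",
    "gserver": "always Kerberos, with the logged-on user's credentials",
}
ROOT_RE = re.compile(r"^:(?P<method>[A-Za-z]+):(?P<rest>.+)$")


def audit_cvsroot(root):
    """Parse one :method:[user[:password]@]server:/path string into findings."""
    m = ROOT_RE.match(root.strip())
    if not m:
        return {"method": None, "user": None, "has_password": False,
                "note": "not a :method: style CVSROOT"}
    method, rest = m.group("method").lower(), m.group("rest")
    user, has_password = None, False
    if "@" in rest:
        # Assumption: the last '@' separates credentials from the server part,
        # so a password that itself contains '@' is still caught.
        creds, _, rest = rest.rpartition("@")
        user, sep, password = creds.partition(":")
        has_password = bool(sep and password)
    return {"method": method, "user": user, "has_password": has_password,
            "note": METHOD_NOTES.get(method, "not covered in this thread")}


def redact(root):
    """Return the CVSROOT with any inline password masked, safe to log."""
    info = audit_cvsroot(root)
    if not info["has_password"]:
        return root.strip()
    server_part = root.strip().rpartition("@")[2]
    return ":{}:{}:***@{}".format(info["method"], info["user"], server_part)


if __name__ == "__main__":
    # Constructed sample values; host, user and password are made up.
    samples = [
        ":sspi:build:S3cret@cvs.example.com:/repo",
        ":sspi:alice@cvs.example.com:/repo",
        ":gserver:cvs.example.com:/repo",
    ]
    for s in samples:
        info = audit_cvsroot(s)
        flag = "INLINE PASSWORD" if info["has_password"] else "ok"
        print("{:<45} {:<16} {}".format(redact(s), flag, info["note"]))
```
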