Simo's Blog


GSS-NTLMSSP a new GSSAPI Mechanism

Without fanfare here is my latest wandering in the creation of obscure and complicated security infrastructure software: GSS-NTLMSSP.

NTLM is Microsoft's first effort at creating a secure authentication method that wouldn't rely on exposing the user password to the target service and instead used a Challenge Response mechanism to create proof of knowledge of a shared secret between the client and the server.

During the years Microsoft has slighlty improved the protocol and later on when they finally created the SSPI subsystem in Windows they created the NTLMSSP mechanism that incapsulated all NTLM usages.

Micosoft's SSPI is the Windows equivalent (and wire-compatible) version of GSSAPI and I've been wanting to build this mechanism since MIT Kerberos added directly supoport for the SPNEGO negotiation mechanism.

The current code is still young and many things are missing, notably the ability to use Domain Controller based authentication for the server side. However I find it is a quite useful module for clients, so here we have our first shiny release: 0.1.0.

Feel free to try and use it and let me know if you have neat ideas to improve its use and usability.

Mail me if you have comments. They will be posted online after review.