
NegotiateStreamPal.Unix.cs does not support default auth #66633

arontsang opened this issue Mar 15, 2022 · 4 comments
Labels
area-System.Net.Security enhancement Product code improvement that does NOT require public API changes/additions help wanted [up-for-grabs] Good issue for external contributors
@arontsang

Description

NegotiateStreamPal should support loading credentials from the NTLM_USER_FILE env var as per https://github.com/gssapi/gss-ntlmssp/blob/main/TESTING.txt, delegating the credentials to gss-ntlmssp.

However, NegotiateStreamPal throws an exception before gss-ntlmssp has a chance to provide its own credentials.

Reproduction Steps

1. Create an NTLM user file as per https://github.com/gssapi/gss-ntlmssp/blob/main/TESTING.txt
2. Set the NTLM_USER_FILE env var to point to said file.
3. Then do an HTTP GET from an NTLM web server.

Expected behavior

HTTP 200

Actual behavior

System.PlatformNotSupportedException: NTLM authentication is not possible with default credentials on this platform.

Regression?

No response

Known Workarounds

Provide the credentials from dotnet, which is a security risk that is specifically advised against.

Configuration

OS = Amazon Linux 2
Dotnet 3.1

Other information

No response
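As an added illustration of the reproduction steps and the known workaround above (example code written for this page, not code from the issue author or from dotnet/runtime): the first path asks the runtime for default credentials so that gss-ntlmssp can pick them up from NTLM_USER_FILE, which is where the reported PlatformNotSupportedException surfaces on Linux; the second path is the explicit-credential workaround the issue flags as a security risk. The environment variable names NTLM_TEST_URL, NTLM_USER, NTLM_PASSWORD and NTLM_DOMAIN are assumptions of this example, not anything the issue or gss-ntlmssp defines; only NTLM_USER_FILE comes from the page.

```csharp
// Added example: reproduces the report above and its explicit-credential
// workaround on Linux. Not code from the issue author or from dotnet/runtime.
// Assumptions (not on the page): the target URL comes from a hypothetical
// NTLM_TEST_URL variable, and the workaround reads its secret from hypothetical
// NTLM_USER / NTLM_PASSWORD / NTLM_DOMAIN variables. NTLM_USER_FILE itself is
// consumed by gss-ntlmssp, not by this program.
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

static class NtlmDefaultCredentialRepro
{
    static async Task Main()
    {
        string url = Environment.GetEnvironmentVariable("NTLM_TEST_URL")
                     ?? "http://ntlm-server.invalid/"; // placeholder host, not a real target

        Console.WriteLine(
            $"NTLM_USER_FILE = {Environment.GetEnvironmentVariable("NTLM_USER_FILE") ?? "(unset)"}");

        await TryDefaultCredentialsAsync(url);
        await TryExplicitCredentialsAsync(url);
    }

    // Path reported in the issue: ask the runtime for default credentials and let
    // gss-ntlmssp resolve them from NTLM_USER_FILE. On Linux with .NET Core 3.1 the
    // request is rejected before gss-ntlmssp is consulted.
    static async Task TryDefaultCredentialsAsync(string url)
    {
        using var handler = new HttpClientHandler { UseDefaultCredentials = true };
        using var client = new HttpClient(handler);
        try
        {
            using HttpResponseMessage resp = await client.GetAsync(url);
            Console.WriteLine($"default credentials: HTTP {(int)resp.StatusCode}");
        }
        catch (PlatformNotSupportedException ex)
        {
            // Message quoted in the issue: "NTLM authentication is not possible
            // with default credentials on this platform."
            Console.WriteLine($"default credentials rejected: {ex.Message}");
        }
        catch (HttpRequestException ex) when (ex.InnerException is PlatformNotSupportedException inner)
        {
            // Depending on the runtime version the same failure may arrive wrapped.
            Console.WriteLine($"default credentials rejected: {inner.Message}");
        }
    }

    // Known workaround from the issue: supply the credential from .NET itself.
    // The author flags this as a security risk because the secret now lives in
    // the application's configuration instead of in the gss-ntlmssp credential
    // store. Scoping the cache entry to the target URI and the "NTLM" scheme at
    // least keeps the secret from being offered to other hosts or schemes.
    static async Task TryExplicitCredentialsAsync(string url)
    {
        string user = Environment.GetEnvironmentVariable("NTLM_USER");
        string password = Environment.GetEnvironmentVariable("NTLM_PASSWORD");
        string domain = Environment.GetEnvironmentVariable("NTLM_DOMAIN");
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
        {
            Console.WriteLine("explicit credentials: NTLM_USER / NTLM_PASSWORD not set, skipping");
            return;
        }

        // CredentialCache.Add(Uri, authType, NetworkCredential) restricts the
        // credential to this URI prefix and to the NTLM scheme only.
        var cache = new CredentialCache
        {
            { new Uri(url), "NTLM", new NetworkCredential(user, password, domain) }
        };
        using var handler = new HttpClientHandler { Credentials = cache };
        using var client = new HttpClient(handler);
        using HttpResponseMessage resp = await client.GetAsync(url);
        Console.WriteLine($"explicit credentials: HTTP {(int)resp.StatusCode}");
    }
}
```

Run it on a Linux box with gss-ntlmssp installed and NTLM_USER_FILE exported: the first call prints the rejection the issue reports, the second succeeds only if the credential has been duplicated into the process environment, which is exactly the duplication the author would rather avoid.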

@dotnet-issue-labeler dotnet-issue-labeler bot added area-System.Net untriaged New issue has not been triaged by the area owner labels Mar 15, 2022
@ghost

ghost commented Mar 15, 2022

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.
@ghost

ghost commented Mar 15, 2022

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.
@karelz
Member

karelz commented Mar 29, 2022

Triage:

  • On one hand, it is an implementation detail of gss.
  • On the other hand, it would be useful to have -- we need to understand how portable it is: is it Unix only? What about Mac? Something similar on Windows? ... What about security implications?

@karelz karelz added this to the Future milestone Mar 29, 2022
@karelz karelz added enhancement Product code improvement that does NOT require public API changes/additions and removed untriaged New issue has not been triaged by the area owner labels Mar 29, 2022
@wfurt wfurt added the help wanted [up-for-grabs] Good issue for external contributors label Nov 16, 2022
@wfurt
Member

wfurt commented Nov 16, 2022

We should not process the file directly, but we can let gssapi decide instead of failing early in NegotiateStream.
