NT domain authentication for WinVNC?
James Nelson
xi "at" employees.org
Sun, 11 Jul 1999 20:05:06 +0000
OK, first, let me say I am much impressed, and very appreciative of all the
responses.
This patch sounds great---I'll be testing it out tomorrow. As for what API
to use for authentication: The problems I would see in using the change
password function would be limited to domains where password policies might
be fairly strict. A policy that requires password uniqueness is one example.
Another call you could try is LogonUser. It should return a false value if
the username/password/domain troika failed.
As an adjunct to this (based on another response), you could check a local
(or global) group for access rights, say with NetUserGetGroups. I found one
example here:
http://mvps.org/win32/network/nugg.cpp
Not sure what security context a process has to be in to call this. And
there are probably more elegant ways of checking group membership for a
user.
Thanks,
James Nelson...
-----Original Message-----
From: owner-vnc-list "at" uk.research.att.com
[mailto:owner-vnc-list "at" uk.research.att.com]On Behalf Of the wikster
Sent: Sunday, July 11, 1999 8:53 AM
To: 'vnc-list "at" uk.research.att.com'
Subject: RE: NT domain authentication for WinVNC?
Okay, after hearing so many requests for this patch, I decided to forfeit
my social life for this weekend and write it. I made changes to both the
WinVNC server and vncviewer client for Windows. At this time I have not
changed the Java viewer or any other viewers. You can FTP it from
ftp://wik.res.cmu.edu/pub/vnc_ntauth/ Binaries and sources are
available in winvnc-ntauth-bin.zip and winvnc-ntauth-src.zip,
respectively.
There are several limitations listed in the included README.txt file. For
instance, I have not found a better way to verify the password than to use
the NetUserChangePassword() API. What I do is attempt to change the
password to the given value. Since the function requires the current
password to work properly, it will fail if an incorrect password is given
and thus, the authentication fails and nothing changes. Otherwise, if the
given password is correct, the password is "changed" to the same value
that it had before. Again, if anyone knows of a better way to do this,
please let me know. There's an API to get a one-way LanMan encrypted
version of the password. But, I don't know how to encrypt a user-supplied
password (for comparison purposes).
Also, the password, username and NT domain are sent over the network in
cleartext (unlike the VNC protocol, which merely sends challenge/response
keys and never the actual password).
I have a limited set of machines/configurations to test this on, so it may
have some bugs. It does run as a service, though you MUST enter the NT
domain if you're connecting to a WinVNC server that is running as a
service. If you do find a problem or have a suggestion, please let me
know! :)
-- Jared Smolens
>
> >it would be nice...
>
> Maybe if we all keep wishing out loud........
>
/''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''\
| Jared Smolens Electrical and Computer Engineering |
| www.rabidpenguin.org Carnegie Mellon University |
| jsmolens+ "at" andrew.cmu.edu Pittsburgh, PA |
| "Counting in binary is just like decimal if you're all thumbs" |
\,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/
---------------------------------------------------------------------
The VNC mailing list - see http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
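The LogonUser-plus-group-check approach suggested in the reply above, as an added example that is not from the posts or from the WinVNC patch. The names fields_ok and nt_authenticate, the result codes and the length limits are assumptions, and the group test uses CheckTokenMembership on the logon token rather than the NetUserGetGroups call mentioned in the reply. The Windows calls are compiled only on Windows (link with advapi32); on other platforms nt_authenticate returns AUTH_ERROR.

```c
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

enum { AUTH_OK, AUTH_DENIED, AUTH_NOT_MEMBER, AUTH_ERROR };

/* Reject missing, empty or overlong fields before they reach the API.
   The domain is required, matching the post's note about service installs.
   The length limits are illustrative assumptions. */
int fields_ok(const char *user, const char *domain, const char *pw)
{
    return user && domain && pw && user[0] && domain[0] &&
           strlen(user) <= 256 && strlen(domain) <= 255 && strlen(pw) <= 256;
}

/* Verify user/domain/password, then require membership of `group`.
   Every outcome other than AUTH_OK must be treated as "refuse the session". */
int nt_authenticate(const char *user, const char *domain,
                    const char *pw, const char *group)
{
    if (!fields_ok(user, domain, pw) || !group || !group[0])
        return AUTH_ERROR;
#ifdef _WIN32
    HANDLE tok = NULL;
    BYTE sid[SECURITY_MAX_SID_SIZE];
    char refdom[256];
    DWORD sidlen = sizeof sid, domlen = sizeof refdom;
    SID_NAME_USE use;
    BOOL member = FALSE;
    int rc = AUTH_ERROR;

    /* A network logon checks the credentials without touching the account,
       so password-history policies are not triggered. */
    if (!LogonUserA(user, domain, pw, LOGON32_LOGON_NETWORK,
                    LOGON32_PROVIDER_DEFAULT, &tok))
        return GetLastError() == ERROR_LOGON_FAILURE ? AUTH_DENIED : AUTH_ERROR;

    /* Resolve the group name to a SID and test it against the token. */
    if (LookupAccountNameA(NULL, group, sid, &sidlen, refdom, &domlen, &use) &&
        CheckTokenMembership(tok, sid, &member))
        rc = member ? AUTH_OK : AUTH_NOT_MEMBER;
    CloseHandle(tok);
    return rc;
#else
    return AUTH_ERROR; /* no Windows logon API on this platform */
#endif
}
```

The caller should clear the password buffer after the call; the transport still needs its own protection, since this only replaces the verification step.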