RubySSPI - Enabling NTLM proxy authentication on Windows

All,

I’m pleased to announce the release of the RubySSPI library. So named
because it allows interaction with Microsoft’s Security Support
Provider Interface (SSPI) API, this library enables Ruby scripts using
Net::HTTP or open-uri to authenticate as the current Windows user with
proxy servers requiring NTLM authentication (e.g. Microsoft’s ISA).

What is it?

This library provides bindings to the Win32 SSPI libraries, which
implement various security protocols for Windows. The library was
primarily developed to give Negotiate/NTLM proxy authentication
abilities to Net::HTTP (and thus, open-uri), similar to support found
in Internet Explorer or Firefox.

The library is NOT an implementation of the NTLM protocol, and does
not give the ability to authenticate as any given user. It is able to
authenticate with a proxy server as the current user. It also does not
provide full bindings to the SSPI library, but could be extended in
that direction if anyone is so inclined. Someone recently mentioned
the idea of extending it to allow NTLM authentication with SQL server
(removing the need for usernames or passwords in configuration files).

What does it do for me?

If you are behind a proxy that authenticates all traffic, then this
library will enable your Ruby scripts to authenticate with the proxy
as the current user. This solves the shortcomings of other solutions
(such as Basic authentication or the Python APS proxy[1]) which
require you to enter your username and password in clear text at least
once.

It also enables scripts such as the “gem” commands to work without
special hacking. Methods of enabling these scripts are described in
the accompanying documentation.

Where is it?

http://rubyforge.org/projects/rubysspi

How do I install it?

gem install rubysspi

Once the gem is installed, view the RDoc documentation for complete
instructions on using the library.

Anything else?

Please use the forums on the project page for bug reports, support
requests, etc. Enjoy the library!

Justin

[1] A proxy, implemented in Python, which handles NTLM authentication
for you. It is implemented as a proxy-proxy, meaning you run it
locally and point all web traffic at it. It does require you enter
your username and password to work - it does not authenticate as the
“current” user. http://ntlmaps.sourceforge.net/

Justin B. wrote:

All,

I’m pleased to announce the release of the RubySSPI library. So named
because it allows interaction with Microsoft’s Security Support
Provider Interface (SSPI) API, this library enables Ruby scripts using
Net::HTTP or open-uri to authenticate as the current Windows user with
proxy servers requiring NTLM authentication (e.g. Microsoft’s ISA).

Hi Justin,

As I mentioned off-list, I’m curious if this can be used with DBI or
Rails for Sql Server to avoid storing passwords in a config file.

(It was actually Brian T. who brought this up originally:
http://tinyurl.com/y6pk2q).

Possible?

Thanks,

Dan

On 11/1/06, Daniel B. wrote:

Hi Justin,

As I mentioned off-list, I’m curious if this can be used with DBI or
Rails for Sql Server to avoid storing passwords in a config file.

When I put this together, I learned that the NTLM authentication
depends on an exchange of tokens, between the client and server. The
library implements this exchange. It first allows you to get an
initial token (SSPI::NegotiateAuth#get_initial_token), which is sent
to the server via some transport mechanism. A response is received,
which is passed back into the API
(SSPI::NegotiateAuth#complete_authentication). If the authentication
has succeeded, that call returns a value indicating so. The SSPI API
indicates that more exchanges may occur but I never ran into that
situation in my development, so my library doesn’t support it. It
could easily be added, though, since that back-and-forth is just
continued until something fails or succeeds.

Presumably, if SQL server follows the same model, a driver could be
coded which takes advantage of the Win32 API to do the authentication.
That also assumes someone wants to write a pure-Ruby SQL server
driver. I suspect most people are happy with the ODBC provided one,
which already supports this mechanism through its connection string
(i.e. “Integrated Security=SSPI”).

Justin
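
The token exchange described in the reply above, seen from the wire, as an added example that is not part of the original thread or of RubySSPI. It does not call SSPI; it decodes the `NTLM <base64>` values carried in the Proxy-Authorization and Proxy-Authenticate headers and checks that the initial token, the proxy's response and the client's final token arrive in order. The sample tokens are constructed (signature and message type only) and the function names are hypothetical.

```ruby
# Every NTLMSSP token starts with this 8-byte signature, followed by a
# 32-bit little-endian message type.
NTLMSSP_SIGNATURE = "NTLMSSP\0".b
MESSAGE_NAMES = { 1 => :negotiate, 2 => :challenge, 3 => :authenticate }.freeze

# Decode an "NTLM <base64>" or "Negotiate <base64>" header value and return
# the NTLMSSP message name. Returns nil for other schemes, bad base64, or a
# Negotiate token that is SPNEGO-wrapped rather than raw NTLMSSP.
def ntlm_message(header_value)
  scheme, blob = header_value.to_s.strip.split(/\s+/, 2)
  return nil unless %w[ntlm negotiate].include?(scheme.to_s.downcase) && blob
  raw = blob.unpack1("m0") # strict base64; raises ArgumentError if malformed
  return nil unless raw.bytesize >= 12 && raw.byteslice(0, 8) == NTLMSSP_SIGNATURE
  MESSAGE_NAMES[raw.byteslice(8, 4).unpack1("V")]
rescue ArgumentError
  nil
end

# Walk [sender, header_value] pairs in the order they crossed the wire and
# check them against negotiate -> challenge -> authenticate.
def check_exchange(steps)
  expected = [[:client, :negotiate], [:proxy, :challenge], [:client, :authenticate]]
  seen = steps.map { |sender, value| [sender, ntlm_message(value)] }
  return :complete if seen == expected
  return :incomplete if seen == expected.first(seen.size)
  :out_of_order
end

# Constructed token: valid signature and type, zero padding instead of the
# real flags, challenge and response fields.
def sample_token(type)
  [NTLMSSP_SIGNATURE + [type].pack("V") + ("\0".b * 20)].pack("m0")
end

# Constructed capture of one proxy handshake.
SAMPLE_EXCHANGE = [
  [:client, "NTLM #{sample_token(1)}"], # Proxy-Authorization on first request
  [:proxy,  "NTLM #{sample_token(2)}"], # Proxy-Authenticate on the 407 reply
  [:client, "NTLM #{sample_token(3)}"]  # Proxy-Authorization on the retry
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_EXCHANGE.each { |who, value| puts "#{who}: #{ntlm_message(value)}" }
  puts check_exchange(SAMPLE_EXCHANGE)
end
```
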

On 11/13/06, Charles R. wrote:

In order to use gems transparently with RubySSPI, I simply opened up
the gem.bat file in %rubydir%\bin and changed line 6 to read:

Glad to hear it worked for you! If you are adventurous enough, there
is also a small patch script included that will update Ruby’s net/http
library to handle NTLM authentication transparently. Details should be
in the README.

Thanks for the kind words!

Justin

On Nov 1, 5:02 pm, “Justin B.” wrote:

I’m pleased to announce the release of the RubySSPI library.

Wow, Justin, thanks so much, this is a godsend. I just tried installing
Ruby at work (behind an NTLM proxy) and instantly discovered I couldn’t
use gems. I did a bit of googling this morning, found this post and
tried RubySSPI, half expecting something not to work, as is so often
the case. But, to my delight, after adding the HTTP_PROXY environment
variable and copying spa.rb to site_ruby directory it worked first time
with absolutely no hassle (hint to anyone else reading this: read the
README.txt file in the rubysspi gem directory).

In order to use gems transparently with RubySSPI, I simply opened up
the gem.bat file in %rubydir%\bin and changed line 6 to read:

"%~d0%~p0ruby" -x -rspa "%~f0" %*

(I just added the -rspa).

Now gems works just like it does when not behind an NTLM proxy. As a
test, I’ve successfully installed Rails and Mongrel without errors.

Nice work and thanks once again.

Charles

Justin B. wrote:

All,

I’m pleased to announce the release of the RubySSPI library. So named
because it allows interaction with Microsoft’s Security Support
Provider Interface (SSPI) API, this library enables Ruby scripts using
Net::HTTP or open-uri to authenticate as the current Windows user with
proxy servers requiring NTLM authentication (e.g. Microsoft’s ISA).

Just to add another vote of thanks for this. I’ve been stuck behind
big-bank corporate proxies with NTLM authentication since before the
dawn of gems and today marks the first time that I’ve ever been able to
use “gem install” and have it just work.

This is a significant step in increasing the likelihood of Ruby
adoption in large organisations - I expect it to reduce significantly
the size of hurdle that potential adopters have to leap.

Thanks!

Mike W.