Gap
CredSSP is not supported. Some locked-down environments mandate it (and it enables credential delegation / second-hop). We currently support Negotiate/Kerberos/NTLM/Basic.
Current state
- Auth methods in
crates/ironposh-client-core/src/connector/auth_sequence.rs / authenticator.rs (via sspi). No CredSSP path.
Required
- Add a CredSSP auth method (the
sspi crate provides a CredSSP implementation — wire it into the auth sequence).
- WinRM message encryption with CredSSP uses its own MIME boundary and 16 KB chunking — implement the CredSSP wrap/unwrap path (distinct from SPNEGO sealing) in
connector/encryption.rs.
- Expose
--auth-method credssp in the tokio client.
Acceptance
- e2e: connect + run a command over HTTP with CredSSP (sealed) and over HTTPS, mirroring the existing transport/auth matrix cells.
References
- pypsrp
encryption.py (CredSSP 16 KB chunking) + wsman.py credssp path.
sspi crate CredSSP.
Gap
CredSSP is not supported. Some locked-down environments mandate it (and it enables credential delegation / second-hop). We currently support Negotiate/Kerberos/NTLM/Basic.
Current state
crates/ironposh-client-core/src/connector/auth_sequence.rs/authenticator.rs(viasspi). No CredSSP path.Required
sspicrate provides a CredSSP implementation — wire it into the auth sequence).connector/encryption.rs.--auth-method credsspin the tokio client.Acceptance
References
encryption.py(CredSSP 16 KB chunking) +wsman.pycredssp path.sspicrate CredSSP.