Re: [RFC] merging NTLM and Negotiate scheme components

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 17 Dec 2011 03:51:57 +1300

On 17/12/2011 3:42 a.m., Henrik Nordström wrote:
> On Fri 2011-12-16 at 22:09 +1300, Amos Jeffries wrote:
>> As Henrik mentioned a few days ago the NTLM and Negotiate auth logics
>> are pretty much cut-n-paste copies of each other with a bit of symbol
>> renaming and a slight difference in bugs. The more I abstract the
>> objects back to a single core auth library with inherited
>> scheme-specific objects, the more this becomes visible.
> Hmm.. wonder what happened with kerberos? Which btw should be identical
> to negotiate except for scheme name.

There is a comment in the Negotiate code accepting it as input but
essentially saying "erase on sight, never advertise as an auth scheme".

>
> NTLM = Microsoft NTLMSSP
> Kerberos = GSSAPI
> Negotiate = Microsoft SPNEGO
>
> SPNEGO is a thin wrapper negotiating the actual auth method. I.e.
> normally GSSAPI or NTLM, but also open for additional methods.
>
>> I've been wondering whether it would be a good idea to make these two
> component libraries inherit from each other one way or another instead
>> of independently from the abstracted auth core objects.
> Yes, abstracting the stateful auth scheme would be beneficial. NTLM and
> Negotiate/Kerberos only differ slightly in one of the helper commands.
>
> Regards
> Henrik
>

Thanks. Onto the TODO list with it then.

Amos
Received on Fri Dec 16 2011 - 14:52:08 MST
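
The scheme mapping quoted in the thread (NTLMSSP, GSSAPI/Kerberos, and SPNEGO as a thin wrapper around them) can be seen in the first bytes of an initial auth token. The following is an added example, not code from this thread or from Squid; `classify`, `read_tlv`, `der` and the sample tokens are hypothetical names and constructed data.

```python
import base64
OID_SPNEGO = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
OID_NTLM = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECHS = {OID_SPNEGO: "SPNEGO", OID_KRB5: "Kerberos", OID_NTLM: "NTLM"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def classify(b64_token):
    """Return (wrapper, offered mechanisms) for an initial base64 auth token."""
    try:
        token = base64.b64decode(b64_token, validate=True)
        if token.startswith(b"NTLMSSP\x00"):
            return "none", ["NTLM"]             # bare NTLMSSP, no GSSAPI framing
        tag, body, _ = read_tlv(token, 0)       # GSSAPI InitialContextToken
        oid_tag, oid, rest = read_tlv(body, 0)  # mechanism OID
        if tag != 0x60 or oid_tag != 0x06:
            return "unknown", []
        if oid != OID_SPNEGO:
            return "GSSAPI", [MECHS.get(oid, "unknown")]
        # NegTokenInit: [0] { SEQUENCE { mechTypes [0] { SEQUENCE OF OID } ... } }
        value = body[rest:]
        for expected in (0xA0, 0x30, 0xA0, 0x30):
            tag, value, _ = read_tlv(value, 0)
            if tag != expected:
                return "malformed", []
        mechs, pos = [], 0
        while pos < len(value):
            _, oid, pos = read_tlv(value, pos)
            mechs.append(MECHS.get(oid, "unknown"))
        return "SPNEGO", mechs
    except (IndexError, ValueError):  # bad base64 or truncated DER
        return "malformed", []

def der(tag, value):  # short-form DER encoder for the constructed samples below
    return bytes([tag, len(value)]) + value
SAMPLE_NTLM = base64.b64encode(b"NTLMSSP\x00" + (1).to_bytes(4, "little")).decode()
SAMPLE_KRB5 = base64.b64encode(der(0x60, der(0x06, OID_KRB5) + b"\x01\x00")).decode()
MECH_LIST = der(0x30, der(0x06, OID_KRB5) + der(0x06, OID_NTLM))
SAMPLE_SPNEGO = base64.b64encode(der(0x60, der(0x06, OID_SPNEGO) + der(0xA0, der(0x30, der(0xA0, MECH_LIST))))).decode()
```
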
