On 05.03.13 23:19, Amos Jeffries wrote:
> Very slightly. Mostly on the grounds that NTLM is an officially
> deprecated protocol - adding improved support for it is counter
> productive to the goals of eradicating it from the Internet.
As much as I'd love to see the back of NTLM, there doesn't seem to be a
way of eradicating it (in Windows networks). In order to use Kerberos
you need to offer Negotiate authentication, which automatically means
you have to support NTLM (since that's also part of Negotiate). Windows
machines that are logged onto the domain will use Kerberos, but those
not logged onto the domain will use NTLM in preference to Basic. I'm
not sure what happens if both Negotiate and Digest are offered; but
Digest is unfortunately not always suitable (depending on the
authentication backend).
> As submitted the patch will completely break on all installations which
> allow / or @ characters in usernames. I am aware that there are
> definitely some networks allowing those - whether they use PAM is unknown.
>
> This will need at least a helper command line option to enable the
> stripping. I suggest the -r option as previously used in
> negotiate_kerberos_auth.
> http://www.squid-cache.org/Versions/v3/3.2/manuals/negotiate_kerberos_auth.html
Fair point - I had assumed that \ and @ wouldn't ever be used under PAM,
but it is reasonable to make this functionality optional.
I've attached the revised patch covering these comments and the comments
you made in the other email.
Many thanks.
--
 - Steve Hill
   Technical Director
   Opendium Limited     http://www.opendium.com

Direct contacts:
   Instant messager: xmpp:steve_at_opendium.com
   Email:            steve_at_opendium.com
   Phone:            sip:steve_at_opendium.com

Sales / enquiries contacts:
   Email:            sales_at_opendium.com
   Phone:            +44-844-9791439 / sip:sales_at_opendium.com

Support contacts:
   Email:            support_at_opendium.com
   Phone:            +44-844-4844916 / sip:support_at_opendium.com
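The behaviour the thread settles on (strip the NT-style DOMAIN\ prefix and the Kerberos-style @REALM suffix only when an -r option is given, so sites that permit \ or @ in usernames are not broken) as an added illustration in C; this is not the patch discussed above nor Squid's own helper code, and the -r flag name and the one-username-per-line input are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Copy the username from `in` to `out`, optionally removing the domain or
 * realm decoration. With strip_enabled == 0 the name passes through
 * untouched, which is what sites allowing '\' or '@' in usernames need.
 * Returns the length of the result written to `out`. */
size_t normalize_user(const char *in, char *out, size_t outlen, int strip_enabled)
{
    const char *start = in;
    const char *end = in + strlen(in);

    if (strip_enabled) {
        const char *bs = strrchr(in, '\\');   /* DOMAIN\user -> user */
        if (bs)
            start = bs + 1;
        const char *at = strchr(start, '@');  /* user@REALM -> user */
        if (at)
            end = at;
    }
    size_t n = (size_t)(end - start);
    if (n >= outlen)                          /* never overflow the caller's buffer */
        n = outlen - 1;
    memcpy(out, start, n);
    out[n] = '\0';
    return n;
}

/* Demo only: "-r" turns stripping on (assumed flag name); one username per line. */
int main(int argc, char **argv)
{
    int strip = (argc > 1 && strcmp(argv[1], "-r") == 0);
    char line[256], user[256];
    while (fgets(line, sizeof line, stdin)) {
        line[strcspn(line, "\r\n")] = '\0';
        normalize_user(line, user, sizeof user, strip);
        printf("%s -> %s\n", line, user);
    }
    return 0;
}
```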
This archive was generated by hypermail 2.2.0 : Sat Mar 09 2013 - 12:00:12 MST