Hello, just to make this point clear:

Cntlm doesn't and never have used libntlm library, any parts thereof, nor any other external library for that matter, linked or source-included. Entire code was written by me from scratch, in a clean room environment. I wrote it at the beginning of 2006 for non-Windows systems in the corporation I worked for and GPL'd it about year later. As acknowledged and documented, I imported MD4, MD5, HMAC-MD5, Base64 and DES routines. Those come from gnulib, an excellent source of high quality, well tested GPL code.

Unfortunately, libntlm didn't exist at the time and in fact still couldn't be used today. I just had a look at it and it apparently provides only the common basic set of NTLMv1 features (just like other "NTLM-enabled" Linux projects). Cntlm has to support all NTLM variants, including some optional (but in reality required) NTLMv2 features and flags. Apart from full NTLM, NTLMv2 and NTLM2SR protocols, Cntlm implements NT- and LM(2)-only modes for legacy appliances/networks, the nowadays often used backwards-compatible LM2 higher security extension used in mixed NTLM/NTLMv2 domains and of course NTLMv2 signing / security options. To my knowledge, there is no other GPL C code including all this functionality except for Samba, I'd presume, but their code-base is way too intricate and has too many (intra-)dependencies to be useful in a minimalistic humble daemon like Cntlm. :)

As far as "security maintenance" goes, there hasn't been a single security (or memory management) bug in the 4 years of public use -- if I remember correctly.

--
David Kubicek





--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to