On 6/03/2013 10:39 p.m., Steve Hill wrote:
> On 05.03.13 23:19, Amos Jeffries wrote:
>> Very slightly. Mostly on the grounds that NTLM is an officially
>> deprecated protocol - adding improved support for it is counter-
>> productive to the goals of eradicating it from the Internet.
> As much as I'd love to see the back of NTLM, there doesn't seem to be
> a way of eradicating it (in Windows networks). In order to use
> Kerberos you need to offer Negotiate authentication, which
> automatically means you have to support NTLM (since that's also part
> of Negotiate). Windows machines that are logged onto the domain will
> use Kerberos, but those not logged onto the domain will use NTLM in
> preference to Basic. I'm not sure what happens if both Negotiate and
> Digest are offered; but Digest is unfortunately not always suitable
> (depending on the authentication backend).
>> As submitted the patch will completely break on all installations which
>> allow \ or @ characters in usernames. I am aware that there are
>> definitely some networks allowing those - whether they use PAM is
>> unknown.
>> This will need at least a helper command line option to enable the
>> stripping. I suggest the -r option as previously used in
>> negotiate_kerberos_auth.
>> http://www.squid-cache.org/Versions/v3/3.2/manuals/negotiate_kerberos_auth.html
> Fair point - I had assumed that \ and @ wouldn't ever be used under
> PAM, but it is reasonable to make this functionality optional.
> I've attached the revised patch covering these comments and the
> comments you made in the other email.
> Many thanks.
+1 if the committer makes that usage help text:
"-r Detect and remove Negotiate/NTLM realm from username"
Amos
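The realm stripping discussed above, as an added C example; this is not code from Steve's patch or from any Squid helper. The function name strip_realm, the strip_enabled flag standing in for a -r command line option, and the sample usernames in main() are all assumptions constructed for illustration. It shows both forms the thread mentions (an NTLM "DOMAIN\user" prefix and a Kerberos "user@REALM" suffix), why the stripping must be optional (a PAM account legitimately named with an @ would be mangled when it is on), and the bounded copy a helper should do before handing the name to the backend.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the helper's own code.
 * Mimics an optional "-r" behaviour: when strip_enabled is non-zero,
 * remove an NTLM "DOMAIN\" prefix and/or a Kerberos "@REALM" suffix
 * from the username before it is passed to the backend (PAM here).
 * Returns the number of characters written to out, or -1 if out is
 * too small. With strip_enabled == 0 the name is copied unchanged. */
int strip_realm(const char *user, int strip_enabled, char *out, size_t outlen)
{
    const char *start = user;
    const char *end = user + strlen(user);

    if (strip_enabled) {
        /* NTLM form: DOMAIN\user -> keep everything after the first
         * backslash (assumption: a domain name never contains one). */
        const char *bs = strchr(user, '\\');
        if (bs)
            start = bs + 1;
        /* Kerberos form: user@REALM -> keep everything before the last
         * '@' (assumption: a realm never contains '@'). */
        const char *at = strrchr(start, '@');
        if (at)
            end = at;
    }

    size_t len = (size_t)(end - start);
    if (len + 1 > outlen)
        return -1;            /* refuse to truncate silently */
    memcpy(out, start, len);
    out[len] = '\0';
    return (int)len;
}

/* Stand-alone demo over constructed usernames (not real accounts). */
int main(void)
{
    static const char *samples[] = {
        "EXAMPLE\\alice",       /* NTLM-style name from Negotiate */
        "alice@EXAMPLE.COM",    /* Kerberos principal name */
        "alice@example.com",    /* a legitimate PAM login containing '@' */
        "alice",                /* plain name, untouched either way */
    };
    char buf[64];
    size_t i;

    printf("%-22s %-22s %s\n", "input", "-r off", "-r on");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char off[64];
        if (strip_realm(samples[i], 0, off, sizeof off) < 0 ||
            strip_realm(samples[i], 1, buf, sizeof buf) < 0) {
            printf("%-22s <too long>\n", samples[i]);
            continue;
        }
        printf("%-22s %-22s %s\n", samples[i], off, buf);
    }
    return 0;
}
```

The third sample is the breakage Amos raises: with the option on, "alice@example.com" reaches PAM as "alice", which is a different account, so the default has to be off and the site enables -r only when it knows its backend never uses those characters.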