httpd-dev mailing list archives

From "Life is hard, and then you die" <>
Subject Re: Announce: NTLM authentication module
Date Mon, 08 May 2000 00:34:28 GMT

On Tue, May 02, 2000 at 11:04:41PM +0000, Tim Costello wrote:
> On Wednesday, 3 May 2000, Bill Stoddard wrote:
> > Isn't challenge/response somewhat like digest authentication?  How prevalent is it used?
> > Does it work with browsers other than IE?
> Somewhat. An excellent resource on NTLM authentication can be found at
> Bits of this discussion also happened

Note that the LanManager and Windows NT encryption info in there (which is
at the core of the stuff) was basically retrieved from the samba doc - I'm not sure
whether that info is "protected" by any license.

> before in November 1999 - take a look in the new-httpd archive for 199911, and
> follow the thread with subject
> "Kerberos authentication and authentication (proxy ticket forwarding)".
> The issues raised were:
>     * NTLM authentication breaks HTTP (connection based auth rather than
>       request based)
>     * As a consequence, it would be difficult to write an NTLM auth module

Sylvia solved this in an interesting way: she uses a cookie to keep track
of the fact that the browser already authenticated itself (i.e. the Cookie
header is in some ways replacing the Authorization header). Of course this
reduces the security of the whole thing to about that of Basic auth, as
anybody who can capture the cookie can access the protected resources. OTOH
given the problems NTLM has anyway it probably doesn't matter that much.

A different solution would be to hang something off the conn_rec (some sort
of conn_config similar to the request_config in request_rec) to note that
the connection has been authenticated (then an attacker would have to hijack
the TCP connection - possible, but harder). That would also prevent the lookup
in shared memory on each request.
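As an added illustration (not Sylvia's module and not code from the Apache tree), the following Python model contrasts the two ways of remembering a completed NTLM handshake that the message describes: a note hung off the connection object versus a cookie looked up in a shared table. The NTLM messages are stand-in strings and the Type 3 check is a constructed placeholder, not real NTLM verification.

```python
# Added illustration: connection-scoped vs cookie-scoped NTLM auth state.
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Conn:
    """One TCP connection; `authenticated` plays the role of the conn_config note."""
    cid: int
    authenticated: Optional[str] = None  # user once the handshake completed here
    challenge: Optional[bytes] = None    # Type 2 challenge outstanding on this conn

# Shared table used by the cookie approach: cookie token -> user
COOKIE_SESSIONS: dict = {}

def handle(conn: Conn, headers: dict, mode: str) -> tuple:
    """Process one request on `conn`; mode is 'connection' or 'cookie'."""
    # 1. Handshake already completed on this very connection.
    if conn.authenticated:
        return 200, {}
    # 2. Cookie approach: a cookie issued earlier is honoured on any connection.
    if mode == "cookie":
        token = headers.get("Cookie", "").removeprefix("ntlmauth=")
        if token in COOKIE_SESSIONS:
            return 200, {}
    auth = headers.get("Authorization", "")
    # 3. The handshake itself: Type 1 -> Type 2 challenge, Type 3 -> verify.
    if auth == "NTLM TYPE1":
        conn.challenge = secrets.token_bytes(8)
        return 401, {"WWW-Authenticate": f"NTLM TYPE2 {conn.challenge.hex()}"}
    if auth.startswith("NTLM TYPE3 ") and conn.challenge:
        # Placeholder check: the token "user:<challenge hex>" stands in for
        # verifying the real NTLM response against the stored password hash.
        user, _, echoed = auth[len("NTLM TYPE3 "):].partition(":")
        if echoed == conn.challenge.hex():
            conn.challenge, conn.authenticated, resp = None, user, {}
            if mode == "cookie":
                token = secrets.token_urlsafe(16)
                COOKIE_SESSIONS[token] = user
                resp["Set-Cookie"] = f"ntlmauth={token}"
            return 200, resp
    return 401, {"WWW-Authenticate": "NTLM"}

def scenario(mode: str) -> tuple:
    """Handshake on conn 1, then present only its cookie (if any) from a fresh conn 2."""
    c1 = Conn(1)
    _, h = handle(c1, {"Authorization": "NTLM TYPE1"}, mode)
    chal = h["WWW-Authenticate"].split()[-1]
    status1, h = handle(c1, {"Authorization": f"NTLM TYPE3 alice:{chal}"}, mode)
    # A captured cookie replayed on another connection: 200 in cookie mode,
    # 401 in connection mode, where the new connection must redo the handshake.
    status2, _ = handle(Conn(2), {"Cookie": h.get("Set-Cookie", "")}, mode)
    return status1, status2
```

In connection mode the second connection is refused until it completes its own handshake, which is the point of the message: only a TCP-level hijack would inherit the authenticated state.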