Re: [PATCH] Strip Windows domain in PAM basic authenticator

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 09 Mar 2013 17:39:52 +1300

On 6/03/2013 10:39 p.m., Steve Hill wrote:
> On 05.03.13 23:19, Amos Jeffries wrote:
>
>> Very slightly. Mostly on the grounds that NTLM is an officially
>> deprecated protocol - adding improved support for it is counter
>> productive to the goals of eradicating it from the Internet.
>
> As much as I'd love to see the back of NTLM, there doesn't seem to be
> a way of eradicating it (in Windows networks). In order to use
> Kerberos you need to offer Negotiate authentication, which
> automatically means you have to support NTLM (since that's also part
> of Negotiate). Windows machines that are logged onto the domain will
> use Kerberos, but those not logged onto the domain will use NTLM in
> preference to Basic. I'm not sure what happens if both Negotiate and
> Digest are offered; but Digest is unfortunately not always suitable
> (depending on the authentication backend).
>
>> As submitted the patch will completely break on all installations which
>> allow / or @ characters in usernames. I am aware that there are
>> definitely some networks allowing those - whether they use PAM is
>> unknown.
>>
>> This will need at least a helper command line option to enable the
>> stripping. I suggest the -r option as previously used in
>> negotiate_kerberos_auth.
>> http://www.squid-cache.org/Versions/v3/3.2/manuals/negotiate_kerberos_auth.html
>>
>
> Fair point - I had assumed that \ and @ wouldn't ever be used under
> PAM, but it is reasonable to make this functionality optional.
>
> I've attached the revised patch covering these comments and the
> comments you made in the other email.
>
> Many thanks.
>

+1 if the committer makes that usage help text:
    "-r Detect and remove Negotiate/NTLM realm from username"

Amos
Received on Sat Mar 09 2013 - 04:40:04 MST
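As an added illustration, not part of this thread or of the submitted patch, the C function below shows the behaviour the discussion wants gated behind a -r option: with stripping disabled the name is passed to PAM unchanged, so a site whose PAM usernames legitimately contain \ or @ is unaffected; with it enabled, a leading DOMAIN\ or trailing @REALM is removed, and a name that would become empty is rejected rather than handed to PAM. The function name, the flag, and the sample names are assumptions made for the example; it does not reproduce basic_pam_auth's actual code.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Copy `user` into `out`, optionally stripping the Negotiate/NTLM realm.
 *
 *   strip == 0 : copy verbatim (default; safe for sites whose PAM usernames
 *                contain '\\' or '@')
 *   strip != 0 : drop a leading "DOMAIN\\" (NTLM style) and a trailing
 *                "@REALM" (Kerberos principal style)
 *
 * Returns `out`, or NULL when the result would be empty (never hand an
 * empty account name to PAM) or when `out` is too small.
 * Hypothetical helper written for this example, not Squid's own code.
 */
const char *strip_realm(const char *user, int strip, char *out, size_t outlen)
{
    const char *start = user;
    size_t len = strlen(user);

    if (strip) {
        /* NTLM form: DOMAIN\user -> keep what follows the first backslash */
        const char *bs = strchr(start, '\\');
        if (bs) {
            start = bs + 1;
            len = strlen(start);
        }
        /* Kerberos form: user@REALM -> cut at the last '@' */
        const char *at = strrchr(start, '@');
        if (at)
            len = (size_t)(at - start);
    }

    if (len == 0 || len + 1 > outlen)
        return NULL;

    memcpy(out, start, len);
    out[len] = '\0';
    return out;
}

/* Stand-alone demonstration on constructed sample names. */
int main(void)
{
    /* Constructed inputs: not taken from any real system. */
    static const char *const samples[] = {
        "EXAMPLE\\alice",      /* NTLM domain prefix */
        "alice@EXAMPLE.COM",   /* Kerberos realm suffix */
        "plain.user",          /* nothing to strip */
        "site\\local@user",    /* a PAM name that itself uses \\ and @ */
        "EXAMPLE\\",           /* degenerate: nothing left after stripping */
    };
    char buf[128];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *off = strip_realm(samples[i], 0, buf, sizeof buf);
        printf("%-20s  -r off: %s", samples[i], off ? off : "(rejected)");
        const char *on = strip_realm(samples[i], 1, buf, sizeof buf);
        printf("  -r on: %s\n", on ? on : "(rejected)");
    }
    return 0;
}
```

The fourth sample is the case raised in the thread: with -r off the name reaches PAM intact, with -r on it is mangled to "local", which is why stripping must stay opt-in rather than the helper's default.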

This archive was generated by hypermail 2.2.0 : Sat Mar 09 2013 - 12:00:12 MST