Re: NTLM

From: Robert Collins <robert.collins@dont-contact.us>
Date: Sun, 24 Feb 2002 16:08:04 +1100

----- Original Message -----
From: "Henrik Nordstrom" <hno@squid-cache.org>
To: "Robert Collins" <robert.collins@itdomain.com.au>; "Squid Developers Mailinglist" <squid-dev@squid-cache.org>
Sent: Sunday, February 24, 2002 2:43 PM
Subject: Re: NTLM

> On Sunday 24 February 2002 04:15, Robert Collins wrote:
>
> > As for handing the negotiate packet to the helper, we're actually
> > considering giving the helper less, not more. The winbindd helper
> > opens the door to allowing squid generated challenges, which means
> > much more efficient processing, and less complex internal
> > structures, but on the down side needs more smarts. So we're
> > looking at a protocol v4 in the next release anyway.
>
> From a security perspective I would prefer if the challenge was
> generated outside of Squid. I do not want Squid to require the needed
> permissions to get into said "secure channel".

It's an admin issue. If squid is compromised it can always issue chosen
plaintext.

> I am pretty sure the winbind people agree on this principle.

Actually, they think squid should generate the challenge too :}.

> There are reasons why the endpoints need to be authenticated to
> perform this type of authentication. Nothing major, but still...

Sure. The point is that squid is known, auditable, and is an application
on the member machine. Pretty much the same goes on NT, if you are on
the machine, you can do this.

Rob
Received on Sat Feb 23 2002 - 22:07:11 MST
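The exchange being argued over, written out as an added example (this is illustrative Go code, not Squid's, winbindd's or Samba's own implementation): whichever side "owns" the challenge picks the 8-byte plaintext, the client encrypts it under three DES keys derived from the NT hash, and the verifier (the helper or the domain controller, which holds the hash) recomputes and compares. The NT hash below is a constructed constant, not the hash of any real password; the zero-hash/zero-challenge case is included only because its output is the standard DES test vector. It also shows the point Rob concedes: a party that controls the challenge controls the plaintext, so with a fixed challenge the response becomes a stable, replayable token.

```go
package main

import (
	"crypto/des"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// expandDESKey spreads a 7-byte (56-bit) key fragment across 8 bytes, seven
// key bits per byte, low bit left as the parity bit crypto/des ignores.
func expandDESKey(k7 []byte) []byte {
	var k uint64
	for _, b := range k7[:7] {
		k = k<<8 | uint64(b)
	}
	k8 := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		k8[i] = byte(k&0x7F) << 1
		k >>= 7
	}
	return k8
}

// ntlmv1Response is the NTLMv1 (NT) response: the 16-byte NT hash is
// zero-padded to 21 bytes, split into three 7-byte DES keys, and each key
// encrypts the 8-byte server challenge. The challenge is the plaintext.
func ntlmv1Response(ntHash [16]byte, challenge [8]byte) [24]byte {
	var padded [21]byte
	copy(padded[:], ntHash[:])
	var resp [24]byte
	for i := 0; i < 3; i++ {
		blk, err := des.NewCipher(expandDESKey(padded[i*7 : i*7+7]))
		if err != nil {
			panic(err) // key length is fixed above, so this cannot happen
		}
		blk.Encrypt(resp[i*8:i*8+8], challenge[:])
	}
	return resp
}

// verifyResponse is what the hash holder does: recompute and compare in
// constant time. It needs the NT hash, which is why the thread cares about
// who may hold the challenge and who must hold the hash.
func verifyResponse(ntHash [16]byte, challenge [8]byte, resp [24]byte) bool {
	want := ntlmv1Response(ntHash, challenge)
	return subtle.ConstantTimeCompare(want[:], resp[:]) == 1
}

// newChallenge is the honest server's job: 8 unpredictable bytes per
// authentication, so no two responses share a plaintext.
func newChallenge() ([8]byte, error) {
	var c [8]byte
	_, err := rand.Read(c[:])
	return c, err
}

func main() {
	// Constructed NT hash for the demo; not derived from any password.
	ntHash := [16]byte{
		0xa4, 0xf4, 0x9c, 0x40, 0x65, 0x10, 0xbd, 0xca,
		0xb6, 0x82, 0x4e, 0xe7, 0xc3, 0x0f, 0xd8, 0x52,
	}

	// Normal flow: fresh random challenge, client response, verification.
	chal, err := newChallenge()
	if err != nil {
		panic(err)
	}
	resp := ntlmv1Response(ntHash, chal)
	fmt.Printf("challenge %s -> response %s, valid=%v\n",
		hex.EncodeToString(chal[:]), hex.EncodeToString(resp[:]),
		verifyResponse(ntHash, chal, resp))

	// A compromised challenge generator can fix the plaintext: the
	// response no longer varies, so one captured response replays, and
	// the per-key ciphertexts can be precomputed against candidate hashes.
	fixed := [8]byte{0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}
	r1 := ntlmv1Response(ntHash, fixed)
	r2 := ntlmv1Response(ntHash, fixed)
	fmt.Printf("fixed challenge: response stable across sessions = %v\n", r1 == r2)
}
```

With a Squid-generated challenge the verifier still needs the hash, so the winbindd side of the split does not move; what moves is who picks the plaintext, which is the trade-off both posters are weighing.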