Re: [PATCH] Strip Windows domain in PAM basic authenticator

From: Steve Hill <steve_at_opendium.com>
Date: Wed, 06 Mar 2013 09:39:32 +0000

On 05.03.13 23:19, Amos Jeffries wrote:

> Very slightly. Mostly on the grounds that NTLM is an officially
> deprecated protocol - adding improved support for it is counter-
> productive to the goals of eradicating it from the Internet.

As much as I'd love to see the back of NTLM, there doesn't seem to be a
way of eradicating it (in Windows networks). In order to use Kerberos
you need to offer Negotiate authentication, which automatically means
you have to support NTLM (since that's also part of Negotiate). Windows
machines that are logged onto the domain will use Kerberos, but those
not logged onto the domain will use NTLM in preference to Basic. I'm
not sure what happens if both Negotiate and Digest are offered; but
Digest is unfortunately not always suitable (depending on the
authentication backend).

> As submitted the patch will completely break on all installations which
> allow / or @ characters in usernames. I am aware that there are
> definitely some networks allowing those - whether they use PAM is unknown.
>
> This will need at least a helper command line option to enable the
> stripping. I suggest the -r option as previously used in
> negotiate_kerberos_auth.
> http://www.squid-cache.org/Versions/v3/3.2/manuals/negotiate_kerberos_auth.html

Fair point - I had assumed that \ and @ wouldn't ever be used under PAM,
but it is reasonable to make this functionality optional.

I've attached the revised patch covering these comments and the comments
you made in the other email.

Many thanks.

-- 
  - Steve Hill
    Technical Director
    Opendium Limited     http://www.opendium.com
Direct contacts:
    Instant messenger: xmpp:steve_at_opendium.com
    Email:            steve_at_opendium.com
    Phone:            sip:steve_at_opendium.com
Sales / enquiries contacts:
    Email:            sales_at_opendium.com
    Phone:            +44-844-9791439 / sip:sales_at_opendium.com
Support contacts:
    Email:            support_at_opendium.com
    Phone:            +44-844-4844916 / sip:support_at_opendium.com

Received on Wed Mar 06 2013 - 09:39:40 MST

This archive was generated by hypermail 2.2.0 : Sat Mar 09 2013 - 12:00:12 MST
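As an added illustration, not the attached patch (which is not reproduced on this archive page) nor any Squid project code, the following Python sketches the opt-in stripping behaviour the reply agrees to and the breakage Amos describes: with the option off, the username passes through unchanged; with it on, `DOMAIN\user` and `user@REALM` collapse to `user`, which also collapses any local account that legitimately contains `\` or `@`, and makes the same account name from two different domains indistinguishable to the PAM backend. The function names and sample usernames are constructed for this example.

```python
"""Illustration of optional Windows-domain stripping for a Basic auth helper.

This is example code written for this page, not the patch from the thread
and not Squid's basic_pam_auth. The `strip` flag plays the role of the
command-line option (the thread suggests -r) that turns the behaviour on.
"""


def strip_windows_domain(username: str, strip: bool = False) -> str:
    """Return the bare account name from a Windows-style login.

    Two forms are handled, matching what Windows clients put in Basic
    credentials when they fall back from Negotiate:
      DOMAIN\\user         down-level logon name
      user@REALM.EXAMPLE   user principal name (UPN)
    With strip=False (helper run without the option) the name is returned
    untouched, so sites that allow '\\' or '@' in local account names keep
    working.  When both separators are present the down-level form wins:
    only the text up to the first backslash is treated as the domain.
    """
    if not strip:
        return username
    if "\\" in username:
        _domain, _, account = username.partition("\\")
        return account
    if "@" in username:
        # The realm is everything after the last '@'.
        account, _, _realm = username.rpartition("@")
        return account
    return username


def find_collisions(usernames, strip: bool = True):
    """Map each post-stripping name to the distinct logins that produce it.

    Returns only the names that more than one login maps to.  This is the
    check an administrator would want before enabling stripping: if two
    domains (or a local account containing '@') share a bare name, PAM can
    no longer tell them apart.
    """
    seen = {}
    for login in usernames:
        seen.setdefault(strip_windows_domain(login, strip), []).append(login)
    return {bare: logins for bare, logins in seen.items() if len(logins) > 1}


if __name__ == "__main__":
    # Constructed sample logins, not real accounts.
    samples = ["CORP\\alice", "OTHER\\alice", "alice@CORP.EXAMPLE", "dev@ops", "bob"]
    for login in samples:
        print(f"{login!r:24} off={strip_windows_domain(login)!r:24} "
              f"on={strip_windows_domain(login, strip=True)!r}")
    print("collisions with stripping on:", find_collisions(samples))
```

Running the script with stripping off leaves every login alone; with it on, the three `alice` variants become one name and the local account `dev@ops` loses its suffix, which is exactly why the option must default to off.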