curl-library
Re: problem using NTLM authentication with default OS credentials
Date: Sat, 12 Jul 2014 17:00:47 +0100
On Fri, 2014-07-11 at 15:50 +0200, Michael Osipov wrote:
>
> In my opinion, we can refer to the HTTP standard which mandates to use
> strongest to weakest auth. So curl would actually need to prioritize
> authentication and try in that order:
>
> Kerberos > Negotiate > Digest > NTLM_WB > NTLM > Basic.
>
> KRB 5 comes before SPNEGO, because it can downgrade to NTLM which is less
> secure. Digest comes before NTLM because, again, less secure and
> proprietary.

Another point of view would be that NTLM_WB comes before Digest. You are
focusing on the protocol on the wire, which is too narrow.

In the grand scheme of things, automatic authentication with single sign
on *has* to be better than making the user pass a password around to
curl in cleartext so that it can do the Digest auth for itself.

-- dwmw2
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html