Hi André,
On 29-3-2012 10:59, André Warnier wrote:
>> I was considering forking the module and fixing bugs like these, but
>> I am not quite sure how much sense that makes given the fact that
>> NTLM is deprecated technology.
> Huh ? Who said that ? To my knowledge, 99% of large corporations use
> NTLM (Windows Domain Authentication) as their basic AAA mechanism.
Well, Microsoft said that:
"Implementers should be aware that NTLM does not support any recent
cryptographic methods, such as AES or SHA-256. It uses cyclic redundancy
check (CRC)
<http://msdn.microsoft.com/en-us/library/780943e9-42e6-4dbe-aa87-1dce828ba82a%28v=prot.10%29#CRC>
or message digest algorithms ([RFC1321]
<http://go.microsoft.com/fwlink/?LinkId=90275>) for integrity, and it
uses RC4 for encryption. Deriving a key
<http://msdn.microsoft.com/en-us/library/0aa17e1f-b3c1-478a-9bf0-2d826888d081%28v=prot.10%29#key>
from a password is as specified in [RFC1320]
<http://go.microsoft.com/fwlink/?LinkId=90274> and [FIPS46-2]
<http://go.microsoft.com/fwlink/?LinkId=89871>. Therefore, applications
are generally advised not to use NTLM.<74>
<http://msdn.microsoft.com/en-us/library/a211d894-21bc-4b8b-86ba-b83d0c167b00%28v=prot.10%29#id74>"
Ref: http://msdn.microsoft.com/en-us/library/cc236715%28v=PROT.10%29.aspx
So, really, the convenience of Apache2::AuthenNTLM is that it is set up
relatively easily, but it only works well on 'older' infrastructure and it
has the mentioned security implications. Although, on the other hand, if
you use SSL, and if the alternative is authentication with domain
username / password, this is not much different in reality.
Kerberos (or especially mod_auth_kerb) is in my experience a pain to set
up; also, the error messages are very tricky. I found even with the
'definitive guide' on Grolmsnet it was still tedious and difficult to
understand the different error messages. I would *HEART* it if at least
the distros would make setting up mod_auth_kerb a little easier.
BTW I found that if you're on Windows it is actually quite easy to do
Single Sign-On with Apache using mod_auth_sspi.
--
Mike
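The Microsoft text quoted above says that NTLM derives its key from the password "as specified in [RFC1320]", i.e. MD4. The block below is an added example (not code from this thread, from Microsoft, or from Apache2::AuthenNTLM) that carries that derivation through: the NT hash is an unsalted MD4 over the UTF-16LE password, and the NTLMv2 key (NTOWFv2) is an HMAC-MD5 keyed with that hash, so anyone holding the hash can compute everything the client computes without ever knowing the password. MD4 is re-implemented inline from RFC 1320 because OpenSSL 3 only ships MD4 in its legacy provider, so hashlib.new("md4") is not reliably available. The check values are the RFC 1320 test vectors for "" and "abc" and the MS-NLMP test-vector account (user "User", domain "Domain", password "Password"); the function names are this example's own.

```python
"""NTLM password-to-key derivation, worked through (added example).

NT hash (NTOWFv1) = MD4(UTF-16LE(password))                          -- RFC 1320
NTOWFv2           = HMAC-MD5(NT hash, UTF-16LE(upper(user) + domain)) -- MS-NLMP
"""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Compact MD4 per RFC 1320 (three rounds of 16 steps over 64-byte blocks)."""
    msg = bytearray(data)
    msg.append(0x80)                       # padding: 1 bit, then zeros ...
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)  # ... then bit length

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # (round function, additive constant, message-word order, shift amounts)
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        aa, bb, cc, dd = a, b, c, d
        for func, k, order, shifts in rounds:
            for step, i in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[i] + k) & MASK32, shifts[step % 4])
                a, b, c, d = d, a, b, c       # register rotation between steps
        a, b, c, d = ((a + aa) & MASK32, (b + bb) & MASK32,
                      (c + cc) & MASK32, (d + dd) & MASK32)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. No salt, no iteration count,
    so equal passwords give equal hashes and the hash is password-equivalent."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2_from_hash(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 computed from an NT hash alone. An attacker holding the hash
    (from a SAM dump, LSASS, or a sniffed exchange) can run this without the
    password: this is why pass-the-hash works against NTLM."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 as the legitimate client computes it, via the NT hash."""
    return ntowf_v2_from_hash(nt_hash(password), user, domain)


if __name__ == "__main__":
    print("MD4('')                 ", md4(b"").hex())
    print("NT hash('password')     ", nt_hash("password").hex())
    print("NTOWFv2(User@Domain)    ", ntowf_v2("Password", "User", "Domain").hex())
    # Same result from the hash only: the password itself was never needed.
    print("NTOWFv2 from hash only  ",
          ntowf_v2_from_hash(nt_hash("Password"), "User", "Domain").hex())
```

The point for the Apache discussion: even over SSL, an NTLM exchange that reaches the server is replayable by anyone who already holds the user's NT hash, and the hash itself falls to a plain dictionary run because no salt or work factor stands between the password and MD4. That is what Microsoft's "does not support any recent cryptographic methods" amounts to in practice.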