I'm going to try to summarize the discussion thus far. NTLM auth is horribly broken, however:

1) It's currently the only auth scheme you can get SSO with
2) It does not send the password in the clear over the wire

Therefore, if you are already running a Windows domain on your network, you might as well use NTLM auth with Squid.

However, NTLM is still horribly broken. Therefore, a properly functioning auth scheme needs to be implemented by OS, directory service, and browser vendors to replace NTLM. The best candidates for this are:

1) Kerberos
2) md5-sess

Kerberos has the added benefit of already being part of both Unix and Windows (2000 and above) - all that is missing is browser support. If OS and browser vendors adopted such a solution, it would readily be added to Squid.

Henrik and Robert, thank you for a very enlightening discussion, and I hope my summary here effectively hit the main points. However, I (usually) know enough to know when I'm out of my depth, so I'm going to exit this thread now, and leave further discussion to the experts.

Adam
