
Re: lynx-dev NTLM authentication question


From: David Woolley
Subject: Re: lynx-dev NTLM authentication question
Date: Wed, 16 Sep 1998 08:12:53 +0100 (BST)

> Does lynx support NTLM (NT Lan Manager) Authentication? I love lynx and use
> it quite a bit and it would be cool if lynx did support NTLM authentication.

No.  NTLM is a proprietary protocol from Microsoft, although there are 
freeware implementations of the same cryptographic procedures in the SAMBA
package.  I don't know if there is any public documentation of the protocol
as used over HTTP.  Encryption used for authentication is exportable from
the USA and I don't believe there are patent royalty issues in this area,
but you should not take my word for that.

NTLM should only be a problem on intranets or for local users calling in
over the internet.  The server can be configured to support basic
authentication and except through ignorance, or a belief that no-one
would use anything except current generation Microsoft software++, this
should be done for any pages made available to the public.  (Running
basic authentication over SSL is more portable and probably more
secure, although you need to refer to the Lynx web site for the issues
on SSL and Lynx.  Running SSL authentication for both client and server
is even better, but has administrative problems - I don't think any
Lynx SSL solutions support this.)

Because of its essential limitation to closed systems, there is probably
not much demand for the feature from the people likely to implement it;
how are your C programming skills?

As I remember it, the cryptographic side of the protocol is that the user's
password is scrambled with one algorithm then combined with a random number
sent from the server and scrambled again with another algorithm before
being transmitted.  The server side only stores the result of the first
scrambling.  Basic authentication needs clear text to be transmitted (but
this is reversibly encrypted on an SSL connection).  Simple challenge
response systems require clear text to be stored.  The claim for the NT
system is that clear text is neither stored nor transmitted.  However,
for a slightly modified client, the scrambled password is just as good
as the original, even though you can't discover the original, so it is
not really that much more secure against compromises of the password file
on the server.

++ Just seen your email address - yes your employer probably doesn't
expect you to use anything but current generation Microsoft software!
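
The point made in the message above, that the server's stored once-scrambled password is as good as the original to a slightly modified client, as an added example that is not part of David Woolley's message and does not use NTLM's real algorithms. SHA-256 and HMAC stand in for the two scramblings; every class and function name, and the salted-hash password server used for contrast, is an assumption.

```python
import hashlib, hmac, os

def stage1(password: str) -> bytes:
    # First scrambling; the server stores only this. SHA-256 is a stand-in.
    return hashlib.sha256(password.encode()).digest()

def stage2(stored: bytes, challenge: bytes) -> bytes:
    # Second scrambling: mix the stored value with the server's random number.
    return hmac.new(stored, challenge, hashlib.sha256).digest()

class ChallengeServer:
    """Keeps stage1(password) only; clear text is neither stored nor sent."""
    def __init__(self):
        self.db, self.pending = {}, {}
    def enroll(self, user, password):
        self.db[user] = stage1(password)
    def challenge(self, user):
        self.pending[user] = os.urandom(16)
        return self.pending[user]
    def verify(self, user, response):
        nonce = self.pending.pop(user, None)  # each challenge is single-use
        if nonce is None or user not in self.db:
            return False
        return hmac.compare_digest(stage2(self.db[user], nonce), response)

class PasswordOverTlsServer:
    """Contrast (assumed design): password arrives inside an encrypted
    channel and the server keeps a salted, iterated hash of it."""
    def __init__(self):
        self.db = {}
    def enroll(self, user, password):
        salt = os.urandom(16)
        self.db[user] = (salt, self._kdf(password.encode(), salt))
    @staticmethod
    def _kdf(secret: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)
    def verify(self, user, presented: bytes):
        salt, digest = self.db.get(user, (b"", b""))
        return hmac.compare_digest(self._kdf(presented, salt), digest)

def demo():
    cr, tls = ChallengeServer(), PasswordOverTlsServer()
    cr.enroll("alice", "correct horse")   # constructed sample credentials
    tls.enroll("alice", "correct horse")
    honest = cr.verify("alice", stage2(stage1("correct horse"), cr.challenge("alice")))
    stored = cr.db["alice"]  # what a password-file compromise would expose
    from_file = cr.verify("alice", stage2(stored, cr.challenge("alice")))
    # The other server treats its own stored digest as just a wrong password.
    replayed = tls.verify("alice", tls.db["alice"][1])
    return honest, from_file, replayed
```

`demo()` shows why the stored value in the challenge-response design needs the same protection as a clear-text password file.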
