RE: lynx-dev NTLM authentication question


From: Kaushik Pushpavanam
Subject: RE: lynx-dev NTLM authentication question
Date: Thu, 17 Sep 1998 11:59:45 -0700

Hi --

Thanks for the detailed reply. I have decent C programming skills - ported
an old version of sendmail to Tandem. I am going to try both approaches -
making lynx work with NTLM and also trying to get them to get down from NTLM
to basic auth. If I have code related problems - whom should I talk to?

About my employer complaining about me using lynx. No way! I don't know what
the image outside of the environment is - but it is pretty open and no
one forces me to use any particular software. I love lynx - it is fast and
gets the job done. I actually work in IE Unix project and use a GUI browser
when I need to and a text based one when I need to. For writing automated
programs - lynx is really cool - works well with perl (like wget and all
that).

Keep up the cool work!

-- Kaushik

-----Original Message-----
From: David Woolley [mailto:address@hidden]
Sent: Wednesday, September 16, 1998 12:13 AM
To: address@hidden
Cc: Kaushik Pushpavanam
Subject: Re: lynx-dev NTLM authentication question


> Does lynx support NTLM (NT Lan Manager) Authentication? I love lynx and use
> it quite a bit and it would be cool if lynx did support NTLM authentication.

No.  NTLM is a proprietary protocol from Microsoft, although there are
freeware implementations of the same cryptographic procedures in the SAMBA
package.  I don't know if there is any public documentation of the protocol
as used over HTTP.  Encryption used for authentication is exportable from
the USA and I don't believe there are patent royalty issues in this area,
but you should not take my word for that.

NTLM should only be a problem on intranets or for local users calling in
over the internet.  The server can be configured to support basic
authentication and except through ignorance, or a belief that no-one
would use anything except current generation Microsoft software++, this
should be done for any pages made available to the public.  (Running
basic authentication over SSL is more portable and probably more
secure, although you need to refer to the Lynx web site for the issues
on SSL and Lynx.  Running SSL authentication for both client and server
is even better, but has administrative problems - I don't think any
Lynx SSL solutions support this.)

Because of its essential limitation to closed systems, there is probably
not much demand for the feature from the people likely to implement it;
how are your C programming skills?

As I remember it, the cryptographic side of the protocol is that the user's
password is scrambled with one algorithm then combined with a random number
sent from the server and scrambled again with another algorithm before
being transmitted.  The server side only stores the result of the first
scrambling.  Basic authentication needs clear text to be transmitted (but
this is reversibly encrypted on an SSL connection).  Simple challenge
response systems require clear text to be stored.  The claim for the NT
system is that clear text is neither stored nor transmitted.  However,
for a slightly modified client, the scrambled password is just as good
as the original, even though you can't discover the original, so it is
not really that much more secure against compromises of the password file
on the server.

++ Just seen your email address - yes your employer probably doesn't
expect you to use anything but current generation Microsoft software!
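
The scheme outlined in the quoted reply (scramble the password, combine with the server's random number, scramble again), as an added example that is not part of either message. SHA-256 and HMAC-SHA-256 stand in for the two scrambling algorithms as an assumption (real NTLM uses different primitives), and every name and the sample account are constructed.

```python
import hashlib
import hmac
import os

# Assumption: SHA-256 and HMAC-SHA-256 stand in for the two scrambling
# algorithms; real NTLM uses different primitives. All names are hypothetical.

def first_scramble(password: str) -> bytes:
    """What the server keeps in its password file."""
    return hashlib.sha256(password.encode("utf-8")).digest()

def second_scramble(stored: bytes, challenge: bytes) -> bytes:
    """Combine the stored value with the server's random number."""
    return hmac.new(stored, challenge, hashlib.sha256).digest()

class Server:
    def __init__(self) -> None:
        self.password_file = {}  # user -> first_scramble output, never clear text

    def enroll(self, user: str, password: str) -> None:
        self.password_file[user] = first_scramble(password)

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        expected = second_scramble(self.password_file[user], challenge)
        return hmac.compare_digest(expected, response)

def client_response(password: str, challenge: bytes) -> bytes:
    """Normal client: knows the password, sends only the final value."""
    return second_scramble(first_scramble(password), challenge)

def demo() -> dict:
    server = Server()
    server.enroll("alice", "correct horse")  # constructed sample account
    c1, c2 = server.challenge(), server.challenge()
    on_wire = client_response("correct horse", c1)
    # A copy of the password-file entry, e.g. from a compromised server.
    file_entry = server.password_file["alice"]
    return {
        "normal_login": server.verify("alice", c1, on_wire),
        # An observed response is useless against a fresh challenge.
        "replayed_response": server.verify("alice", c2, on_wire),
        # The file entry alone answers any challenge: it is password-equivalent.
        "file_entry_only": server.verify("alice", c2, second_scramble(file_entry, c2)),
        "clear_text_stored": b"correct horse" in file_entry,
    }

if __name__ == "__main__":
    print(demo())
```

The `file_entry_only` result is why a password file for such a scheme needs the same protection as one holding clear text.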
