PATCH - improvement for Negotiate authentication

Dawit A. adawit at kde.org
Fri Sep 24 13:47:56 BST 2004


On Friday 24 September 2004 06:01, Waldo Bastian wrote:
> On Friday 24 September 2004 01:29, Dawit A. wrote:
> > On Thursday 23 September 2004 14:31, Karsten Künne wrote:
> > > Regarding HTTP authentication we should have all the bases covered now.
> > > A couple things still remain. First, should the order in which kio_http
> > > tries authentication methods be configurable? It's currently hardcoded
> > > with "NTLM" trumps "Negotiate" which is preferred over "Digest" which
> > > is preferred over "Basic". But bothering the user with that stuff might
> > > not be a good idea on the other hand because most users probably don't
> > > know what this is all about and the current order works well in almost
> > > all cases.
> >
> > IMHO nothing should trump "Digest" if multiple authentication schemes are
> > returned by the server. However, if a server sends "Negotiate" and we
> > support that mechanism, then we should negotiate with it and use whatever
> > it suggests. In the absence of "Negotiate" the order of preference should
> > IMHO be kept "Digest", "NTLM" and finally "Basic".
>
> Do I understand correctly that both NTLM and Negotiate allow passwordless
> authentication (Or does NTLM still require the user to enter a password)?
> If they are passwordless they should be preferred over Digest.

It depends entirely on implementation. For our case, i.e. stock KDE, the 
answer I think is NO. I say that simply because AFAIK we do not provide 
single sign-on service by default in our desktop. In Windows, you might/might 
not be prompted for password based on your browser's setup.[1] As such my 
previous statement was based on the fact that there is no single sign-on 
service in KDE. In that case the strongest authentication scheme should be 
preferred. Digest is stronger than NTLM. [2] However, I am not sure if it 
should be picked over Negotiate. If the server responds


> In that case the remaining issue is whether NTLM or Negotiate should be
> preferred when both are offered. I guess this depends on which one tends to
> work better.

AFAIC we should prefer Negotiate over NTLM if we support it. 

[1] http://tinyurl.com/3wek7
[2] See http://www.innovation.ch/java/ntlm.html#resources

-- 
Regards,
Dawit A.
"Preach what you practice, practice what you preach"
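
Added example (not part of the original message and not kio_http code): a small Python sketch that selects a scheme from WWW-Authenticate challenges under the two orderings discussed in this thread. The function names, the sample headers and the "client without Negotiate support" set are assumptions made for illustration.

```python
import re

# Orderings taken from the thread, most preferred first.
HARDCODED_ORDER = ["ntlm", "negotiate", "digest", "basic"]  # described as the current order
PROPOSED_ORDER = ["negotiate", "digest", "ntlm", "basic"]   # Negotiate if supported, else Digest, NTLM, Basic

# Split on commas that are not inside a quoted string.
_COMMA = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


def offered_schemes(www_authenticate_headers):
    """Return the lower-cased scheme names found in WWW-Authenticate values.

    One header may carry several challenges separated by commas, and the
    parameters of a challenge are comma-separated too. A part starts a new
    challenge when its first word contains no '=' (assumes parameters are
    written without whitespace before the '=').
    """
    schemes = []
    for value in www_authenticate_headers:
        for part in _COMMA.split(value):
            words = part.split()
            if words and "=" not in words[0]:
                name = words[0].lower()
                if name not in schemes:
                    schemes.append(name)
    return schemes


def choose_scheme(headers, order, supported):
    """Pick the first scheme in `order` that the server offered and the
    client can actually perform; None when there is no overlap."""
    offered = offered_schemes(headers)
    for scheme in order:
        if scheme in offered and scheme in supported:
            return scheme
    return None


# Constructed sample response headers, not captured from a real server.
SAMPLE = [
    "Negotiate",
    "NTLM",
    'Digest realm="intranet, east", nonce="abc123", qop="auth", Basic realm="intranet, east"',
]
ALL = {"ntlm", "negotiate", "digest", "basic"}
NO_NEGOTIATE = ALL - {"negotiate"}  # hypothetical client built without Negotiate support

if __name__ == "__main__":
    for label, order in (("hardcoded", HARDCODED_ORDER), ("proposed", PROPOSED_ORDER)):
        print(label, choose_scheme(SAMPLE, order, ALL), choose_scheme(SAMPLE, order, NO_NEGOTIATE))
```

Filtering by the supported set before applying the order is what keeps a client without Negotiate support from stalling on a scheme it cannot complete; it falls through to Digest under the proposed order.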



