RE: [squid-users] Re: ntlm won't prompt




07-11-2003
Adam Aube
 

> SSO is -not- a property of NTLM. It's a property of the OS and the
> browser. It's fully possible to do SSO with basic (bad because of
> password leak issues) and Digest (quite easy, using MD5-sess).


As I acknowledged later in the message, it can be done with basic or
digest. However, only NTLM supports it currently, and then only if you're
running Windows desktops with a Samba/Windows domain server.

> The realm is specific to the proxy configuration - but within an
> enterprise it can be set yes. In fact Kerberos realms might be a good
> one to choose, if an organisation already has Kerberos deployed.


Kerberos would be a good option, because it's fairly universal - UNIX
variants have supported it for years, and Windows started supporting it
with Win2k. You would then just need browser support.

> It's not even an OS issue. It's pretty straightforward: Pick a
> directory service. Extend it with a call like the above, synchronised
> with password changes. Then, add some glue to Mozilla to use that call
> in preference to prompting the user.


Yes, it is really a directory service issue. But since most networks will
use the directory service that came with their OS, and the OS (not the
directory service) will likely handle database updates for password changes,
there will still likely be some OS issues.

>> What about wrapping basic auth in SSL?


> This is also possible, squid supports this, but no browsers do. Also, as
> the browser would get the password, it /does/ lead to password
> compromise risks that the digest approach doesn't.


With digest the browser prompts the user for the password, so it's currently
no more secure from the browser end than basic.

Adam
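
Added example, not part of the original post or of Squid's code: it contrasts what a Basic header exposes with a Digest `MD5-sess` (`qop=auth`, RFC 2617) response computed from a stored `H(user:realm:password)` alone, which is what makes prompt-free Digest sign-on possible. The user, realm, password, nonces and function names are constructed for illustration.

```python
import base64
import hashlib

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def recover_from_basic(header: str) -> tuple[str, str]:
    # Anyone who sees the header (proxy, sniffer, log) gets the cleartext password.
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password

def realm_secret(user: str, realm: str, password: str) -> str:
    # H(user:realm:password): tied to one realm, but password-equivalent inside it.
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(secret: str, nonce: str, cnonce: str, nc: str,
                    method: str, uri: str) -> str:
    # algorithm=MD5-sess, qop=auth. Assumption: the inner hash enters the
    # session key in its hex-string form.
    ha1 = md5_hex(f"{secret}:{nonce}:{cnonce}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

# Constructed sample values, not taken from the thread.
USER, REALM, PASSWORD = "alice", "EXAMPLE.COM", "correct horse"
NONCE, CNONCE, NC = "dcd98b7102dd2f0e", "0a4f113b", "00000001"

def demo() -> dict:
    secret = realm_secret(USER, REALM, PASSWORD)  # computed once, e.g. at password change
    return {
        "basic_leaks": recover_from_basic(basic_header(USER, PASSWORD)),
        # The challenge is answered from the stored hash alone, no password prompt.
        "digest": digest_response(secret, NONCE, CNONCE, NC, "GET", "http://example.com/"),
        "digest_other_nonce": digest_response(secret, "ffff0000aaaa1111", CNONCE, NC,
                                              "GET", "http://example.com/"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The stored hash still has to be protected like a credential for that realm; what Digest removes is the cleartext password from the wire and from the component answering the challenge.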