I'm going to try to summarize the discussion thus far.
NTLM auth is horribly broken, however:
1) It's currently the only auth scheme you can get SSO with
2) It does not send the password in the clear over the wire
Therefore, if you are already running a Windows domain on your
network, you might as well use NTLM auth with Squid.
However, NTLM is still horribly broken. Therefore, a properly
functioning auth scheme needs to be implemented by OS, directory
service, and browser vendors to replace NTLM.
The best candidates for this are:
1) Kerberos
2) md5-sess
Kerberos has the added benefit of already being part of both
Unix and Windows (2000 and above) - all that is missing is
browser support.
If OS and browser vendors adopted such a solution, it would readily
be added to Squid.
Henrik and Robert, thank you for a very enlightening discussion, and
I hope my summary here effectively hit the main points. However, I
(usually) know enough to know when I'm out of my depth, so I'm going
to exit this thread now, and leave further discussion to the experts.
Adam
Received on Fri Jul 11 2003 - 08:06:38 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:17:56 MST