[Typo3-dev] S: Sponsoring Windows authentification in TYPO3
Robert Fink
robert.fink at gmx.net
Tue Aug 31 10:39:34 CEST 2004
Hi!
>> What do mean by "makes the NTLM auth with the client"? The webserver
>> does authentication against the browser (client)? Duh?
> sorry, sound strange. In fact the extension sends the browser some headers
> wich forces the browser to send back all needed information. (Un)fortunatly
> the the password is crypted (NT /LM) and i haven't figured out how to
> decrypt ;-). So today the extension just gets the windows logged in username
> and checks if it exists in the fe_users.
> There are several options to make an auth with the password as I mention in
> one of the last postings
So this extension does _not_ provide _any_ authentification.
NTLM and/or Kerberos authentification must use the authentification server
(ADS for example).
Image this: The network Bert user uses his personal network sniffer to catch
the "authentification" packet sent by Annelores browser. He can obviously
easily pretend to be any trusted user he wants to be. If Bert is intelligent
he even doesn't have to catch Annelores packet because he knows how to create
those encrypted packets.
robert.
More information about the TYPO3-dev
mailing list