[Typo3-dev] S: Sponsoring Windows authentification in TYPO3

Peter Russ peter.russ at 4dfx.de
Tue Aug 31 11:11:13 CEST 2004


But what about Adam, the smart developer, who programs the application 
to check each time whether the requesting IP matches the initiating one?
So Bert might masquerade but would never get an answer.

Regs Peter.


Robert Fink wrote:
> Hi!
> 
> 
>>>What do you mean by "makes the NTLM auth with the client"? The webserver
>>>does authentication against the browser (client)? Duh?
>>
>>sorry, sounds strange. In fact the extension sends the browser some headers
>>which force the browser to send back all needed information. (Un)fortunately
>>the password is encrypted (NT/LM) and I haven't figured out how to
>>decrypt ;-). So today the extension just gets the Windows logged-in username
>>and checks if it exists in fe_users.
>>There are several options to make an auth with the password, as I mentioned in
>>one of my last postings.
> 
> 
> So this extension does _not_ provide _any_ authentication.
> NTLM and/or Kerberos authentication must use the authentication server 
> (ADS for example).
> 
> Imagine this: the network user Bert uses his personal network sniffer to catch 
> the "authentication" packet sent by Annelore's browser. He can obviously 
> easily pretend to be any trusted user he wants to be. If Bert is intelligent 
> he doesn't even have to catch Annelore's packet, because he knows how to create 
> those encrypted packets.
> 
>   robert.
> 