Re: [squid-users] generic kerberos support in 2.6?

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Thu, 21 Dec 2006 01:02:14 +0100

ons 2006-12-20 klockan 07:47 -0500 skrev Brian J. Murrell:

> Hrm. Firefox seems to disagree, at least in it's implementation. Squid
> sends "Negotiate" as the authentication mechanism and Firefox responds
> with Kerberos.

The Negotiate HTTP scheme is defined by Internet RFC4559 "SPNEGO-based
Kerberos and NTLM HTTP Authentication in Microsoft Windows", which
specifies Kerberos within GSS-API as applied by SPNEGO..

Quote:

   The "Negotiate" auth-scheme calls for the use of SPNEGO GSSAPI tokens
   that the specific mechanism type specifies.

Relevant RFCs:

RFC4559 SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft
Windows (Negotiate)

RFC4178 The Simple and Protected Generic Security Service Application
Program Interface (GSS-API) Negotiation Mechanism (SPNEGO)

RFC2743 Generic Security Service Application Program Interface Version
2, Update 1. (GSS-API)

Now I am not an expert on how this translates to wire format so I leave
it to you to read and consider if what your Firefox does is sufficient
to meet the specifications or not..

Regards
Henrik

Received on Wed Dec 20 2006 - 17:02:21 MST

This archive was generated by hypermail pre-2.1.9 : Mon Jan 01 2007 - 12:00:01 MST