[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Kerberos support in standard services

To: sxw@dcs.ed.ac.uk
Subject: Re: Kerberos support in standard services
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 07 Jul 2005 20:34:04 +1000
Cc: Brian May <bam@snoopy.apana.org.au>, heimdal-discuss@sics.se
In-Reply-To: <Pine.LNX.4.44.0507070107040.31647-100000@hadrian.inf.ed.ac.uk>
References: <Pine.LNX.4.44.0507070107040.31647-100000@hadrian.inf.ed.ac.uk>
Sender: owner-heimdal-discuss@sics.se

On Thu, 2005-07-07 at 01:16 +0100, sxw@dcs.ed.ac.uk wrote:

> > Also SASL would be better... What is the current
> > status of this module. Does it still exist?
> 
> I don't think you could do general-purpose SASL over HTTP, as it requires 
> multiple 'rounds' from the underlying transport. HTTP, being stateless, 
> just gives you one shot.

The hack that Microsoft did for this was to tie the authentication to
the TCP socket, and require that it be kept open.  They used this for
NTLMSSP, as well as for SPNEGO (which may choose NTLMSSP or Kerberos).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

This is a digitally signed message part

References:
- Re: Kerberos support in standard services
  - From: sxw@dcs.ed.ac.uk

Prev by Date: Re: Kerberos support in standard services
Next by Date: Re: Kerberos support in standard services
Prev by thread: Re: Kerberos support in standard services
Next by thread: Re: Kerberos support in standard services
Index(es):
- Date
- Thread