NE_AUTH_NEGOTIATE only for https?
Joe Orton
joe at manyfish.co.uk
Fri Mar 13 17:44:29 EDT 2009
On Fri, Mar 13, 2009 at 02:28:44PM +0100, Kai Sommerfeld wrote:
> Can somebody explain the reasons for adding NEGOTIATE only for https
> (and proxy auth), but not http?

If you use Negotiate without SSL, any MITM can assume the Kerberos
credentials after the initial GSSAPI exchange. I would disable it by
default for proxy auth too if there was any alternative, but there's not
(you can't use SSL to the proxy).

You can override the default policy by using ne_add_*_auth() instead of
ne_set_*_auth.

Regards, Joe