Tiny patch concerning SPNEGO and RFC4178
Andrew Bartlett
abartlet at samba.org
Fri Dec 3 15:40:26 MST 2010
On Fri, 2010-12-03 at 14:10 -0500, Goldberg, Neil R. wrote:
> The attached patch against the 3.5.x series changes the way smbd hints the client during the negotiation phase with a configuration flag.
The problem I have with this patch is that the previous behaviour was
against the relevant RFC, but we followed the Microsoft behaviour.
Even more of a problem is that there are clients, including our own,
which used this value, as it does present opportunities for
man-in-the-middle attacks.
Now that Microsoft has moved to follow the updated RFC in this area, I
strongly prefer that we continue to follow suit. This particular
feature (sending a target principal) should never have been implemented,
and it should not be revived.
We also need to stop our client tools and libraries using these values,
but that's a separate matter.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101204/2e5b5f7d/attachment.pgp>
More information about the samba-technical
mailing list