Bug#810285: O: apache-mod-auth-ntlm-winbind

Package: wnpp
Severity: normal

I originally packaged this module as it was being used by one of my
clients in a project, but they've switched to using
libapache2-mod-auth-kerb instead, so I no longer have access to an
environment where I can test the package, which means I can't usefully
maintain it.

I've been wondering whether to request removal instead of orphaning,
as NTLM is not very secure by modern standards, as the package
description warns:

 If you're considering using this module, you should be aware that NTLM
 isn't regarded as very secure by modern standards - even Microsoft no
 longer recommends its use - and where possible, you probably want to
 use Kerberos with negotiate auth over https instead (see Debian package

AIUI negotiate auth over http (rather than https) suffers from
connection hijack issues, but I don't know how it compares in overall
security terms with NTLM if you aren't able to use https.  So I'm going
to just orphan for now.

