curl-library

Re: NTLM2

From: Michele Bini <michele_at_focuseek.com>
Date: Wed, 31 May 2006 22:54:41 +0200

On 31 May 2006, at 0:40, Daniel Stenberg wrote:
> Here's a patch written by Mikael Sennerholm, that adds NTLM2
> negotiation to the NTLM code for libcurl.

Great, I'll try in our environment as soon as possible. As you know
our byzantine domain structure triggers wonderful bugs :)

> While it can be improved to produce a better challenge,

Well, I think it is necessary: without it the doors are wide open for
a dictionary attack and you use NTLM2 exactly to gain more strength
against those. I think openssl can access the system dependent random
number generator but certainly I don't know the details. Moreover it
just seems there is a trend in not making curl depend on openssl.

> I think it would be cool to get some feedback from some of you who
> actually use NTLM (or even NTLM2) about it.

Uhm, I think you are confusing NTLMv2 with NTLM2: at system-
configuration level you cannot choose to use NTLM2 or not. Instead,
client and server will negotiate and use it on their own.

Microsoft docs state that any server version of Windows since and
including NT service pack 4 does support NTLM2 and thus I think that
any reasonable server can be used to test the patch, of course as far
as it is configured to use the dreaded "windows integrated authentication".
Received on 2006-05-31
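
The point about the challenge can be made concrete. The following is an added example, not code from the patch or from libcurl: it fills the 8-byte client challenge of an NTLM2 session response from the operating system's random source and fails closed if that source is unavailable. The function and macro names are hypothetical, and it assumes a Unix-like system with /dev/urandom and the usual NTLM2 session layout, where the LM response field carries the 8-byte client challenge followed by 16 zero bytes.

```c
/* Added example (not libcurl code): OS-backed NTLM2 client challenge. */
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

#define NTLM2_NONCE_LEN   8   /* client challenge length (assumed layout) */
#define NTLM_LM_FIELD_LEN 24  /* LM response field length */

/* Fill buf with len bytes from the kernel random source.
   Returns 0 on success, -1 on any failure so the caller can refuse
   to authenticate instead of sending a guessable challenge. */
static int os_random_bytes(unsigned char *buf, size_t len)
{
  size_t got = 0;
  int fd = open("/dev/urandom", O_RDONLY);
  if(fd < 0)
    return -1;
  while(got < len) {
    ssize_t n = read(fd, buf + got, len - got);
    if(n < 0 && errno == EINTR)
      continue;              /* interrupted by a signal, retry */
    if(n <= 0) {
      close(fd);
      return -1;             /* read error or unexpected EOF */
    }
    got += (size_t)n;        /* short reads are allowed, keep going */
  }
  close(fd);
  return 0;
}

/* Build the LM response field for an NTLM2 session response:
   8 random bytes (the client challenge) followed by 16 zero bytes. */
int ntlm2_lm_field(unsigned char field[NTLM_LM_FIELD_LEN])
{
  memset(field, 0, NTLM_LM_FIELD_LEN);
  if(os_random_bytes(field, NTLM2_NONCE_LEN) != 0) {
    memset(field, 0, NTLM_LM_FIELD_LEN);  /* discard any partial nonce */
    return -1;
  }
  return 0;
}
```

A caller that gets -1 should abort the NTLM2 negotiation rather than fall back to rand() or a time-based value.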