On 11/1/2010 3:12 AM, LEVAI Daniel wrote:
I noticed these messages in my logs. It seems that the user checked the "encrypted password" in her Outlook or something, and wants NTLM auth. I'm storing all the passwords as SSHA256, and when the user tries to auth, this happens:
Basically, if the client doesn't send cleartext and uses a different encryption than the server, you must have the cleartext available on the server side so you can encrypt it for comparison when a user authenticates. Unless you want to use Microsoft's encryption or store cleartext passwords in your database, NTLM will not be an option for you. Cleartext tends to be a very bad idea, and most people who heavily use UNIX or Linux are fundamentally opposed to using something proprietary to Microsoft unless left with no other choice.
If they chose NTLM because they are concerned about security, nothing beats TLS and/or SSL with a certificate issued by a trusted authority.
Shawn
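Added illustration of the point Shawn makes (example code written for this thread, not from the list or from any mail server's source): a salted SSHA256 entry is enough to verify a PLAIN login, but a challenge-response mechanism needs the secret itself, so a hash-only store cannot decide the exchange. CRAM-MD5 (RFC 2195) stands in for NTLM here because it is the same class of mechanism and needs no proprietary pieces; the `{SSHA256}` layout assumed is the LDAP-style base64(digest || salt).

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os

SALT_LEN = 8
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes


def ssha256_hash(password: str, salt: bytes | None = None) -> str:
    """Salted SHA-256 in the LDAP-style {SSHA256} layout: base64(digest || salt)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha256(password.encode() + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode()


def verify_plain(stored: str, password: str) -> bool:
    """PLAIN/LOGIN: the client sent the cleartext, so the server re-hashes and compares."""
    if not stored.startswith("{SSHA256}"):
        raise ValueError("unexpected password scheme")
    raw = base64.b64decode(stored[len("{SSHA256}"):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha256(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5: HMAC-MD5 of the server challenge, keyed by the password."""
    return f"{username} {hmac.new(password.encode(), challenge, 'md5').hexdigest()}"


def verify_cram_md5(stored: str, username: str, challenge: bytes, response: str) -> bool | None:
    """Server side. Returns True/False when a decision is possible, None when it is not.

    Recomputing HMAC(password, challenge) needs the password itself. A {SSHA256}
    entry only lets the server test a cleartext candidate; it cannot be turned
    back into the secret, so the only honest answer is "cannot verify".
    """
    if not stored.startswith("{PLAIN}"):
        return None
    expected = cram_md5_response(username, stored[len("{PLAIN}"):], challenge)
    return hmac.compare_digest(expected.encode(), response.encode())
```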