Re: NTLM authentication

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 01 Aug 2000 02:46:30 +0200

Robert Collins wrote:
>
> I thought I'd send out a general update on this (for anyone who cares :-])
> so that the squid gurus out there can tell us if we've made any horrible
> mistakes.

You seem to be fairly on track.

> Thanks for your comments Henrik (I presume you're back on deck now?)

I am back from my vacation yes, and have caught up on most interesting
email (directly addressed + squid-dev). I won't be able to catch up on
squid-users or other heavy traffic lists for some time however...

> So with the challenge generated by the NT domain controller, squid _could_
> cache the challenge and the expected response for a 'user', but that will
> cause any user that uses a machine before it times out to get a
> username/password box, which NTLM is meant to avoid. On the up side no
> external authentication is needed on the persistent connection once done.

The challenge should of course be tied to the specific WORKSTATION,USER
tuple, not only machine.

Remember the protocol:

1. Proxy advertises its capabilities
2. The client sends its identification information
3. The server (with help from domain controller) responds with a
password challenge
4. The client responds with a password response
5. The server verifies (via the domain controller) the password
response.

As far as I can tell this can be replayed just fine without any of the
issues you describe. There is however an issue when a user changes his
password.

> Henrik, the alterations in the NTLM branch I was talking about, remove the
> pump module and change the request flow. We've done our coding now though
> so, I hope the original NTLM branch was ok!

Ok, then we are speaking about the same thing. This change is a cleanup
of how Squid handles requests with request entities. The old design is
fairly broken in several ways, and was basically impossible to tweak to
do it correctly in an intelligible way. Some of the old-timers might
remember my sometimes quite lengthy objections to the "old" (current)
request processing loop and the pump module..

> We're leaving the authentication type differentiated proxy_auth code for
> later, once the core is bedded down.

Ok.

> That's about it really.. look for working NTLM authentication soon!

Great!

> Oh, regarding the NTLM and Basic header order, I've looked it up - RFC
> 2617 - and MS is breaking spec (again).

Funny isn't it ;-)

> I'm going to post something to them sometime soon and see what they say.

I think they are abandoning the NTLM authentication scheme in 2000 and
replacing it with something kerberos based. Haven't actually bothered to
investigate the details though, but they do know that NTLM HTTP
authentication is fundamentally flawed.

/Henrik
Received on Mon Jul 31 2000 - 18:48:35 MDT
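The five-step exchange and the per-(workstation, user) caching discussed in this message, as an added Python model that is not Squid's code and not from this thread. The domain controller is a dict, the response is an HMAC over the challenge standing in for the real NTLM computation, and the cache lifetime is an assumed value; the model also shows the password-change caveat Henrik raises.

```python
import hmac, hashlib, os, time

DC_PASSWORDS = {"alice": "s3cret"}  # constructed stand-in for the domain controller
AUTH_CACHE = {}                     # (workstation, user) -> (challenge, expected, stored_at)
CACHE_TTL = 300                     # assumed: seconds a cached challenge/response pair stays valid

def ntlm_response(challenge: bytes, password: str) -> bytes:
    """Stand-in for the real NTLM response computation (HMAC of the challenge)."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()

def dc_verify(user: str, challenge: bytes, response: bytes) -> bool:
    """Step 5 at the domain controller: recompute the response and compare."""
    pw = DC_PASSWORDS.get(user)
    return pw is not None and hmac.compare_digest(ntlm_response(challenge, pw), response)

def proxy_handshake(user: str, workstation: str, client_password: str):
    """Run steps 1-5 for one client connection. Returns (accepted, asked_dc)."""
    key = (workstation, user)                # the tuple the cache is keyed on
    # 1-2: proxy advertises NTLM, client identifies itself (user, workstation).
    # 3: proxy issues a challenge, reusing the cached one for this tuple if fresh.
    entry = AUTH_CACHE.get(key)
    if entry and time.monotonic() - entry[2] < CACHE_TTL:
        challenge, expected = entry[0], entry[1]
    else:
        challenge, expected = os.urandom(8), None
    # 4: the client answers with its response to the challenge.
    response = ntlm_response(challenge, client_password)
    # 5: a cached match is accepted without the DC; anything else goes to the DC.
    if expected is not None and hmac.compare_digest(expected, response):
        return True, False
    accepted = dc_verify(user, challenge, response)
    if accepted:
        AUTH_CACHE[key] = (challenge, response, time.monotonic())
    else:
        AUTH_CACHE.pop(key, None)            # drop a stale pair, e.g. after a password change
    return accepted, True
```

Until the cached pair expires or is replaced, the old password still verifies locally after a change at the DC, which is why the entries need a bounded lifetime.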
