RE: NTLM authentication, recent logs for Robert Collins

From: Robert Collins <robert.collins@dont-contact.us>
Date: Fri, 27 Oct 2000 12:30:46 +1100

> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno@hem.passagen.se]
> Sent: Friday, 27 October 2000 11:31 AM
> To: Dr. Michael Weller
> Cc: Chemolli Francesco (USI); squid-dev@squid-cache.org
> Subject: Re: NTLM authentication, recent logs for Robert Collins
>
>
> Could it be a race where Squid is renegotiating the challenge in the
> middle of a connection? AFAICT this cannot be done in MS-NTLM..

No. It cannot be done, but squid ALWAYS requests the challenge from the
helper, and kinkie checks that the helper is *waiting* for a negotiate
request (the beginning of the handshake) before renegotiating. I've just
bought DCE/RPC over SMB which should help the development out a little
:-]

The logs show the correct behaviour from squid to the helper and back
again so there is nothing wrong in the squid binary itself.

>
> --
> Henrik Nordstrom
> Squid Hacker
>
>
> Dr. Michael Weller wrote:
> >
> > Ok, first:
> >
> > as I said with only 1 authenticator all was reported to be fine.
> > I saw some (few) failures in the log though (same type as before).
> >
> > This time up to 13 requests in a row succeeded but sometimes less. Again,
> > never the first auth request after a connect failed. After starting squid,
> > no error occurred for 60 minutes, then one error every 40 minutes (+/- 2
> > minute variation). This doesn't look too random. Ok, admitted, I had
> > raised the challenge time period, I'll now lower it to the default (even
> > below, I'll take 15 minutes). I'll see in my other logs if this could
> > allow for the errors in my previous 10 client config. However, I got the
> > errors in the default config. This was my first try. I also cannot
> > remember ever having seen a challenge refresh in the logs though. Maybe
> > this is broken?
> >
> > In the meantime, I made the attached hack to the ntlm_authenticator to
> > force a new challenge/connection every time. From a cryptographic approach
> > (my, a mathematician's, view) I think it is very odd to use the same
> > challenge for many users. From the logs it seems a challenge needs <1s and
> > should be ok IMHO (ntlm auth seems slow at the beginning anyway). Would be
> > nicer to provide the challenge before waiting for a new request though (too
> > difficult for me now). Also I fear it could expire on an idle squid.
> >
> > Works right now, but I'll have it tested under stress tomorrow.

See my previous post for info on the risks of reusing the challenge.
Regarding handling several requests concurrently - that is done in squid
in the auth_rewrite branch (which is split from ntlm). There is a change
kinkie and I need to make to the helper protocol to allow squid to
signal when it has no outstanding requests for a given helper, but at
the moment that will not affect you.

> >
> > Michael.
> > --
> >
> > Michael Weller: eowmob@exp-math.uni-essen.de, eowmob@ms.exp-math.uni-essen.de,
> > or even mat42b@spi.power.uni-essen.de. If you encounter an eowmob account on
> > any machine in the net, it's very likely it's me.
> >
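As an added illustration (not code from this thread, nor from Squid or its ntlm_auth helper) of the challenge-reuse risk Michael and Robert refer to, and of the difference between a cached challenge and a fresh one per connection: a toy model in which HMAC-SHA256 stands in for the NTLM response computation (an assumption, made so it runs offline), with a verifier that can flag a replayed (challenge, response) pair.

```python
import hashlib
import hmac
import os

def ntlm_like_response(password_hash: bytes, challenge: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the DES-based NTLMv1 response so the
    # model runs offline; the reuse/replay property it shows is the same.
    return hmac.new(password_hash, challenge, hashlib.sha256).digest()

class ChallengeSource:
    """Helper side: serve one cached challenge for reuse_for handshakes (the
    'challenge time period', counted in handshakes), fresh per connection if 1."""

    def __init__(self, reuse_for: int):
        self.reuse_for, self.current, self.served = reuse_for, None, 0

    def get_challenge(self) -> bytes:
        if self.current is None or self.served >= self.reuse_for:
            self.current, self.served = os.urandom(8), 0  # NTLM challenges are 8 bytes
        self.served += 1
        return self.current

class Verifier:
    """Checks a response against the challenge issued for this connection; with
    detect_replay it also refuses a (challenge, response) pair already accepted."""

    def __init__(self, password_hash: bytes, detect_replay: bool):
        self.pw_hash, self.detect_replay, self.accepted = password_hash, detect_replay, set()

    def verify(self, challenge: bytes, resp: bytes) -> str:
        if self.detect_replay and (challenge, resp) in self.accepted:
            return "replay"
        if not hmac.compare_digest(resp, ntlm_like_response(self.pw_hash, challenge)):
            return "bad"
        self.accepted.add((challenge, resp))
        return "ok"

def replay_outcome(reuse_for: int, detect_replay: bool) -> tuple:
    """Connection 1 authenticates; its (challenge, response) pair as seen on the
    wire is presented unchanged on connection 2. Returns both verdicts and
    whether the two connections were issued the same challenge."""
    pw_hash = hashlib.sha256(b"constructed-test-password").digest()  # constructed value
    source, verifier = ChallengeSource(reuse_for), Verifier(pw_hash, detect_replay)
    c1 = source.get_challenge()
    r1 = ntlm_like_response(pw_hash, c1)
    first = verifier.verify(c1, r1)
    c2 = source.get_challenge()       # challenge issued for the second connection
    second = verifier.verify(c2, r1)  # the captured response is presented against it
    return first, second, c1 == c2
```

With a cached challenge the old response still verifies on the next connection unless the verifier remembers accepted pairs; with a fresh challenge per connection it simply fails.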
Received on Thu Oct 26 2000 - 19:32:27 MDT
