Re: NTLM and proxying

From: Robert Collins <robert.collins@dont-contact.us>
Date: Fri, 13 Apr 2001 18:26:01 +1000

----- Original Message -----
From: "Chemolli Francesco (USI)" <ChemolliF@GruppoCredit.it>
To: "'Henrik Nordstrom'" <hno@hem.passagen.se>
Cc: <squid-dev@squid-cache.org>
Sent: Friday, April 13, 2001 6:14 PM
Subject: RE: NTLM and proxying

> > Chemolli Francesco (USI) wrote:
> > >
> > > > Since we know that we cannot proxy NTLM WWW authentication,
> > > > shouldn't we
> > > > filter it out from replies?
> > >
> > > I don't know. I think I'd prefer to manage it sometime in
> > the future,
> > > and it can be done (only) by "pinning" a downstream (aka client)
> > > connection to an upstream (aka server) connection.
> >
> > Sure it can be done, but until then?
>
>
> We could strip the Authenticate: NTLM from the reply.
> But if there is no alternate authentication scheme offered
> (as can be the case with braindamaged IIS) we need to offer an
> ad-hoc error page, otherwise we'd have broken the auth protocol.
> If the pinning was possible, we could even act as a basic-to-NTLM
> bridge for such cases (there was a python app announced on
> freshmeat today that does exactly this). Or maybe we have some
> ways to do this even now?

We don't need to replace the page: IIS includes a full text description
of the need to authenticate. That page will be shown instead. And we can
hardly break NTLM, can we? We'd need to fix it first :].

> basic-to-NTLM bridge means:
>
> 1) we see a server reply with Authenticate: NTLM scheme and no
> alternate auth methods offered.
> 2) we strip that out, and replace that with a Basic challenge
> 3) user supplies us the username, domain and password
> 4) we complete the NTLM negotiation with the server
> 5) we handle the client-server association as authenticated
> 6) continue as usual, stripping away Authenticate: headers
> from client's requests (with NTLM, once the _connection_ is
> authenticated no further auth takes place)
>
> Ideas? Comments?

Whoa. Bad karma security-wise, unless we have some way to pin the
upstream request to the downstream username. Personally, I'd rather fail
immediately, and hasten the demise of NTLM-only secured web servers.
After all, if the site hosters want security, they can run NTLM over SSL
very easily.

Rob

> --
> /kinkie
>
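The pinning point Robert raises, as an added illustration that is not part of this thread or of Squid's code: NTLM authenticates the upstream TCP connection rather than each request, so a proxy that hands an already-authenticated upstream socket to a different downstream client lets that client ride on the first client's identity. The model below (names and the `pinned` switch are constructed for illustration) contrasts an unpinned connection pool with one where each upstream socket is bound to the downstream connection that authenticated it.

```python
"""Model of why an NTLM-authenticated upstream connection must be pinned.

Constructed example, not Squid code. An upstream socket carries the identity
that completed the NTLM handshake on it; `pinned` selects between sharing
such sockets across clients (unsafe) and binding each one to a single
downstream connection (the behaviour the thread calls "pinning").
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class UpstreamConn:
    conn_id: int
    authenticated_as: Optional[str] = None  # identity NTLM bound to this socket
    pinned_to: Optional[int] = None         # downstream connection id, if pinned


@dataclass
class Proxy:
    pinned: bool
    pool: List[UpstreamConn] = field(default_factory=list)
    next_id: int = 0

    def _open(self, client_id: int) -> UpstreamConn:
        conn = UpstreamConn(self.next_id, pinned_to=client_id if self.pinned else None)
        self.next_id += 1
        self.pool.append(conn)
        return conn

    def upstream_for(self, client_id: int) -> UpstreamConn:
        """Choose the upstream socket used for a downstream connection's request."""
        for conn in self.pool:
            # Unpinned: any idle socket is reused, whoever authenticated it.
            # Pinned: only the socket bound to this very downstream connection.
            if not self.pinned or conn.pinned_to == client_id:
                return conn
        return self._open(client_id)

    def ntlm_complete(self, client_id: int, user: str) -> None:
        """Origin server accepted the NTLM handshake run over this client's socket."""
        self.upstream_for(client_id).authenticated_as = user

    def forward(self, client_id: int) -> Optional[str]:
        """Identity the origin attributes to this client's request; None means the
        request goes out unauthenticated and the origin will re-challenge (401)."""
        return self.upstream_for(client_id).authenticated_as


if __name__ == "__main__":
    shared, pinned = Proxy(pinned=False), Proxy(pinned=True)
    for p in (shared, pinned):
        p.ntlm_complete(client_id=1, user="alice")
    print("unpinned, client 2 seen as:", shared.forward(2))  # alice: identity leak
    print("pinned,   client 2 seen as:", pinned.forward(2))  # None: fails, re-challenge
```

Run as a script to see the two outcomes side by side; with the pinned pool the second client never inherits the first client's NTLM session.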
Received on Fri Apr 13 2001 - 02:26:26 MDT
