RE: NTLM and proxying

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Fri, 13 Apr 2001 11:11:42 +0200

> Chemolli Francesco (USI) wrote:
>
> > If the pinning was possible, we could even act as a basic-to-NTLM
> > bridge for such cases (there was a python app announced on
> > freshmeat today that does exactly this). Or maybe we have some
> > ways to do this even now?
>
> The bridge/gateway idea sounds interesting.. would allow non-NTLM
> browsers to be used to connect to NTLM-only services.

That is the purpose in fact.

> > basic-to-NTLM bridge means:
> >
> > 1) we see a server reply with Authenticate: NTLM scheme and no
> > alternate auth methods offered.
> > 2) we strip that out, and replace that with a Basic challenge
>
> Hmm.. if you have pinning then you could just as well implement NTLM
> proxying. The more interesting approach would then be to add a Basic
> challenge, and optionally (per configuration) filter out NTLM.

Sounds good. Also because the client doesn't negotiate its auth
capabilities, it just acts upon the challenge received. Squid has
no way to know (save by matching the user-agent header against a
lengthy capabilities list) whether the client will support NTLM.
But _adding_ a basic auth header would just solve the problem :-)

> Having NTLM proxied outside the LAN is a security risk, as a carefully
> crafted NTLM challenge can reveal many details about the NTLM hash of
> the user, so I imagine some networks would like to have NTLM proxying
> disabled in all cases even if the proxy is capable of handling it.

Sure. Enabling makes no sense for the ISP, but it has some benefits
in a corporate environment.

> Perhaps we should have configuration directive to enable/disable which
> authentication methods are forwarded to the browsers, and gateways from
> Basic to NTLM and/or Digest where possible (and enabled).

Yes.

> I am a bit reluctant about having auth gatewaying/bridging enabled by
> default. Having Basic->NTLM/Digest gatewaying enabled might put the
> users at risk if they believe that a "secure" login mechanism is used
> but in fact their login information is sent in plain text between the
> browser and proxy.

Au contraire mon amis [1], it makes at least some sense in some
environments.
1) Basic auth is better than no auth.
2) A corporate network is more trustworthy than the Internet (not trusted
but still better than getting a spanking)
3) if you use NTLM you're already busted so why bother?
4) I don't agree. In case of basic authentication, the user _will_ get a
popup, and so will be at least alerted of the issue. And since
NTLM and Digest _Are_ more robust than basic (not that it takes much)
this is just a good thing.

[1] I don't know French. Does it show?

-- 
	/kinkie
Received on Fri Apr 13 2001 - 03:08:04 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:13:45 MST
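The challenge-rewriting policy the two of them converge on above (a per-configuration list of auth schemes the proxy may forward to browsers, plus "add a Basic challenge, and optionally filter out NTLM" so a non-NTLM browser still gets a login prompt), as an added example written for this page. It is not Squid code and not the python app mentioned in the thread; AuthPolicy, CORPORATE, ISP, rewrite_challenges and the sample 401 response are constructed for the example. It covers only the response-side rewrite; the Basic->NTLM exchange the proxy would then have to run toward the origin is out of scope here.

```python
"""Auth-challenge rewriting for a proxy between browsers and origins.

Added example, not Squid code. AuthPolicy, CORPORATE, ISP and the
sample 401 below are constructed for illustration.
"""
from dataclasses import dataclass

# Schemes the proxy could complete on the browser's behalf once it
# holds the user's Basic credentials (the "bridge" case in the thread).
BRIDGEABLE = {"ntlm", "digest"}


@dataclass(frozen=True)
class AuthPolicy:
    forward_schemes: frozenset       # schemes allowed to reach the browser
    bridge_to_basic: bool = False    # add a Basic challenge, bridge to NTLM/Digest
    bridge_realm: str = "proxy-bridge"


# Two constructed configurations for the two environments discussed:
# a corporate LAN that may forward NTLM, and an ISP that must not.
CORPORATE = AuthPolicy(frozenset({"basic", "digest", "ntlm", "negotiate"}), True)
ISP = AuthPolicy(frozenset({"basic", "digest"}), False)

# Constructed 401 from an origin that offers only NTLM.
NTLM_ONLY_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: example-origin\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_head(raw):
    """Split a raw response into (status_line, [(name, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def scheme_of(challenge):
    """'Basic realm="x"' -> 'basic'; 'NTLM' -> 'ntlm'.

    Assumes one challenge per header line, which is how NTLM and
    Negotiate are sent in practice; comma-joined challenges on a single
    line would need a real challenge parser.
    """
    return challenge.split(None, 1)[0].lower()


def rewrite_challenges(headers, policy, header_name="WWW-Authenticate"):
    """Filter challenge headers per policy; return (new_headers, bridging).

    bridging is True when a Basic challenge was added that the proxy must
    later turn into an NTLM or Digest exchange toward the origin.
    """
    kept, offered = [], []
    for name, value in headers:
        if name.lower() != header_name.lower():
            kept.append((name, value))
            continue
        scheme = scheme_of(value)
        offered.append(scheme)
        if scheme in policy.forward_schemes:      # drops NTLM for the ISP policy
            kept.append((name, value))
    bridging = False
    # The browser never announces what it supports, so when the origin
    # wants NTLM/Digest and offered no Basic, add one alongside whatever
    # was kept: a browser that speaks NTLM picks it, another falls back.
    if policy.bridge_to_basic and "basic" not in offered and BRIDGEABLE & set(offered):
        kept.append((header_name, 'Basic realm="%s"' % policy.bridge_realm))
        bridging = True
    return kept, bridging


def challenges(headers, header_name="WWW-Authenticate"):
    """The challenge values that would reach the browser, in order."""
    return [v for n, v in headers if n.lower() == header_name.lower()]


def rewrite_response(raw, policy):
    """Rewrite a raw 401/407; a 407 carries Proxy-Authenticate instead."""
    status, headers, body = parse_head(raw)
    name = "Proxy-Authenticate" if status.split()[1] == "407" else "WWW-Authenticate"
    new_headers, bridging = rewrite_challenges(headers, policy, name)
    text = status + "\r\n" + "".join("%s: %s\r\n" % h for h in new_headers) + "\r\n" + body
    return text, bridging


if __name__ == "__main__":
    for label, pol in (("corporate", CORPORATE), ("isp", ISP)):
        out, br = rewrite_response(NTLM_ONLY_401, pol)
        print(label, "bridging=%s" % br, challenges(parse_head(out)[1]))
```

With the ISP policy and bridging off, an NTLM-only origin ends up with no challenge at all; the caller has to decide whether to pass that 401 through unchanged (the user simply cannot log in through this proxy) or turn it into an error page, which is the "NTLM proxying disabled in all cases" outcome the thread describes.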