RE: Challenge in NTLM authenticator

From: Guido Serassio <serassio@dont-contact.us>
Date: Mon, 22 Apr 2002 22:32:04 +0200

Hi to all,

At 13.30 22/04/2002 Robert Collins wrote:

> > -----Original Message-----
> > From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> > Sent: Monday, April 22, 2002 9:09 PM
> > To: Robert Collins; Chemolli Francesco (USI); Guido Serassio
> > Cc: squid-dev@squid-cache.org
> > Subject: Re: Challenge in NTLM authenticator
> >
> >
> > On Monday 22 April 2002 10:28, Robert Collins wrote:
> >
> > > But squid may not be running on an NT Server. It will be running on an
> > > NT platform sure, but that doesn't imply Server.
> >
> > Same thing.
> >
> > > It's targeted at folk writing *both* ends of the application. We need
> > > to interoperate with MS I.E. and have no control over the client. So
> > > I'm not at all convinced that the SSPI is appropriate for anything
> > > other than challenge validation.
> >
> > So you are saying Microsoft NTLM SSP interface is not suitable for
> > generating and verifying Microsoft NTLMSSP credential exchanges?
> >
> > Note: The packet format of SSPI when using the NTLM SSP is NTLMSSP.
>
>I'm saying that the NTLM SSP -happens- to be the on the wire format. MS
>have no reason to keep it that way, and that we are better off keeping
>the two level abstraction we have, whilst still leveraging the SSPI to
>allow user authentication.
>
>Rob

My question about Challenge on NTLM authenticator comes from the comparison
of fake_auth and ntlm_auth:

The first generates its challenge with rand(), the second from the SMB
connection Encrypt Key.

So my doubt was: "Is a rand()-generated challenge adequate for a native
NT NTLM authenticator?"
Reading all your responses, the answer seems to be "Yes".

At this time I have a working SSPI-based native NT NTLM authenticator. It
runs on a Windows 2000 Professional system that is a member of an NT 4 Domain.
I still have some IPC-related program causing the Squid NTLM code to hang,
but I think these are Windows-port-related problems and I'm
working on it.

Looking at article Q264921 in the Microsoft KB, I can see something of future
work on Squid Browser Authentication: Digest and Kerberos, but for now NTLM is
a good starting point.

Regards

Guido

-
=======================================================
Serassio Guido
Via Albenga, 11/4 10134 - Torino - ITALY
E-mail: guido.serassio@serassio.it
WWW: http://www.serassio.it
Received on Mon Apr 22 2002 - 14:32:11 MDT
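
An added example, not from the thread or from Squid's helpers, of the challenge question discussed above: it fills the 8-byte challenge of a minimal NTLMSSP Type 2 message once from a seeded rand() and once from the kernel CSPRNG. The function names, the constructed Type 2 layout with an empty target name, and the use of /dev/urandom on a POSIX host are assumptions of this example.

```c
/* Added example, not Squid helper code: sources for the NTLM Type 2 challenge. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define CHALLENGE_LEN 8
#define TYPE2_MIN_LEN 32 /* signature, type, target buffer, flags, challenge */

/* rand(): output is fully determined by the seed, so a seed yields one challenge. */
void challenge_from_rand(unsigned seed, uint8_t out[CHALLENGE_LEN]) {
    srand(seed);
    for (int i = 0; i < CHALLENGE_LEN; i++)
        out[i] = (uint8_t)(rand() & 0xff);
}

/* Kernel CSPRNG; assumes a POSIX host with /dev/urandom. Returns 0 on success. */
int challenge_from_urandom(uint8_t out[CHALLENGE_LEN]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t n = fread(out, 1, CHALLENGE_LEN, f);
    fclose(f);
    return n == CHALLENGE_LEN ? 0 : -1;
}

/* Minimal constructed Type 2: empty target name, flags NEGOTIATE_OEM | NEGOTIATE_NTLM. */
void build_type2(const uint8_t chal[CHALLENGE_LEN], uint8_t msg[TYPE2_MIN_LEN]) {
    memset(msg, 0, TYPE2_MIN_LEN);
    memcpy(msg, "NTLMSSP", 8);             /* signature including trailing NUL */
    msg[8] = 2;                            /* message type, little-endian */
    msg[16] = TYPE2_MIN_LEN;               /* target name offset (length is 0) */
    msg[20] = 0x02; msg[21] = 0x02;        /* flags 0x00000202, little-endian */
    memcpy(msg + 24, chal, CHALLENGE_LEN); /* challenge occupies bytes 24..31 */
}

/* Returns 1 if the same seed reproduces a byte-identical Type 2 message. */
int rand_type2_repeats(unsigned seed) {
    uint8_t c[CHALLENGE_LEN], m1[TYPE2_MIN_LEN], m2[TYPE2_MIN_LEN];
    challenge_from_rand(seed, c); build_type2(c, m1);
    challenge_from_rand(seed, c); build_type2(c, m2);
    return memcmp(m1, m2, TYPE2_MIN_LEN) == 0;
}

/* Returns 1 if two CSPRNG draws differ, -1 if /dev/urandom could not be read. */
int urandom_draws_differ(void) {
    uint8_t a[CHALLENGE_LEN], b[CHALLENGE_LEN];
    if (challenge_from_urandom(a) || challenge_from_urandom(b)) return -1;
    return memcmp(a, b, CHALLENGE_LEN) != 0;
}

int main(void) { printf("%d %d\n", rand_type2_repeats(1u), urandom_draws_differ()); return 0; }
```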