Needing state in NTLMSSP

From: Andrew Bartlett <abartlet@dont-contact.us>
Date: 16 Jan 2003 14:42:01 +1100

I've been working on getting Samba's NTLMSSP functionality exported to
the world, with the aim of producing a 'standard' implementation of
NTLMSSP that multiple projects (squid and apache) can call on.

This has gone quite well so far, and I've extracted the code into
libsmb/ntlmssp.c, and written almost all the extra code for 'ntlm_auth'
- the squid helper interface to this. See current Samba HEAD for my
progress so far.

However, squid makes all sorts of nasty little assumptions about how
NTLMSSP operates - in particular it attempts to make NTLMSSP almost
stateless. It most certainly is not... While most implementations
'cope' with the current code, I'm trying to get this done right. (And
therefore get NTLMv2 and Unicode working in particular).

My first problem is that Squid doesn't pass the 'negotiate' packet to
the helper at all! I'm currently testing a nasty little hack that will
pass this along, but we also need to look at how the helpers are
structured in general - we really do need one helper per client - say
key it on the IP (to allow limited challenge reuse) and the contents of
the negotiate packet.

With NTLMv2, and LMv2 the client introduces its own 'client challenge',
so this caching goes away pretty quickly anyway. And with Winbind
doing the auth end of the transaction, the expensive bit is now the
'verify', not getting the challenge in the first place.

I am worried about the effectively one-helper-per-client side of this -
it could be addressed by having the helper keep multiple states.
(Because we don't need to request the challenge, or keep a socket open,
it's relatively sane)

So, what do people think? It looks awfully like the 'v2' helper
protocol, but I really do think it's a worthwhile move forward.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

Received on Wed Jan 15 2003 - 20:38:38 MST
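The state the post is arguing about, as an added example that is not Samba's libsmb/ntlmssp.c, ntlm_auth, or any Squid code: a single helper that keeps many client conversations keyed on (client IP, NEGOTIATE bytes), creates the server challenge only after seeing NEGOTIATE, and verifies an NTLMv2 response against the stored challenge. The response construction follows MS-NLMP (NTOWFv2 and the NTProofStr blob); the account table standing in for winbind, the client IPs, the minimal type-1 message and the AV_PAIR target info are constructed for the example. A pure-Python MD4 is included because hashlib's md4 is disabled in many OpenSSL 3 builds.

```python
# Toy stateful NTLMSSP helper (added example, not Samba, ntlm_auth or Squid code).
import hashlib
import hmac
import os
import struct
import time

_M = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); used only for the NT hash of the password."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & _M
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    k3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            r, j = divmod(i, 16)
            if r == 0:
                fn, k, s, add = f(b, c, d), j, (3, 7, 11, 19)[j % 4], 0
            elif r == 1:
                fn, k, s, add = g(b, c, d), (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:
                fn, k, s, add = h(b, c, d), k3[j], (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            a, b, c, d = d, rot((a + fn + x[k] + add) & _M, s), b, c
        a, b, c, d = (a + aa) & _M, (b + bb) & _M, (c + cc) & _M, (d + dd) & _M
    return struct.pack("<4I", a, b, c, d)


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed with MD4(UTF-16LE(password))."""
    nt_hash = md4(password.encode("utf-16-le"))
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_responses(key, server_challenge, client_challenge, timestamp, target_info):
    """(NtChallengeResponse, LmChallengeResponse). The 8-byte client challenge is what
    makes every response unique even when the server challenge is reused."""
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    lm_proof = hmac.new(key, server_challenge + client_challenge, hashlib.md5).digest()
    return nt_proof + blob, lm_proof + client_challenge


class StatefulHelper:
    """One helper process holding many conversations instead of one helper per client."""

    def __init__(self, accounts):
        self.accounts = accounts    # {(user, domain): password}; stands in for winbind
        self.conversations = {}     # (client_ip, NEGOTIATE bytes) -> server challenge

    def on_negotiate(self, client_ip: str, negotiate: bytes) -> bytes:
        """The helper has to see NEGOTIATE: it is the key and it carries the flags."""
        if not negotiate.startswith(b"NTLMSSP\x00\x01\x00\x00\x00"):
            raise ValueError("not an NTLMSSP NEGOTIATE (type 1) message")
        challenge = os.urandom(8)
        self.conversations[(client_ip, negotiate)] = challenge
        return challenge

    def on_authenticate(self, client_ip, negotiate, user, domain, nt_response) -> bool:
        """Single-use state: the stored challenge is consumed whether verify succeeds or not."""
        server_challenge = self.conversations.pop((client_ip, negotiate), None)
        if server_challenge is None or len(nt_response) < 16:
            return False                        # no state: NEGOTIATE was never seen
        password = self.accounts.get((user, domain))
        if password is None:
            return False
        key = ntowf_v2(password, user, domain)
        expected = hmac.new(key, server_challenge + nt_response[16:], hashlib.md5).digest()
        return hmac.compare_digest(expected, nt_response[:16])


def demo() -> dict:
    """Full exchange plus the failure cases; constructed data, returns the outcomes."""
    helper = StatefulHelper({("alice", "EXAMPLE"): "correct horse"})
    negotiate = b"NTLMSSP\x00" + struct.pack("<II", 1, 0x00000201)   # type 1, UNICODE|NTLM
    # AV_PAIRs: MsvAvNbDomainName "EXAMPLE" then MsvAvEOL; Windows FILETIME timestamp.
    target_info = b"\x02\x00\x0e\x00" + "EXAMPLE".encode("utf-16-le") + b"\x00" * 4
    ts = (int(time.time()) + 11644473600) * 10_000_000
    key = ntowf_v2("correct horse", "alice", "EXAMPLE")
    ip = "192.0.2.10"
    sc = helper.on_negotiate(ip, negotiate)
    nt1, _ = ntlmv2_responses(key, sc, os.urandom(8), ts, target_info)
    nt2, _ = ntlmv2_responses(key, sc, os.urandom(8), ts, target_info)
    bad_key = ntowf_v2("wrong", "alice", "EXAMPLE")
    return {
        "responses_differ_for_same_server_challenge": nt1 != nt2,
        "good_auth": helper.on_authenticate(ip, negotiate, "alice", "EXAMPLE", nt1),
        "replay_after_state_consumed": helper.on_authenticate(ip, negotiate, "alice", "EXAMPLE", nt1),
        "auth_without_negotiate": helper.on_authenticate("198.51.100.7", negotiate, "alice", "EXAMPLE", nt2),
        "wrong_password": helper.on_authenticate(
            ip, negotiate, "alice", "EXAMPLE",
            ntlmv2_responses(bad_key, helper.on_negotiate(ip, negotiate), os.urandom(8), ts, target_info)[0]),
    }
```

The conversation table is what a stateless helper cannot have: without the NEGOTIATE message there is no key to store the challenge under, and without the stored challenge there is nothing to feed the HMAC in the verify step. The two responses built from the same server challenge differ because of the client challenge, which is why caching challenges per IP buys little once NTLMv2 is in play.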
