On Saturday 10 May 2003 13.26, Robert Collins wrote:
> The stateful helper logic was only ever a workaround for helpers
> that *had* to maintain state across requests. We can keep the logic
> for reuse, but it won't be needed once we switch to passing
> everything through with no challenge reuses ever, and the negotiate
> is given to the helper.
Keeping state WILL be required somewhere.
You cannot process an AUTHENTICATE packet without knowing the
information used when generating the CHALLENGE packet.
> Yes - we store that in the ntlm request auth structure that we
> associate with the TCP connection. (We do that today). We then send
> that back to the helper along with the response.
And I strongly maintain this should not be of a concern to Squid.
Squid should not even attempt to decode or understand NTLMSSP
packets. All Squid should worry about is the connections to the
client and helper.
> IIRC: Long ago (about 6 years ?) there where chosen challenge
> attacks against the NT 4 SAM. But: yes, the usual case is for the
> challenger to choose deliberately weak challenges. So, my memory
> may be faulty.
Only the challenger can choose the challenge. This is by the nature of
challenge-response.
Ifthe challenger does a poor job in selecting challenges then there is
many opportunities to attack.
Regards
Henrik
Received on Sat May 10 2003 - 05:48:35 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:19:53 MST