Re: NTLMSSP and Squid

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 11 May 2003 09:56:14 +0200 (CEST)

On 11 May 2003, Andrew Bartlett wrote:

> > Overlapping requests solves the resource problem of stateful helpers.
>
> There is already a proposal to add a 'connection number' state system
> into Samba's ntlm_auth. Ie, if the stdio line starts with an integer,
> then that is the context to be looked up inside ntlm_auth's internal
> list of outstanding challenges.

This is what is referred to as "overlapping requests" in this
discussion, so we are in sync here.

> > For security reasons it is important the challenges are unique on each
> > request, and if possible it should also be verified that the server
> > chosen challenge does not produce unsuitable hashing material for
> > NTLM/LM but this is not by far as important.
>
> There is a performance issue here - challenge re-use can give
> significant performance gains. However, recent advances in how winbind
> operates in Samba have allowed the DC communication part to be reduced to
> just 2 packets.
>
> Challenge re-use can be done safely - we just need to ensure that the
> challenge is only sent to a 'compatible' client. This should be a
> client with the same IP, and who sent the same negotiate packet
> (compared base64 encoded inside squid).

I would prefer to do such challenge reuse in the helper to start with.
And as you note the value of challenge reuse when supporting NTLMv2 is
nil due to the permutation of the response by the client challenge.

There is also a replay attack issue if challenge reuse is enabled.

Regards
Henrik
Received on Sun May 11 2003 - 02:56:23 MDT
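The two points the thread settles on, a per-connection "context" looked up by an integer prefix on the helper's stdio line, and challenges that are unique and consumed exactly once so a captured response cannot be replayed, can be sketched as helper-side state. The following is an added illustration written for this archive page; it is not code from Squid, Samba or ntlm_auth, and the line format (`"<int> <rest>"`), the class names and the 8-byte challenge size are assumptions made for the example.

```python
import os
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Matches an optional leading integer "context number" on a helper stdio line
# (assumed format for the 'connection number' proposal discussed on the list).
_LINE_RE = re.compile(r"^(\d+)\s+(.*)$")


def parse_helper_line(line: str) -> Tuple[Optional[int], str]:
    """Return (context_id, payload). context_id is None when no integer prefix."""
    m = _LINE_RE.match(line.strip())
    if m:
        return int(m.group(1)), m.group(2)
    return None, line.strip()


@dataclass
class ChallengeContext:
    challenge: bytes
    used: bool = False  # set once a response against this challenge was accepted


class ChallengeStore:
    """Outstanding server challenges keyed by context (connection) number.

    Hypothetical helper-side state: every context gets a fresh random challenge,
    challenges are never reused across contexts, and each challenge may be
    consumed at most once, so a replayed (challenge, response) pair is rejected.
    """

    def __init__(self, size: int = 8) -> None:
        self.size = size
        self.contexts: dict[int, ChallengeContext] = {}
        self.issued: set[bytes] = set()  # every challenge ever handed out

    def new_challenge(self, context_id: int) -> bytes:
        """Issue a unique random challenge for this context (replaces any old one)."""
        challenge = os.urandom(self.size)
        while challenge in self.issued:  # uniqueness on each request
            challenge = os.urandom(self.size)
        self.issued.add(challenge)
        self.contexts[context_id] = ChallengeContext(challenge)
        return challenge

    def consume(self, context_id: int, challenge: bytes) -> bool:
        """Accept a response only against the live, not-yet-used challenge of this context."""
        ctx = self.contexts.get(context_id)
        if ctx is None or ctx.challenge != challenge:
            return False  # unknown context or challenge belongs to another context
        if ctx.used:
            return False  # second use of the same challenge: treat as replay
        ctx.used = True
        return True


def replay_demo() -> Tuple[bool, bool]:
    """Constructed scenario: a first use succeeds, an identical second use does not."""
    store = ChallengeStore()
    ctx_id, _payload = parse_helper_line("3 KK <base64 blob>")  # constructed line
    challenge = store.new_challenge(ctx_id)
    first = store.consume(ctx_id, challenge)
    replayed = store.consume(ctx_id, challenge)
    return first, replayed


if __name__ == "__main__":
    print(replay_demo())  # (True, False)
```

The `issued` set is what "unique on each request" costs: a helper that caches and re-hands out a challenge for "compatible" clients would have to drop that guarantee, which is exactly why a reused challenge lets a captured response be presented again.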
