Re: NTLMSSP and Squid

From: Andrew Bartlett <abartlet@dont-contact.us>
Date: 11 May 2003 21:09:13 +1000

On Sun, 2003-05-11 at 17:56, Henrik Nordstrom wrote:
> On 11 May 2003, Andrew Bartlett wrote:
>
> > > Overlapping requests solves the resource problem of stateful helpers.
> >
> > There is already a proposal to add a 'connection number' state system
> > into Samba's ntlm_auth. I.e., if the stdio line starts with an integer,
> > then that is the context to be looked up inside ntlm_auth's internal
> > list of outstanding challenges.
>
> This is what is referred to as "overlapping requests" in this
> discussion, so we are in sync here.

Great!

> > > For security reasons it is important the challenges are unique on each
> > > request, and if possible it should also be verified that the server
> > > chosen challenge does not produce unsuitable hashing material for
> > > NTLM/LM, but this is by far not as important.
> >
> > There is a performance issue here - challenge re-use can give
> > significant performance gains. However, recent advances in how winbind
> > operates in Samba have allowed the DC communication part to be reduced to
> > just 2 packets.
> >
> > Challenge re-use can be done safely - we just need to ensure that the
> > challenge is only sent to a 'compatible' client. This should be a
> > client with the same IP, and who sent the same negotiate packet
> > (compared base64 encoded inside squid).
>
> I would prefer to do such challenge reuse in the helper to start with.

Yes, I think this is a better idea. The helper knows if it can (Samba's
ntlm_auth via winbind) or can't (the SSPI helper on WinNT) support this,
so it's in the best position to deal with this.

> And as you note the value of challenge reuse when supporting NTLMv2 is
> nil due to the permutation of the response by the client challenge.
>
> There is also a replay attack issue if challenge reuse is enabled.

Yes - I screamed when I first heard of the idea :-)

Andrew,

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
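The two points the thread makes about helper state (one outstanding challenge per connection context so requests can overlap, and a fresh challenge on every request so a captured response cannot be replayed) can be shown with a small model. The code below is an added illustration, not code from Squid, Samba or either author; the helper class, the `make_response` function and the user table are all constructed here, and `make_response` is an HMAC stand-in for the real NTLM response computation, chosen only because it has the one property that matters for this argument, that a response is bound to a specific challenge.

```python
import hashlib
import hmac
import secrets


def make_response(password: str, challenge: bytes) -> bytes:
    """Constructed stand-in for the NTLM response function.

    Real NTLM derives the response from the NT hash and the 8-byte server
    challenge (NTLMv2 also folds in a client challenge); an HMAC over the same
    inputs reproduces the property that matters here, namely that a response is
    bound to one specific challenge, without implementing the real algorithm.
    """
    nt_hash_standin = hashlib.sha256(password.encode("utf-8")).digest()
    return hmac.new(nt_hash_standin, challenge, hashlib.sha256).digest()


class ChallengeHelper:
    """Toy model of an NTLM auth helper with 'overlapping requests'.

    Each request is keyed by a connection context number, as in the ntlm_auth
    proposal in the thread, and the helper keeps one outstanding challenge per
    context. With reuse_challenges=False every context gets a fresh random
    challenge; with reuse_challenges=True the helper hands the same challenge
    to every context, which is the situation the thread warns about.
    """

    def __init__(self, passwords: dict, reuse_challenges: bool = False):
        self.passwords = passwords            # constructed user database
        self.reuse_challenges = reuse_challenges
        self.shared_challenge = secrets.token_bytes(8)
        self.outstanding = {}                 # context number -> challenge

    def challenge(self, ctx: int) -> bytes:
        challenge = self.shared_challenge if self.reuse_challenges else secrets.token_bytes(8)
        self.outstanding[ctx] = challenge
        return challenge

    def authenticate(self, ctx: int, user: str, response: bytes) -> bool:
        # A challenge is consumed when answered, so a context with no
        # outstanding challenge (or an unknown user) is rejected outright.
        challenge = self.outstanding.pop(ctx, None)
        if challenge is None or user not in self.passwords:
            return False
        expected = make_response(self.passwords[user], challenge)
        return hmac.compare_digest(expected, response)


USERS = {"alice": "correct horse battery staple"}  # constructed test data


def interleaved_logins_work(reuse_challenges: bool) -> bool:
    """Two clients whose requests overlap on contexts 1 and 2 both authenticate."""
    helper = ChallengeHelper(USERS, reuse_challenges)
    c1 = helper.challenge(1)
    c2 = helper.challenge(2)
    # Context 2 answers before context 1: the per-context table keeps them apart.
    ok2 = helper.authenticate(2, "alice", make_response(USERS["alice"], c2))
    ok1 = helper.authenticate(1, "alice", make_response(USERS["alice"], c1))
    return ok1 and ok2


def captured_response_replays(reuse_challenges: bool) -> bool:
    """Does a response observed on one connection authenticate a later one?"""
    helper = ChallengeHelper(USERS, reuse_challenges)
    # Legitimate exchange on context 1; 'captured' is what a passive observer
    # of the proxy connection would see.
    c1 = helper.challenge(1)
    captured = make_response(USERS["alice"], c1)
    assert helper.authenticate(1, "alice", captured)
    # Later, a different connection on context 7 presents the old response.
    # It only matches if the helper handed out the same challenge again.
    helper.challenge(7)
    return helper.authenticate(7, "alice", captured)
```

With `reuse_challenges=False`, `captured_response_replays` returns `False` because context 7 received a challenge the captured response was never computed over; with `reuse_challenges=True` it returns `True`, which is the replay issue Henrik raises. The overlapping-request bookkeeping works either way, so uniqueness of challenges and per-context state are independent decisions, and the model reflects the thread's conclusion that any reuse policy belongs inside the helper, where it knows whether its backend can support it.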

Received on Sun May 11 2003 - 05:09:36 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:19:54 MST