Re: Squid NTLMSSP helpers

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 11 May 2003 13:26:32 +0200 (CEST)

On 11 May 2003, Andrew Bartlett wrote:

> The way I figure it is that it's easier for Samba to track a relatively
> simple, documented, stdio interface, than it would be for Squid to track
> Samba's guts :-).

It is, and until we don't need to track Samba's guts any more the helper
belongs in Samba :-)

> I figure if you can manage to give me a heads-up before you change the
> squid->helper protocol, we should be able to keep current Samba releases
> working with current Squid releases without particular pain.

Yes, I believe so.

The first change we are going to do is the overlapping requests change,
allowing the helper to maintain multiple challenges. This will use the
exact same protocol as today but prefixed with an integer. This is
scheduled to happen within the next few weeks (before the end of the
month).

Second (for Squid-3.1), the protocol should be extended with

a) Supplying the NEGOTIATE packet (we might do this in 3.0 if challenge
reuse is disabled... thinking of it we probably should)

b) Having the helper return the user credentials on successful
authentication, saving Squid from looking into the guts of the NTLMSSP
packets.

And as part of this the protocol may be restructured slightly to better
reflect the fact that Squid no longer knows the details of
NTLMSSP blobs and only tracks the connection state. I.e. something like:

1. New NTLMSSP session request, preferably including a NEGOTIATE packet

2. NTLMSSP exchanges, Squid waiting for helper to indicate
success/failure.

3. Helper returns a terminal success/failure status, including ASCII user
credentials where applicable and a suitable error message on failures.

4. Squid may at any point request to have the NTLMSSP session aborted,
usually due to the client aborting his connection.

Details of such a protocol are not yet specified. If you have a suggestion,
this may well be selected.

Note: It should be possible to use the same Squid helper protocol for
SPNEGO authentication, which in terms of HTTP is very similar to NTLM(SSP)
but may involve additional exchanges.

Regards
Henrik
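As an added illustration (not code from this mail, from Squid or from Samba), a small Python model of the helper side of the channel-prefixed protocol sketched above: the integer prefix selects a per-channel session, and steps 1 to 4 map onto NEW, BLOB, the terminal OK/FAIL reply and ABORT. The line format, the keywords and the toy verifier that stands in for NTLMSSP are constructed assumptions; what the model shows is that each channel keeps its own challenge, so a reply is only accepted against the challenge issued on that same channel.

```python
import base64
import secrets

class Helper:
    """Helper side of the sketched protocol: one outstanding challenge per
    integer channel prefix, so several sessions can overlap (constructed model)."""
    def __init__(self):
        self.challenges: dict[int, bytes] = {}   # channel -> issued challenge

    def handle(self, line: str) -> str:
        parts = line.strip().split(" ", 2)
        if len(parts) < 2 or not parts[0].isdigit():
            return "0 FAIL malformed request"
        chan, cmd = int(parts[0]), parts[1]
        arg = parts[2] if len(parts) > 2 else ""
        if cmd == "ABORT":                       # step 4: Squid dropped the client
            self.challenges.pop(chan, None)
            return f"{chan} ABORTED"
        if cmd == "NEW":                         # step 1: new session; a NEGOTIATE
            challenge = secrets.token_bytes(8)   # packet in arg is accepted but unused
            self.challenges[chan] = challenge
            return f"{chan} CHALLENGE {base64.b64encode(challenge).decode()}"
        if cmd != "BLOB":
            return f"{chan} FAIL unknown command {cmd}"
        challenge = self.challenges.pop(chan, None)   # one reply per challenge
        if challenge is None:
            return f"{chan} FAIL no session"          # step 3: terminal failure
        # steps 2-3: check the reply against *this channel's* challenge; Squid
        # only sees the verdict and user name, never the NTLMSSP blob itself.
        user = toy_verify(challenge, arg)
        return f"{chan} OK {user}" if user else f"{chan} FAIL bad credentials"

def toy_verify(challenge: bytes, blob_b64: str):
    """Constructed stand-in for NTLMSSP AUTHENTICATE checking (real NTLM uses a
    keyed hash of the challenge): the blob is base64 'user:<name>:<hex challenge>'."""
    try:
        tag, user, echoed = base64.b64decode(blob_b64).decode().split(":")
    except ValueError:
        return None
    return user if tag == "user" and echoed == challenge.hex() else None

def toy_client_reply(user: str, challenge_b64: str) -> str:
    """Constructed client side: echo the channel's challenge back with the user name."""
    challenge = base64.b64decode(challenge_b64)
    return base64.b64encode(f"user:{user}:{challenge.hex()}".encode()).decode()
```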
Received on Sun May 11 2003 - 06:26:42 MDT