Re: Windows NTLM authenticator

From: Serassio Guido <guido.serassio@dont-contact.us>
Date: Mon, 08 Sep 2003 21:30:05 +0200

Hi Henrik,

At 11.39 08/09/2003, Henrik Nordstrom wrote:

>On Monday 08 September 2003 10.28, Serassio Guido wrote:
>
> > The helper currently don't allow the reuse of a challenge with a
> > sort of two state architecture:
>
>A challenge should only be reused if using synthetic challenges and
>the current client disconnects before sending the authenticate
>packet.
>
>When not using synthetic challenges the situation gets messier as then
>the challenge packet depends on the negotiate packet and it becomes
>almost impossible to reuse the challenge safely.
>
>Any other reuses of a challenge (i.e. two or more KK for the same TT)
>is bending the NTLMSSP protocol and is very likely to fail with any
>decent NTLMSSP implementation.
>
>Stupid NTLMSSP implementations such as our old helpers may accept
>multiple KK for the same challenge, but you can't rely on this for
>real NTLMSSP implemenations as the NTLMSSP does not expect a second
>AUTHENTICATE packet.

I think that some glue on challenge reuse between Squid and helpers is needed:

auth_param ntlm max_challenge_reuses
auth_param ntlm max_challenge_lifetime

are totally non sense with a real NTLMSSP helper.

>Now, I am not entirely sure how Windows NTLMSSP acts on failed
>authentication, i.e. if it directly returns a new challenge or if an
>error is returned.

Simply fails ...

> > if a KK is got with an already used challenge, a BH is generated.
>
>Good. It should.
>
> > It seems that in Squid there is a problem:
> > I'm using auth_param ntlm max_challenge_reuses 0, but sometimes I
> > get a KK without a YR, the helper sends a BH to squid and Internet
> > Explorer pop-ups for authentication.
>
>Anything in cache.log?

Nothing.

>I think there is code to force challenge reuse if running low on
>helpers..

I'm using 2 helper with one single client, it should not be a "low" helper
environment.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l.
Via Gorizia, 69 10136 - Torino - ITALY
Tel. : +39.011.3249426 Fax. : +39.011.3293665
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Mon Sep 08 2003 - 13:31:33 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:20:40 MST