Re: New Auth configuration options

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 07 Mar 2011 00:38:06 +1300

On 06/03/11 00:46, Markus Moeller wrote:
>
> "Amos Jeffries" <squid3_at_treenet.co.nz> wrote in message
> news:4D718401.6050404_at_treenet.co.nz...
>> On 05/03/11 05:41, Markus Moeller wrote:
>>> Do you have an idea how such a wrapper would work ?
>>>
>>> The issue I see is that the wrapper helper must do the same process
>>> management as squid. Which I think is quite some duplication.
>>>
>>> Markus
>>>
>>
>> Squid already does the tri-state response handling similarly for
>> Negotiate and NTLM auth schemes. The blob decoding and response state
>> is entirely up to the helper.
>>
>> I think the wrapper just needs to decode the blob and do either NTLM
>> challenge+validate or Kerberos validate on the result depending on
>> what detail it gets.
>>
>
> So squid keeps state to which helper instance the NTLM challenge was
> sent to ?

Yes, and whether there is a challenge pending blocking it from other uses.

>
>> A flag internally to determine that an NTLM validate is the next state
>> after challenge will be needed to avoid sending NTLM challenge then
>> validating the follow-up with Kerberos.
>>
>
> I really don't want to program all of that. I just would like to hand it
> over to the existing squid_kerb_auth or ntlm_auth helper after
> identification of the blob being NTLM or not. But if I hand the token
> over squid_kerb_auth or ntlm_auth will get into an endless loop and
> won't return to my wrapper.
>
> Does that make sense ?

Nope. Sorry. Is the wrapper calling itself recursively when the first
sub-lookup results in failure?

The only loop I can see is when Negotiate/NTLM challenge-response
arrives. If the wrapper passes it to Kerberos it may have bad
consequences, though I'm not certain. If Kerberos can validate the NTLM
challenge responses safely that simplifies things a lot.

As for programming, we have a libntlmauth library bundled with Squid
which has NTLM decoder functions and "struct ntlmhdr" definitions in it.

Code would be something like:

  flag = unset
  while(fgets(input)) {
    base64decode(input, output);
    /* libntlmauth check: does the decoded blob look like an NTLM packet? */
    validation_reply = ntlm_validate_packet((struct ntlmhdr*)output,
                                            <type 3 packet>);
    if (validation_reply && flag != doing_ntlm) {
       ... get result from kerberos ...
    } else {
       flag = unset
       ... get result or challenge from NTLM ...
       if result is challenge
          flag = doing_ntlm   /* next blob must be the NTLM response */
    }
    ... pass result to squid
  }

>
>> "Simples", as the rat said to the piper.
>>
>> Amos
>>
>>
>>>> -----Messaggio originale-----
>>>> Da: Henrik Nordström
>>>>
>>>> ons 2010-04-07 klockan 20:27 +0100 skrev Markus Moeller:
>>>>
>>>> > Would it make sense to define in squid two new configuration
>>>> options > to
>>>> > control Negotiate authentication ? I am thinking of adding
>>>> >
>>>> > Negotiate-NTLM
>>>> >
>>>> > and
>>>> >
>>>> > Negotiate-Kerberos
>>>>
>>>> I would prefer a wrapper helper doing this selection.
>>>>
>>>> Regards
>>>> Henrik
>>>
>>
>> Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.11
   Beta testers wanted for 3.2.0.5
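The dispatch loop sketched in the message above, written out as a standalone C program. This is an added example, not code from the thread or from Squid. It assumes each input line holds only the base64 blob (any prefix Squid puts in front of it is already stripped), it models the ntlm_auth / squid_kerb_auth calls only as a routing decision (ROUTE_NTLM, ROUTE_KERBEROS, ROUTE_REJECT), and it replaces libntlmauth with its own small base64 decoder plus framing checks for NTLMSSP messages and GSS-API tokens; every function, enum and variable name here is invented for the example. It goes slightly beyond the sketch in that it also refuses a Type 3 that arrives with no challenge outstanding and a Kerberos blob that arrives while a challenge is outstanding, which is the misrouting case the message warns about.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Where the wrapper would hand the blob (ntlm_auth, squid_kerb_auth, or
 * nobody). Constructed for this example; the sub-helper calls themselves
 * are not modelled. */
enum route { ROUTE_NTLM = 1, ROUTE_KERBEROS = 2, ROUTE_REJECT = 3 };

/* The "doing_ntlm" flag from the sketch: set while an NTLM challenge is
 * outstanding. Squid pins the follow-up blob to the same helper instance,
 * so one process-wide flag is enough. */
static int g_ntlm_challenged = 0;

/* Minimal base64 decoder, constructed for the example (Squid ships its
 * own in lib/base64.c). Returns decoded length, or -1 on bad input. */
static int b64_decode(const char *in, unsigned char *out, int outmax)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    uint32_t acc = 0;
    int bits = 0, n = 0;
    for (; *in && *in != '=' && *in != '\n' && *in != '\r'; in++) {
        const char *p = strchr(tbl, *in);
        if (!p) return -1;
        acc = (acc << 6) | (uint32_t)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outmax) return -1;
            out[n++] = (unsigned char)(acc >> bits);
        }
    }
    return n;
}

/* NTLMSSP messages carry "NTLMSSP\0" then a little-endian 32-bit type:
 * 1 negotiate, 2 challenge, 3 authenticate. Returns 0 if not NTLMSSP. */
static int ntlm_message_type(const unsigned char *blob, int len)
{
    uint32_t t;
    if (len < 12 || memcmp(blob, "NTLMSSP", 8) != 0)
        return 0;
    t = (uint32_t)blob[8] | ((uint32_t)blob[9] << 8) |
        ((uint32_t)blob[10] << 16) | ((uint32_t)blob[11] << 24);
    return (t >= 1 && t <= 3) ? (int)t : 0;
}

/* GSS-API InitialContextToken framing (RFC 2743 3.1), as used by both
 * Kerberos and SPNEGO: tag 0x60, a DER length, then an OID (tag 0x06). */
static int is_gss_token(const unsigned char *blob, int len)
{
    int i = 2;                              /* short-form length */
    if (len < 4 || blob[0] != 0x60)
        return 0;
    if (blob[1] & 0x80) {                   /* long form: 0x8n + n bytes */
        int n = blob[1] & 0x7f;
        if (n == 0 || n > 4)
            return 0;
        i = 2 + n;
    }
    return i < len && blob[i] == 0x06;
}

/* Route one decoded blob and update the flag. Once a challenge has been
 * issued, the next blob is the NTLM Type 3 or nothing; it never goes to
 * Kerberos. */
enum route dispatch_blob(const unsigned char *blob, int len)
{
    int type = ntlm_message_type(blob, len);
    if (g_ntlm_challenged) {
        g_ntlm_challenged = 0;              /* the exchange ends either way */
        return type == 3 ? ROUTE_NTLM : ROUTE_REJECT;
    }
    if (type == 1) {                        /* negotiate: challenge follows */
        g_ntlm_challenged = 1;
        return ROUTE_NTLM;
    }
    if (type != 0)                          /* Type 2 from a client, or a
                                               Type 3 with no challenge */
        return ROUTE_REJECT;
    return is_gss_token(blob, len) ? ROUTE_KERBEROS : ROUTE_REJECT;
}

/* One helper-protocol input line, assumed to hold just the base64 blob. */
enum route dispatch_line(const char *line)
{
    unsigned char blob[8192];
    int len = b64_decode(line, blob, (int)sizeof blob);
    if (len < 0) {
        g_ntlm_challenged = 0;
        return ROUTE_REJECT;
    }
    return dispatch_blob(blob, len);
}
```

A real wrapper would call dispatch_line for every fgets line and then run the chosen sub-helper; the flag is process-wide because each wrapper process is one helper instance and, as the message says, Squid already tracks which instance holds the pending challenge. Only the framing is inspected, so a blob that passes the NTLMSSP or GSS-API check is still fully validated by the helper it is routed to.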
Received on Sun Mar 06 2011 - 11:38:24 MST
