Re: [PATCH] Strip Windows domain in PAM basic authenticator

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 06 Mar 2013 12:19:21 +1300

On 6/03/2013 7:17 a.m., Steve Hill wrote:
>
> This might be slightly controversial... :)

Very slightly. Mostly on the grounds that NTLM is an officially
deprecated protocol - adding improved support for it is counterproductive
to the goals of eradicating it from the Internet.

On the security front, altering the helper is okay. It is the process
responsible for all manipulation of the credentials received. As long as
the user:password token received in HTTP by Squid is passed to it
without manipulation there is nothing to worry about in respect to Squid.

> When accessing Squid from a Windows machine that is not logged onto a
> domain, Internet Explorer presents the user with a proxy
> authentication dialogue box for NTLM authentication, which requires
> the user name to be entered as DOMAIN\user. Other software may
> instead choose to use basic auth (handled by the basic_pam_auth
> authenticator) and pops up a similar authentication box which requires
> the bare user name (no "DOMAIN\").
>
> It is often not clear to the user that there is a difference between
> these popup boxes, so they may not know whether or not to include the
> windows domain. The attached patch modifies basic_pam_auth so that
> the user can enter their user name as a bare name, "DOMAIN\user" or
> "user_at_domain" and strips the domain part off so that the bare user
> name can be authenticated against PAM.
>
> This should simplify things for the users, since they can just be told
> to enter their details in the "DOMAIN\user" format everywhere and it
> should just work. Obviously not much use in a multi-domain setup, but
> presumably one wouldn't be authenticating against PAM in such a
> situation anyway (?).

As submitted the patch will completely break on all installations which
allow / or @ characters in usernames. I am aware that there are
definitely some networks allowing those - whether they use PAM is unknown.

This will need at least a helper command line option to enable the
stripping. I suggest the -r option as previously used in
negotiate_kerberos_auth.
http://www.squid-cache.org/Versions/v3/3.2/manuals/negotiate_kerberos_auth.html

Amos
Received on Tue Mar 05 2013 - 23:19:32 MST
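The stripping rule Steve describes, gated behind the opt-in helper switch Amos asks for, as an added illustration that is not the submitted patch and not basic_pam_auth's own code; the function name, the `strip_enabled` flag and the sample names `alice` and `example.org` are made up for this example:

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper-side normalisation of the user name before it is
 * handed to PAM. Accepts "DOMAIN\user", "user@domain" or a bare name.
 * Writes the bare name into 'out' and returns 'out', or NULL when the
 * result would be empty or would not fit (caller should fail the login).
 *
 * strip_enabled stands in for the command line option suggested in the
 * reply: when 0 the name is copied unchanged, so sites that allow '\' or
 * '@' inside user names keep working. */
const char *strip_domain(const char *in, char *out, size_t outlen, int strip_enabled)
{
    const char *start = in;
    size_t len = strlen(in);

    if (strip_enabled) {
        const char *bs = strchr(in, '\\');     /* DOMAIN\user -> user */
        if (bs) {
            start = bs + 1;
            len = strlen(start);
        } else {
            const char *at = strchr(in, '@');  /* user@domain -> user */
            if (at)
                len = (size_t)(at - in);
        }
    }
    if (len == 0 || len + 1 > outlen)
        return NULL;
    memcpy(out, start, len);
    out[len] = '\0';
    return out;
}

/* Small check helper: 1 if normalising 'in' yields 'expected',
 * 0 if it yields something else or is rejected (NULL). */
int strips_to(const char *in, int strip_enabled, const char *expected)
{
    char buf[64];
    const char *r = strip_domain(in, buf, sizeof buf, strip_enabled);
    if (!r)
        return expected == NULL;
    return expected != NULL && strcmp(r, expected) == 0;
}

int main(void)
{
    printf("%d %d\n", strips_to("DOMAIN\\alice", 1, "alice"),
           strips_to("alice@example.org", 0, "alice@example.org"));
    return 0;
}
```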