RE: Squid NTLM authentication

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Tue, 18 Jul 2000 09:52:02 +0200

Notice: I am Cc-ing this message to the squid-users mailing list,
since it contains information that might be useful to others and
to the ongoing development of squid. I hope you don't mind.

> First of all, thanks for your prompt reply.

I do what I can :-)

> A)If I apply the patch then squid will obtain the username correctly?

Yes. At least, it does in my case. I am about to go live with that one.

> B) The authenticator is written in C. I am going to assume
> that the user
> is logged in to the PDC. Are there any special considerations for the
> authenticator? I mean, the only thing it does right now is to

I'm using the same trick. Rationale: "since the user is logged in to a domain,
s/he must have already passed an authentication challenge against the
domain.
I'll accept hir credentials at face value, if they're coming through
NTLM".

> read a line
> through std input assuming that the line contains username/password
> separated by a space. Is that OK?

No. The NTLM authentication-line is odd.
This micro-patch (you have to apply it by hand in authenticate.c,
around line 125) changes that format to conform to what I used for
the multi-domain NTLM authenticator.

+#if 0
        snprintf(buf, 8192, "%s %s %s %s %s %s\n",
            auth_user->user, auth_user->domain,
            auth_user->workstation, NTLM_STATIC_CHALLENGE,
            auth_user->lmresponse, auth_user->ntresponse);
+#else
+ /* use standard-format for multi-domain */
+ snprintf(buf,8192,"%s\%s %s\n",
+ auth_user->domain, auth_user->user, auth_user->passwd);
+#endif
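Review bot: the format string on the new snprintf line, "%s\%s %s\n", has a single backslash before the second %s; in a C string literal \% is not a defined escape sequence, so the compiler warns and drops the backslash, leaving "%s%s %s\n" with no separator between domain and user at all. It should read "%s\\%s %s\n", matching the '\\' used in the second change below. The #else branch would also benefit from a comment saying that auth_user->passwd here carries NTLM_STATIC_CHALLENGE rather than the user's password, since someone applying the hunk by hand otherwise has no way to see that the helper cannot tell the NTLM and basic paths apart.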

Also, around line 373 of authenticate.c, change
        *buf++ = '.';
to
        *buf++ = '\\';

Notice that, even with this patch, the password sent to the
authenticator is _NOT_ the user's, but the string defined as
NTLM_STATIC_CHALLENGE in authenticate.c, conventionally "deadbeef".

So your trusting authenticator will have to be a modified
multi-domain authenticator or a modified single-domain authenticator
(since single-domain authenticators don't understand the domain\username
convention), so that its main loop will look like this (pseudocode):

while ( line = read_line) {
  (domain,username,password) = decode_line(line)
  if (password == "deadbeef") {
    # NT challenge. Grant.
    write "OK"
    continue
  }
  #basic authentication. Untrusted.
  do_basic_authentication(domain,username,password)
}

Of course, this has the problem that ANYBODY using basic authentication
supplying any domain\username combination, with "deadbeef" as password,
will be let through. You can change the authenticator to be a tad
more anal, but this is basically security-through-obscurity.
There might be a better way, non-transparently extending the authenticator
protocol. But this is about as hackish as I dare go for now.
Besides, it works, and in a 99%-microsoft environment such as the one
I am in, it should be good enough.

> C) How does squid-ntlm return the username (format I mean).

domain\username deadbeef
(deadbeef is literal), if you apply the above patch.
domain.username - - deadbeef - -
if you don't.
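The helper loop sketched above and the two line formats described under C), put together as a runnable authenticator. This is an added example, not the multi-domain authenticator from the mail nor any squid code: it parses both the patched "domain\username password" line and the unpatched six-field "domain.username - - deadbeef - -" line (the six-field layout is assumed from the mail's own sample), grants any line whose password field equals NTLM_STATIC_CHALLENGE, and falls back to a constructed in-memory user table for basic authentication. The optional trusted_domains argument is the "tad more anal" variant and, as the mail says, does not close the hole, since the password field is all the helper ever sees; the last constructed sample line shows a basic-auth client being let through with "deadbeef". The "ERR" reply is the conventional negative answer of a squid basic-auth helper.

```python
import sys

# The value squid's NTLM code hands the helper in place of the real password
# (NTLM_STATIC_CHALLENGE in authenticate.c, conventionally "deadbeef").
NTLM_STATIC_CHALLENGE = "deadbeef"

# Constructed sample user table for the basic-auth fallback, keyed by
# (domain, username). A real helper would ask the PDC instead.
BASIC_USERS = {
    ("EXAMPLE", "alice"): "s3cret",
    ("EXAMPLE", "bob"): "hunter2",
}


def decode_line(line):
    """Parse one line from squid into (domain, username, password).

    Patched format:   domain\\username password
    Unpatched format: domain.username - - deadbeef - -
                      (six fields, password in the fourth; assumed layout)
    Returns None for a line that matches neither shape. A basic password
    containing spaces is not handled, for simplicity.
    """
    line = line.rstrip("\r\n")
    fields = line.split(" ")
    if len(fields) == 6:
        ident, password, sep = fields[0], fields[3], "."
    elif len(fields) == 2:
        ident, password, sep = fields[0], fields[1], "\\"
    else:
        return None
    if not ident or not password:
        return None
    domain, sep_found, username = ident.partition(sep)
    if not sep_found:
        # No domain prefix at all (single-domain client).
        domain, username = "", ident
    return domain, username, password


def do_basic_authentication(domain, username, password):
    """Untrusted path: the browser sent real credentials, so verify them."""
    return BASIC_USERS.get((domain, username)) == password


def check(line, trusted_domains=None):
    """Return the helper's reply for one request line: "OK" or "ERR".

    trusted_domains, if given, restricts the NTLM pass-through to listed
    domains. It cannot distinguish a genuine NTLM exchange from a basic-auth
    client typing the static challenge as its password.
    """
    parsed = decode_line(line)
    if parsed is None:
        return "ERR"
    domain, username, password = parsed
    if password == NTLM_STATIC_CHALLENGE:
        # NT challenge already answered against the PDC. Grant.
        if trusted_domains is not None and domain not in trusted_domains:
            return "ERR"
        return "OK"
    # Basic authentication. Untrusted.
    return "OK" if do_basic_authentication(domain, username, password) else "ERR"


# Constructed request lines covering each path, including the hole the
# mail describes (last line: basic auth with "deadbeef" as the password).
SAMPLE_LINES = [
    "EXAMPLE\\alice deadbeef",         # NTLM pass-through, patched format
    "EXAMPLE.alice - - deadbeef - -",  # same, unpatched format
    "EXAMPLE\\bob hunter2",            # basic auth, correct password
    "EXAMPLE\\bob wrong",              # basic auth, wrong password
    "EXAMPLE\\mallory deadbeef",       # basic auth using the static challenge
]


def main():
    # Squid blocks waiting for each reply, so never buffer stdout
    # (the same reason a perl helper needs $|=1).
    for line in sys.stdin:
        sys.stdout.write(check(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it as a squid helper by pointing squid at the script, or feed it SAMPLE_LINES on stdin to see the replies; the fourth line is the only one refused.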

> In what way is
> this going to change?

check squid-dev.

A side-note about the username\domain convention.
I chose it not because I particularly like it. In fact, I hate it.
It's just that it best mimics microsoft's own brain-damaged
conventions. MS-proxy, when using basic authentication, wants
to have that syntax. Squid will accept it at face value, and
will consider the "domain\username" string to simply be a
username (which is a correct take on the problem) and just
hand it to the authenticator as-is.
The disadvantage is that the backslash will appear
URLencoded in the logfiles, but I consider that a minor
setback. If you don't like it, change it or even better, dump
microsoft software entirely, you'll live happier. [1]

[1] Yes, I am a tad bitter today, yesterday I had to work late
because the brain-dead microsoft clustering system can't
work with any kind of redundancy.

>
> > > Hi,
> > > I've just read your post at the users list and I would like
> > > to ask you
> > > for some help in order to get this beast up and running.
> > > I've downloaded the source through CVS, run autoconf and
> > > autoheader,
> > > configure --enable-ntlm-authentication and finally make and make
> > > install.
> > > Do you know what I might be doing wrong since squid-ntlm
> > > doesn't obtain
> > > the username or at least doesn't log it anywhere. I've
> >
> > There's a bug in the authentication procedure (fixed in the
> > patch I sent
> > to the list) that causes the procedure to "lose" itself halfway
> > through the challenge. Apply the patch to solve this.
> >
> > > written a simple
> > > authentication module that the only thing it does is log the
> > > username to
> > > a file and return OK (for debugging purposes only). When I run it,
> > > squid-ntlm I mean, the browser seems to wait forever until it
> > > times out.
> >
> > If it's written in PERL, did you set $|=1?
> >
> > > Can you help me? If I get this to work, my company is willing
> > > to replace
> > > their 14 MS Proxy box with Linux-Squid/NTLM ones
> >
> > It's not possible yet, because squid is not yet able to retrieve
> > the user's password from the challenge.
> > True, we can assume that if a user logged in, he _is_ logged
> > in since the PDC allowed him to log in, but still..
> > Also, the format sent to the authenticator is somewhat strange,
> > and I mean to replace it ASAP.
> >
> > /kinkie
>
Received on Tue Jul 18 2000 - 01:53:44 MDT
