Re: [SQU] Fw: NTLM authentication, recent logs for Robert Collins

From: Dr. Michael Weller <eowmob@dont-contact.us>
Date: Fri, 27 Oct 2000 13:07:47 +0200 (MESZ)

On Fri, 27 Oct 2000, Robert Collins wrote:

> Getting a new challenge on *every request* provides the best security (given
> NTLM's capabilities :-]) but means that the challenge-authenticate cache
> will never receive a cache hit. Using the same challenge for a few minutes

Right, but that was not what I meant. Sorry, I probably should have made
myself clearer: Not a new challenge for every request. But instead a new
challenge for every request that misses the cache. Or, looked at from the
other side: A new challenge for every request to the DC (not from squid to
the helper).

As I interpret the source, currently the same challenge is used for every
authentication to the DC (until connection fails, then it gets a new one,
unfortunately this is too late in the authentication handshake then; so
this attempt is doomed to fail). Security-wise, this looks pretty odd to
me.. Not that that would account for anything ;-).

From the logs I have the feeling that the DC dislikes that. It wants a new
connection and challenge for every user.

From the hack^H^H^H^Hpatch I sent very shortly before, this should be
clear.

Michael.

--
Michael Weller: eowmob@exp-math.uni-essen.de, eowmob@ms.exp-math.uni-essen.de,
or even mat42b@spi.power.uni-essen.de. If you encounter an eowmob account on
any machine in the net, it's very likely it's me.
Received on Fri Oct 27 2000 - 05:14:15 MDT
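
The trade-off in the quoted text (a fresh challenge per request versus one challenge reused for a few minutes) can be seen in a toy model. This is an added example, not code from Squid, the patch, or either poster; the `Proxy` class, `simulate`, the 180-second lifetime and the HMAC-SHA256 stand-in for the NTLM response are all assumptions made for illustration.

```python
import hashlib, hmac, os

def response(secret, challenge):
    # Stand-in for the NTLM response (assumption: HMAC-SHA256, not the real algorithm).
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class Proxy:
    """Toy proxy: issues challenges and caches (challenge, response) -> user."""
    def __init__(self, users, lifetime):
        self.users, self.lifetime = users, lifetime   # lifetime 0 = new challenge per request
        self.challenge, self.issued_at = None, 0
        self.cache, self.hits, self.dc_checks = {}, 0, 0

    def issue(self, now):
        expired = now - self.issued_at > self.lifetime
        if self.lifetime == 0 or self.challenge is None or expired:
            self.challenge, self.issued_at = os.urandom(8), now
            self.cache.clear()            # responses to the old challenge are useless now
        return self.challenge

    def authenticate(self, user, chal, resp, now):
        if chal != self.challenge or now - self.issued_at > self.lifetime:
            return False                  # unknown or expired challenge
        if self.lifetime == 0:
            self.challenge = None         # single use
        if self.cache.get((chal, resp)) == user:
            self.hits += 1                # answered from the cache, no DC round trip
            return True
        self.dc_checks += 1               # cache miss: ask the (simulated) DC
        secret = self.users.get(user)
        ok = secret is not None and hmac.compare_digest(resp, response(secret, chal))
        if ok:
            self.cache[(chal, resp)] = user
        return ok

def simulate(lifetime):
    secret = b"constructed-secret"        # constructed sample credential
    proxy = Proxy({"alice": secret}, lifetime)
    for now in range(0, 300, 30):         # ten requests, 30 s apart
        chal = proxy.issue(now)
        resp = response(secret, chal)
        assert proxy.authenticate("alice", chal, resp, now)
    stats = {"hits": proxy.hits, "dc_checks": proxy.dc_checks}
    # An observer re-sends the last captured exchange 15 s later.
    stats["replay_accepted"] = proxy.authenticate("alice", chal, resp, 285)
    return stats

if __name__ == "__main__":
    for lifetime in (0, 180):
        print(lifetime, simulate(lifetime))
```

In this model the reused challenge saves eight of ten DC round trips, and the price is that a recorded exchange stays valid until the challenge rotates.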