On Tue, Sep 14, 2010 at 1:52 AM, Isaac NickAein <nickaein.i_at_gmail.com> wrote:
> How about Digest authentication?
>
> Does digest is as weak as NTLM?
>
> and another question:
>
> Is it possible to use Kerberos (actually Negotiate) protocol for squid
> user authentication in a network without any Active Directory or
> Domain?
>
>
> On 9/14/10, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> On Mon, 13 Sep 2010 11:28:13 -0500, Terry <td3201_at_gmail.com> wrote:
>>> I have a working NTLM implementation in place and it works great from
>>> yum and wget for example. However, when I try to use squid from IE8,
>>> it prompts for password and I never see the credentials hit squid,
>>> just this for example:
>>> 1284395121.846 0 10.8.1.100 TCP_DENIED/407 1798 GET
>>> http://google.com/ - NONE/- text/html
>>>
>>> I have added google.com to IE's local intranet zone and gave that zone
>>> low priority so I am not sure where the problem lies. Here's my
>>> configuration:
>>>
>>> auth_param ntlm program /usr/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-ntlmssp
>>> --require-membership-of="DOM\\proxyusers"
>>> auth_param ntlm children 5
>>> auth_param basic program /usr/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-basic
>>> --require-membership-of="DOM\\proxyusers"
>>> auth_param basic children 5
>>> auth_param basic realm Squid proxy-caching web server
>>> auth_param basic credentialsttl 5 hours
>>>
>>> acl NTLMUsers proxy_auth REQUIRED
>>> http_access allow all NTLMUsers
>>>
>>> I can test fine from the squid server:
>>> [root_at_proxy01a squid]# ntlm_auth --helper-protocol=squid-2.5-basic
>>> DOM\jmama password
>>> OK
>>>
>>> What am I missing?
>>
>> The fact that NTLM has been obsolete for 8 years now? It's encryption
>> schemes were demonstrated to be decrypted in under 15 minutes with a
>> standard consumer desktop as of a year or so ago.
>> Microsoft have declared is deprecated in favor of Kerberos back in the
>> early stages of Vista and all their newer software attempts to do Kerberos
>> instead. IE8 and Windows 7 are known to have NTLM fully disabled by
>> default, with some hoop-jumping needed to open up those hole again.
>>
>> *Please* look at upgrading your network to Negotiate/Kerberos. It's much
>> more secure, faster and very much less resource hungry than NTLM.
>>
>> Amos
>>
>
Clearly I'm not up to par on my authentication technologies. If it's
that old, why is it still an example on the website? I'll check into
Kerberos as I use that in other areas for linux/windows
authentication.
Received on Tue Sep 14 2010 - 13:25:04 MDT
This archive was generated by hypermail 2.2.0 : Wed Sep 15 2010 - 12:00:03 MDT