RE: NTLM and proxying

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Fri, 13 Apr 2001 10:50:55 +0200

> > We could strip the Authenticate: NTLM from the reply.
> > But if there is no alternate authentication scheme offered
> > (as can be the case with braindamaged IIS) we need to offer an
> > ad-hoc error page, otherwise we'd have broken the auth protocol.
> > If the pinning was possible, we could even act as a basic-to-NTLM
> > bridge for such cases (there was a python app announced on
> > freshmeat today that does exactly this). Or maybe we have some
> > ways to do this even now?
>
> We don't need to replace the page: IIS includes a full text
> description of the need to authenticate. That page will be shown instead.

Yes and no. We still have the 40X return code. Getting that
with no Authenticate: header is maybe a violation of the HTTP
standard, and even if it isn't it might confuse the client.
Should we turn the 40X into something else too?

> And we can
> hardly break NTLM can we? We'd need to fix it first :].

That is true.

> > basic-to-NTLM bridge means:
> >
> > 1) we see a server reply with Authenticate: NTLM scheme and no
> > alternate auth methods offered.
> > 2) we strip that out, and replace that with a Basic challenge
> > 3) user supplies us the username, domain and password
> > 4) we complete the NTLM negotiation with the server
> > 5) we handle the client-server association as authenticated
> > 6) continue as usual, stripping away Authenticate: headers
> > from client's requests (with NTLM, once the _connection_ is
> > authenticated no further auth takes place)
> >
> > Ideas? Comments?
>
> Whoa. Bad karma security wise - Unless we have some way to pin the
> upstream request to the downstream username.

Er, yes.

> Personally, I'd rather fail
> immediately, and hasten the demise of NTLM only secured web servers.

I don't think anybody in a sane state of mind would use NTLM over
the Internet as opposed to basic-over-ssl. That project is
mainly of issue for
people-who-use-unix-in-a-corporate-environment-which-has-sold-its-ass-off-to-microsoft
such as me and the place where I work.

> After all, if the site hosters want security, they can run
> NTLM over SSL very easily.

Isn't this exactly the pinning that would be needed all over the
(NTLM) place? Can't we just use the tunneling primitives?

True.
Received on Fri Apr 13 2001 - 02:47:08 MDT
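An added illustration, not code from this thread or from Squid: it implements the decision in steps 1 and 2 of the quoted bridge procedure (recognise a 401 whose WWW-Authenticate challenges offer only NTLM and swap in a Basic challenge) plus the pinning guard the reply asks for in steps 5 and 6, so that an upstream connection authenticated as one downstream user is never reused for a different one. The NTLM negotiation itself (step 4) is assumed to be handled elsewhere; the header name WWW-Authenticate, the realm string, the client identifiers and the credentials are constructed for the example.

```python
"""Constructed example: NTLM-only challenge detection and upstream
connection pinning for a basic-to-NTLM bridge (not Squid's code)."""
import base64
import binascii
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _split_commas(value: str) -> List[str]:
    """Split a header value on commas that are outside double quotes."""
    parts, buf, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def offered_schemes(header_values: List[str]) -> List[str]:
    """Step 1: list the auth schemes offered across all WWW-Authenticate
    lines. A piece whose first word carries no '=' starts a new challenge
    (e.g. 'NTLM', 'Basic realm="x"'); a piece like 'nonce="n"' is just
    another parameter of the previous challenge."""
    schemes = []
    for value in header_values:
        for piece in _split_commas(value):
            first_word = piece.split(None, 1)[0]
            if "=" not in first_word:
                schemes.append(first_word.lower())
    return schemes


def is_ntlm_only(header_values: List[str]) -> bool:
    """True when at least one challenge is present and all of them are NTLM."""
    schemes = offered_schemes(header_values)
    return bool(schemes) and all(s == "ntlm" for s in schemes)


def rewrite_challenge(status: int, header_values: List[str],
                      realm: str = "bridge") -> Tuple[int, List[str]]:
    """Step 2: on a 401 that offers only NTLM, replace the challenge with a
    Basic one (realm is a constructed value). Anything else passes through
    unchanged, so servers that already offer an alternative are not touched."""
    if status == 401 and is_ntlm_only(header_values):
        return 401, ['Basic realm="%s"' % realm]
    return status, list(header_values)


def basic_header(user: str, password: str) -> str:
    """Build the Authorization value a client sends in step 3 (sample data)."""
    blob = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return "Basic " + blob


def parse_basic(authorization: str) -> Optional[Tuple[str, str]]:
    """Step 3: recover user (DOMAIN\\user form allowed) and password from a
    Basic credential; returns None for anything that is not valid Basic."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


@dataclass
class UpstreamConn:
    # NTLM authenticates the TCP connection, not each request, so the
    # identity that completed the handshake is a property of the connection.
    authenticated_as: str


class Bridge:
    """Steps 5 and 6: remember which downstream identity owns each upstream
    connection, and only forward over it for that identity."""

    def __init__(self) -> None:
        self.pins = {}  # client_id -> UpstreamConn

    def bind(self, client_id: str, username: str) -> None:
        # Called once the NTLM handshake (step 4, out of scope here) has
        # succeeded on a dedicated upstream connection for this client.
        self.pins[client_id] = UpstreamConn(authenticated_as=username)

    def may_reuse(self, client_id: str, username: str) -> bool:
        # The guard that prevents one client riding on another's session:
        # the upstream is usable only by the identity that authenticated it.
        conn = self.pins.get(client_id)
        return conn is not None and conn.authenticated_as == username
```

Without `may_reuse`, the bridge would do exactly what the reply warns against: once the upstream connection is authenticated, every later request it carries is trusted by the server regardless of who sent it to the proxy, so the proxy must key the connection to the downstream user and never share it.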

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:13:45 MST