Re: NTLM and proxying

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 13 Apr 2001 11:42:49 +0200

Chemolli Francesco (USI) wrote:

> > Yes. New idea: NTLM to basic or digest. We'd need a
> > co-operative server
> > such as SAMBA to validate the NTLM username and give us the matching
> > plaintext though.
>
> And how exactly would you achieve that? If you're a proxy and the
> server is far, far away, how do you plan on validating the NTLM hash?

Or just ask the user, caching the plain text password in a secure
database outside the user directory.

But as discussed, it does not make much sense in practical use.

The only application I see it making sense in is implementing a kind of
"single-sign-on" by abusing the NTLM "automatic login" feature, but such
password caches are better implemented at the user-agent, I think.

> > available. Digest or NTLM to any requires a co-operative user
> > directory.
>
> Which, generally speaking, you don't have. I wouldn't even bother
> working on the issue.

Neither would I. Directories are generally designed to protect the plain
text password, and adding backdoors for getting plain text passwords is
a big security hazard.

> That would be true if you transparently transformed a more-secure
> auth-scheme to a less-secure auth-scheme (such as NTLM-to-basic or
> digest-to-basic [client side first]).
> But since you really can't do that but only the other way around,
> it's not really an issue, is it?

It is an issue in information, not technology.

A site might have the policy that logins are only allowed using Digest.
If you then have a Basic->Digest gateway in the request path, then you
allow the user to breach this policy, most likely without knowing.

This is also true for Basic->NTLM, as NTLM theoretically supports asking
the user for login details when logging in to another domain without a
trust arrangement (I don't know if IE does this but it can be done).

--
Henrik
Received on Fri Apr 13 2001 - 04:02:04 MDT
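As an added illustration of the Basic->Digest gateway Henrik describes (example code, not from this thread or from Squid): the translation is possible only because the Basic credential hands the proxy the plaintext password, while the policy check shows what the user never sees, namely that a Digest-only site was reached with cleartext credentials on the first hop. The credential and challenge values are the RFC 2617 worked example; the function names are assumptions.

```python
import base64
import hashlib
import re

# Constructed input (RFC 2617 worked example): the client's Basic header and the origin's Digest challenge.
CLIENT_AUTHORIZATION = "Basic " + base64.b64encode(b"Mufasa:Circle Of Life").decode()
ORIGIN_CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
                    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", algorithm=MD5')

def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_basic(header):
    """Return (user, password): Basic gives the proxy the plaintext password."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password

def parse_challenge(header):
    """Return (scheme, params) from a WWW-Authenticate header."""
    scheme, _, rest = header.partition(" ")
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return scheme, params

def basic_to_digest(basic_header, challenge, method, uri,
                    cnonce="0a4f113b", nc="00000001"):
    """Answer a Digest challenge (RFC 2617, qop=auth) with a Basic credential.
    Only this direction works: a Digest response never reveals the password."""
    user, password = parse_basic(basic_header)
    scheme, p = parse_challenge(challenge)
    if scheme.lower() != "digest":
        raise ValueError("challenge is not Digest")
    ha1 = md5hex(f"{user}:{p['realm']}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    response = md5hex(f"{ha1}:{p['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{user}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')

def gateway_policy_finding(client_header, challenge):
    """Henrik's point: flag a site that demands Digest but was reached with a weaker scheme on the first hop."""
    client_scheme = client_header.split(" ", 1)[0].lower()
    site_scheme = challenge.split(" ", 1)[0].lower()
    if client_scheme == site_scheme:
        return None
    return f"policy breach: site requires {site_scheme}, client sent {client_scheme} on the proxy hop"
```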