RE: NTLM and proxying

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Fri, 13 Apr 2001 11:46:23 +0200

> Chemolli Francesco (USI) wrote:
>
> > Isn't this exactly the pinning that would be needed all over the
> > (NTLM) place? Can't we just use the tunneling primitives?
>
> Sure, but then all logging is lost, and you still have the same security
> issues with cache hierarchies.

No, we can't afford that.

> Scenario:
>
> Two users behind a second-level proxy not knowing about NTLM
>
> User a logs in to an origin server using NTLM, causing the top level
> proxy's connection to the NTLM enabled server to be logged in.
>
> User b requests an object on the same server, and persistent connection
> management causes user b's request to be sent on the connection opened
> by user a, thereby inheriting the privileges of user a.

Of course this can't be allowed. This is what pinning is all about,
isn't it?

> So NTLM proxying ends up being a bad idea unless the whole environment is
> controlled and you know there are no second-level proxies not knowing
> about NTLM.

Let's rework the scenario.

2 users ("a" and "b"), both behind two proxies ("1" and "2" with
"1" being closest to the users).

-first scenario: both 1 and 2 understand NTLM.
a opens connection and authenticates via NTLM. 1 pins upstream to a
(it pins the a-1 fd to the 1-2 fd). 2 does the same, and everybody is happy.
b opens connection and authenticates via NTLM. 1 doesn't use the same
upstream link (since it's reserved for the a-1 to 1-2 tie) and opens a
new one. Everybody is happy again.

-second scenario: 2 doesn't understand NTLM
here matters become nondeterministic, since it all depends on
if and when 2 will terminate the TCP connection to the server.
But in this case the existence of 1 won't matter at all: we'd be
screwed anyways.

All this to say: NTLM auth sucks. Whether 1 supports it or not won't change
things.
Also, we really have no way of knowing what will happen
upstream; it doesn't matter whether "we" is the client or a proxy.
If "we" is the "1" proxy and we don't handle NTLM, we will blunder earlier,
but we'll still blunder. Yes, NTLM auth sucks. Big time. Blame Canada [1].

Yes, I love South Park.

-- 
	/kinkie 
Received on Fri Apr 13 2001 - 14:46:17 MDT
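The two scenarios in the message above, as an added simulation that is a constructed model and not Squid code: the origin keeps NTLM authentication state per connection, each proxy pools persistent upstream links and optionally pins them to the client that authenticated, and `run(pin_1, pin_2)` returns what user b gets after user a has authenticated through proxies 1 and 2. Class names, the connection-key scheme and the 401/200 outcomes are the model's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class UpstreamConn:
    """One persistent connection from a proxy to its next hop (constructed model)."""
    conn_id: int
    pinned_to: Optional[str] = None  # downstream client this link is reserved for


class OriginServer:
    """NTLM-style origin: authentication state lives on the connection, not the request."""
    def __init__(self):
        self.owner = {}  # connection key -> user who completed the handshake on it

    def request(self, conn_key: str, creds: Optional[str]):
        if conn_key not in self.owner:
            if creds is None:
                return 401, "challenge"
            self.owner[conn_key] = creds  # handshake done: the connection is now "logged in"
        return 200, f"served as {self.owner[conn_key]}"


class Proxy:
    """Keeps a pool of persistent upstream links; with pinning=True it ties a link to a client."""
    def __init__(self, name: str, upstream, pinning: bool):
        self.name, self.upstream, self.pinning = name, upstream, pinning
        self.pool = []

    def _pick(self, client: str) -> UpstreamConn:
        for c in self.pool:
            if c.pinned_to in (client, None):  # the client's own pinned link, or any free one
                return c
        self.pool.append(UpstreamConn(len(self.pool)))
        return self.pool[-1]

    def request(self, client: str, creds: Optional[str]):
        c = self._pick(client)
        status, body = self.upstream.request(f"{self.name}:{c.conn_id}", creds)
        if self.pinning and creds is not None and status == 200:
            c.pinned_to = client  # pin the client fd to the upstream fd
        return status, body


def run(pin_1: bool, pin_2: bool):
    """User a authenticates via proxies 1 and 2, then user b sends a plain request."""
    chain = Proxy("1", Proxy("2", OriginServer(), pin_2), pin_1)
    chain.request("a", creds="a")
    return chain.request("b", creds=None)
```

Only when both proxies pin does b get a fresh challenge; if either hop reuses the logged-in link, b is served as a, which is the point made above that pinning in proxy 1 cannot compensate for proxy 2.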
