> Chemolli Francesco (USI) wrote:
>
> > Isn't this exactly the pinning that would be needed all over the
> > (NTLM) place? Can't we just use the tunneling primitives?
>
> Sure, but then all logging is lost, and you still have the same security
> issues with cache hierarchies.
No, we can't afford that.
> Scenario:
>
> Two users behind a second-level proxy not knowing about NTLM
>
> User a logs in to an origin server using NTLM, causing the top-level
> proxy's connection to the NTLM-enabled server to be logged in.
>
> User b requests an object on the same server, and persistent connection
> management causes user b's request to be sent on the connection opened
> by user a, thereby inheriting the privileges of user a.
Of course this can't be allowed. This is what pinning is all about,
isn't it?
> So NTLM proxying ends up being a bad idea unless the whole environment is
> controlled and you know there are no second-level proxies not knowing
> about NTLM.
Let's rework the scenario.
2 users ("a" and "b"), both behind two proxies ("1" and "2", with
"1" being closest to the users).
-first scenario: both 1 and 2 understand NTLM.
a opens a connection and authenticates via NTLM. 1 pins upstream to a
(it pins the a-1 fd to the 1-2 fd). 2 does the same, and everybody is happy.
b opens a connection and authenticates via NTLM. 1 doesn't use the same
upstream link (since it's reserved for the a-1 to 1-2 tie) and opens a
new one. Everybody is happy again.
-second scenario: 2 doesn't understand NTLM.
Here matters become nondeterministic, since it all depends on
whether and when 2 will terminate the TCP connection to the server.
But in this case the existence of 1 won't matter at all: we'd be
screwed anyway.
This is all to say: NTLM auth sucks. Whether 1 supports it or not won't change
things.
Also, we really have no way of knowing what will happen
upstream; it doesn't matter whether "we" is the client or a proxy.
If "we" is the "1" proxy and we don't handle NTLM, we will blunder earlier,
but we'll still blunder. Yes, NTLM auth sucks. Big time. Blame Canada [1].
Yes, I love South Park.
-- /kinkie

Received on Fri Apr 13 2001 - 14:46:17 MDT
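The two scenarios above (both proxies pin NTLM connections, versus the upstream proxy "2" not knowing about NTLM) can be traced with a small simulation. The following is an added example, not code from the original message or from Squid: it models each proxy as a pool of persistent upstream links, where NTLM authenticates the TCP link rather than the request, and a proxy that "understands NTLM" pins the link to the downstream connection that authenticated it. The `Hop` and `Link` names, the four-step request sequence and the user names "a" and "b" are assumptions made for the example; requests are processed one at a time, so every link is idle between requests.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Link:
    """One persistent TCP connection from a proxy to its next hop (constructed model)."""
    name: str
    authenticated_as: Optional[str] = None  # identity the origin bound to this socket via NTLM
    pinned_to: Optional[str] = None         # downstream connection this link is reserved for


class Hop:
    """A proxy in the chain. next_hop is another Hop, or None if the links go to the origin."""

    def __init__(self, name: str, understands_ntlm: bool, next_hop: "Optional[Hop]" = None):
        self.name = name
        self.understands_ntlm = understands_ntlm
        self.next_hop = next_hop
        self.links: List[Link] = []

    def _pick_link(self, downstream_conn: str) -> Link:
        # A link pinned to this downstream connection is always reused for it.
        for link in self.links:
            if link.pinned_to == downstream_conn:
                return link
        # Otherwise ordinary persistent-connection management applies: any idle,
        # unpinned link to the server is fair game, whoever authenticated on it.
        for link in self.links:
            if link.pinned_to is None:
                return link
        link = Link(name=f"{self.name}-{len(self.links)}")
        self.links.append(link)
        return link

    def request(self, downstream_conn: str, ntlm_user: Optional[str] = None) -> Optional[str]:
        """Forward one request received on downstream_conn; return the identity the origin applies."""
        link = self._pick_link(downstream_conn)
        if ntlm_user is not None and self.understands_ntlm:
            # NTLM-aware proxy: tie the upstream link to the authenticating client connection.
            link.pinned_to = downstream_conn
        if self.next_hop is None:
            # This link terminates at the origin: NTLM state lives on the socket, not the request.
            if ntlm_user is not None:
                link.authenticated_as = ntlm_user
            return link.authenticated_as
        # Further upstream, our link is the "client connection" the next proxy sees.
        return self.next_hop.request(link.name, ntlm_user)


def run_chain(proxy1_ntlm: bool, proxy2_ntlm: bool) -> Tuple[Optional[str], ...]:
    """Replay the scenario from the message: users a and b behind proxy 1, then proxy 2, then the origin.

    Returns the identity the origin server applies to each of four requests:
      1. a authenticates via NTLM
      2. b sends an unauthenticated request to the same server
      3. b authenticates via NTLM
      4. a sends another (unauthenticated) request on its existing connection
    """
    proxy2 = Hop("2", proxy2_ntlm)
    proxy1 = Hop("1", proxy1_ntlm, next_hop=proxy2)
    return (
        proxy1.request("client-a", ntlm_user="a"),
        proxy1.request("client-b"),
        proxy1.request("client-b", ntlm_user="b"),
        proxy1.request("client-a"),
    )


def leaked_identities(results: Tuple[Optional[str], ...]) -> bool:
    """True when some request was served under another user's NTLM identity."""
    expected = ("a", None, "b", "a")
    return results != expected


if __name__ == "__main__":
    for p1, p2 in ((True, True), (True, False), (False, True), (False, False)):
        seen = run_chain(p1, p2)
        print(f"proxy1 NTLM={p1!s:5} proxy2 NTLM={p2!s:5} -> origin sees {seen} "
              f"{'LEAK' if leaked_identities(seen) else 'ok'}")
```

Only the first combination keeps identities where they belong: b's plain request gets a fresh link and arrives anonymous, and a's later request still rides a's own pinned link. As soon as proxy 2 pools its server-side links, b's request reuses the link the origin already authenticated as a, and after b authenticates the same pooled link is rebound to b, so a's next request is served as b. Whether proxy 1 pins or not changes nothing in that case, which is the message's point.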