IMO to do full NTLMSSP we need to:
 * Deprecate / remove all stateful helper logic.
 * Use winbind / Guido's native equivalent exclusively.
 * Handle the handshaking thusly:
     request->squid->helper
     challenge->squid->client
     response->squid->helper
     result->squid

I.e. do away with all the fluff that was needed to make use of
server-assigned challenges work (where the server would irregularly drop
the tcp connection and force all outstanding auths to fail.)
Arbitrary challenges will work fine with winbind, and we can retain
logic to check that a challenge was indeed issued by squid on a
connection to prevent chosen challenge attacks.
This is a major change though, and IMO best slated for 3.1 - it will
take time to do it RIGHT.
Rob
On Sat, 2003-05-10 at 20:39, Henrik Nordstrom wrote:
> On Saturday 10 May 2003 12.20, Serassio Guido wrote:
>
> > I will do some testing, but I'm not sure of what
> > REQUEST_NON_NT_SESSION_KEY means.
>
> Neither am I, but it is a REQUEST flag, not a CHALLENGE flag. The mode
> of this flag is set by the client when making the request.
>
>
> Also, I still do not see how to make a correct NTLMSSP implementation
> without access to the NEGOTIATE packet and unique NTLMSSP challenge
> packets per NEGOTIATE. Sure, the basic NTLM and LM protocols can be
> done blindly, but NTLMSSP is a lot more stateful than just NTLM or
> LM.
>
> My understanding of REQUEST flags is that these are sent by the client
> in the NEGOTIATE packet, requesting the server to return certain
> information in the CHALLENGE packet. To be compared with the
> NEGOTIATE flags which are used to negotiate a certain feature in all
> NTLMSSP packets.
>
> > Removing it means not allowing an LM negotiation? If so, what
> > happens with 9x clients?
>
> And that is why I want to have the patch reviewed and tested before
> applying.
>
> Regards
> Henrik
-- GPG key available at: <http://users.bigpond.net.au/robertc/keys.txt>.
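
An added example, not part of the original message or of Squid's code: a sketch of the four-step relay described above, with the proxy remembering which challenge it issued on which connection and refusing any response that does not match one. `StubHelper`, `Proxy`, `client_response` and the HMAC "proof" are hypothetical stand-ins (the proof is a toy, not the real NTLM response computation); only the NTLMSSP header layout (signature, message type, 8-byte challenge at offset 24 of the type 2 message) is taken from the protocol.

```python
import hashlib, hmac, os, struct

SIG = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3

def msg_type(blob):
    """NTLMSSP message type from the fixed header, or None if malformed."""
    if len(blob) < 12 or blob[:8] != SIG:
        return None
    return struct.unpack_from("<I", blob, 8)[0]

class StubHelper:
    """Hypothetical stand-in for the winbind helper. The proof is a toy HMAC
    over the challenge, NOT the real NTLM response computation."""
    def __init__(self, secret):
        self.secret = secret
    def challenge(self, negotiate):
        # Type 2 layout: header, empty target-name buffer, flags, 8-byte challenge
        return SIG + struct.pack("<I", CHALLENGE) + bytes(8) + negotiate[12:16] + os.urandom(8)
    def proof(self, server_challenge):
        return hmac.new(self.secret, server_challenge, hashlib.sha256).digest()
    def verify(self, server_challenge, response):
        return hmac.compare_digest(response[12:], self.proof(server_challenge))

class Proxy:
    """Relays the handshake and binds each issued challenge to one connection."""
    def __init__(self, helper):
        self.helper = helper
        self.issued = {}                      # connection id -> 8-byte challenge
    def handle(self, conn, blob):
        kind = msg_type(blob)
        if kind == NEGOTIATE and len(blob) >= 16:   # request->squid->helper
            reply = self.helper.challenge(blob)
            self.issued[conn] = reply[24:32]  # remember what this connection was sent
            return ("challenge", reply)       # challenge->squid->client
        if kind == AUTHENTICATE:              # response->squid->helper
            issued = self.issued.pop(conn, None)   # single use per connection
            if issued is None:
                return ("reject", b"no challenge issued on this connection")
            ok = self.helper.verify(issued, blob)
            return ("ok" if ok else "reject", b"")  # result->squid
        return ("reject", b"unexpected NTLMSSP message")

def client_response(helper, challenge_msg):
    """Constructed client: answers the challenge it was actually sent."""
    return SIG + struct.pack("<I", AUTHENTICATE) + helper.proof(challenge_msg[24:32])

NEGOTIATE_MSG = SIG + struct.pack("<II", NEGOTIATE, 0x00000207)  # constructed sample
```

Because the proxy hands the helper the challenge it recorded rather than anything the client supplies, a response computed against a challenge from another connection fails verification, and a response on a connection with no outstanding challenge never reaches the helper.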