Re: New Auth configuration options

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sun, 6 Mar 2011 12:39:28 -0000

"Amos Jeffries" <squid3_at_treenet.co.nz> wrote in message
news:4D73721E.4000601_at_treenet.co.nz...
> On 06/03/11 00:46, Markus Moeller wrote:
>>
>> "Amos Jeffries" <squid3_at_treenet.co.nz> wrote in message
>> news:4D718401.6050404_at_treenet.co.nz...
>>> On 05/03/11 05:41, Markus Moeller wrote:
>>>> Do you have an idea how such a wrapper would work ?
>>>>
>>>> The issue I see is that the wrapper helper must do the same process
>>>> management as squid. Which I think is quite some duplication.
>>>>
>>>> Markus
>>>>
>>>
>>> Squid already does the tri-state response handling similarly for
>>> Negoatite and NTLM auth schemes. The blob decoding and response state
>>> is entirely up to the helper.
>>>
>>> I think the wrapper just needs to decode the blob and do either NTLM
>>> challenge+validate or Kerberos validate on the result depending on
>>> what detail it gets.
>>>
>>
>> So squid keeps state to which helper instance the NTLM challenge was
>> send too ?
>
> Yes, and whether there is a challenge pending blocking it from other uses.
>

Good

>>
>>> A flag internally to determine that an NTLM validate is the next state
>>> after challenge will be needed to avoid sending NTLM challenge then
>>> validating the follow-up with Kerberos.
>>>
>>
>> I really don't want to program all of that. I just would like to hand it
>> over to the existing squid_kerb_auth or ntlm_auth helper after
>> identification of the blob beeing NTLM or not. But if I hand the token
>> over squid_kerb_auth or ntlm_auth will get into an endless loop and
>> won't return to my wrapper.
>>
>> Does that make sense ?
>
> Nope. Sorry. Is the wrapper calling itself recursively when the first
> sub-lookup results in failure?
>
>
> The only loop I can see is when Negotiate/NTLM challenge-response arrives.
> If the wrapper pases it to Kerberos it may have bad consequences, though
> I'm not certain. If Kerberos can validate the NTLM challenge responses
> safely that simplifies things a lot.
>
> As for programming, we have a libntlmauth library bundled with Squid which
> has NTLM decoder functions and "struct ntlmhdr" definitions in it.
>
> Code would be something like:
>
> flag = unset
> while(fgets(input)) {
> base64decode(input, output);
> validation_reply = ntlm_validate_packet((struct ntlmhdr*)output,
> <type 3 packet>);
> if (validation_reply && flag != doing_ntlm) {
> ... get result form kerberos ...

Here I see a problem. I asume I can re-use the existing helpers. How do I
start it and get data to and from it ?

> } else {
> flag = unset
> ... get result or challenge from NTLM ...

Same here.

> if result is challenge
> flag = doing_ntlm
> }
> ... pass result to squid
> }
>
>>
>>> "Simples", as the rat said to the piper.
>>>
>>> Amos
>>>
>>>
>>>>> -----Messaggio originale-----
>>>>> Da: Henrik Nordström
>>>>>
>>>>> ons 2010-04-07 klockan 20:27 +0100 skrev Markus Moeller:
>>>>>
>>>>> > Would it make sense to define in squid two new configuration
>>>>> options > to
>>>>> > control Negotiate authentication ? I am thinking of adding
>>>>> >
>>>>> > Negotiate-NTLM
>>>>> >
>>>>> > and
>>>>> >
>>>>> > Negotiate-Kerberos
>>>>>
>>>>> I would prefer a wrapper helper doing this selection.
>>>>>
>>>>> Regards
>>>>> Henrik
>>>>
>>>
>>> Amos
>
>
>
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.11
> Beta testers wanted for 3.2.0.5
>
Received on Sun Mar 06 2011 - 12:40:01 MST

This archive was generated by hypermail 2.2.0 : Mon Mar 07 2011 - 12:00:03 MST