RE: NTLM authentication, recent logs for Robert Collins

From: Dr. Michael Weller <eowmob@dont-contact.us>
Date: Thu, 26 Oct 2000 18:58:08 +0200 (MESZ)

On Thu, 26 Oct 2000, Chemolli Francesco (USI) wrote:

> This is the problem. If I am forced to issue new challenges
> over and over again, the cache will be completely ineffective.

Sorry, this time *I* cannot follow because I've no idea who challenges
whom in that NTLM business. I was under the impression that

1. IE opens connection (maybe also sends domain\user, somehow fakeauth has
   to work), squid consults DC for a challenge (possibly already
   mentioning for which user) and passes it to the client.

2. IE takes user credentials, password and challenge and mangles them
   into a reply.

3. Squid passes that on to the DC which compares it with its own idea
   and accepts or denies it.

This is how I would do it. Now, for God's sake, I don't work for M$ so
might be completely wrong.

So I thought, there is no problem at all to send IE the same challenge
again and again and again and compare the result with ntlm-auth's cache.
The only reasons not to do that are imho that the user might have changed
his password or that you don't want to allow someone who has snooped the
communication with squid to log in as that user.

Just for curiosity I'd like to know how NTLM really works. (any pointer?)
Ok, your idea how NTLM really works ;-)

Michael.

--
Michael Weller: eowmob@exp-math.uni-essen.de, eowmob@ms.exp-math.uni-essen.de,
or even mat42b@spi.power.uni-essen.de. If you encounter an eowmob account on
any machine in the net, it's very likely it's me.
Received on Thu Oct 26 2000 - 11:01:18 MDT
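
The two reasons given in this message for not reusing a challenge, as an added example (not code from the thread or from Squid): a toy challenge-response in which HMAC-SHA256 stands in for the real NTLM response function, and `DomainController`, `CachingProxy`, `FreshProxy` and `replay_outcome` are hypothetical names. A proxy that reuses one challenge and compares against its cached response keeps accepting a previously observed response, even after a password change, while a fresh single-use challenge makes the old response worthless.

```python
import hashlib
import hmac
import os

def response(password, challenge):
    # Stand-in for the NTLM response function (assumption): HMAC-SHA256.
    key = hashlib.sha256(password.encode()).digest()
    return hmac.new(key, challenge, hashlib.sha256).digest()

class DomainController:  # hypothetical name
    def __init__(self, accounts):
        self.accounts = dict(accounts)
    def verify(self, user, challenge, resp):
        pw = self.accounts.get(user)
        return pw is not None and hmac.compare_digest(response(pw, challenge), resp)

class CachingProxy:  # hypothetical: one challenge per user, reused forever
    def __init__(self, dc):
        self.dc, self.cache = dc, {}
    def challenge_for(self, user):
        if user not in self.cache:
            self.cache[user] = (os.urandom(8), None)
        return self.cache[user][0]
    def login(self, user, resp):
        challenge, good = self.cache[user]
        if good is None and self.dc.verify(user, challenge, resp):
            self.cache[user] = (challenge, resp)
            return True
        # Cache hit: compared locally, the DC is never asked again.
        return good is not None and hmac.compare_digest(good, resp)

class FreshProxy:  # hypothetical: new single-use challenge per login
    def __init__(self, dc):
        self.dc, self.pending = dc, {}
    def challenge_for(self, user):
        self.pending[user] = os.urandom(8)
        return self.pending[user]
    def login(self, user, resp):
        challenge = self.pending.pop(user, None)
        return challenge is not None and self.dc.verify(user, challenge, resp)

def replay_outcome(proxy_cls):
    dc = DomainController({"alice": "old-pw"})  # constructed account
    proxy = proxy_cls(dc)
    captured = response("old-pw", proxy.challenge_for("alice"))
    first = proxy.login("alice", captured)   # legitimate login, seen on the wire
    dc.accounts["alice"] = "new-pw"          # the user changes the password
    proxy.challenge_for("alice")             # next connection asks for a challenge
    return first, proxy.login("alice", captured)  # the same bytes presented again
```

`replay_outcome(CachingProxy)` accepts both logins; `replay_outcome(FreshProxy)` accepts only the first.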
