RE: NTLM authentication, recent logs for Robert Collins

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Fri, 27 Oct 2000 08:40:07 +0200

> On Thu, 26 Oct 2000, Chemolli Francesco (USI) wrote:
>
> > This is the problem. If I am forced to issue new challenges
> > over and over again, the cache will be completely ineffective.
>
> Sorry, this time *I* cannot follow because I've no idea who challenges
> whom in that NTLM business. I was under the impression that
>
> 1. IE opens connection (maybe also sends domain\user, somehow fakeauth
> has to work), squid consults DC for a challenge (possibly already
> mentioning for which user) and passes it to the client.
>
> 2. IE takes user credentials, password and challenge and mangles them
> into a reply.
>
> 3. Squid passes that on to the DC which compares it with its own idea
> and accepts or denies it.

Sort of. Actually it is something like:

1. IE tries to connect without credentials
2. Squid denies it
3. IE tries to connect asking for a challenge nonce, telling nothing
   about itself
4. Squid asks the challenge to the DC, caches it and hands it to IE
5. IE tries to connect passing over the user's domain, username and
   mangled challenge
6. Squid hands the information over to the DC, which accepts or denies
7. From that moment on, that TCP connection (keep-alive is important!)
   is considered authenticated, no further credentials are passed.

> This is how I would do it. Now, for God's sake, I don't work for M$ so
> might be completely wrong.

M$'s scheme is botched in many ways, the main one being that it has
implicit connection-based state. This is why NTLM authentication
cannot and will not work across proxies (maybe unless the entire proxy
architecture is engineered to handle that).

> So I thought, there is no problem at all to send IE the same challenge
> again and again and again and compare the result with ntlm-auth's cache.
> The only reasons not to do that are imho that the user might have changed
> his password or that you don't want to allow someone having snooped the
> communication with squid to log in as that user.

It is no problem really. The only step that differentiates
users is step 5, and if we don't have the credentials in cache,
we'll just ask the DC again. We just need to find a better way
to talk to the DC. If anybody has any friends in the Samba-TNG
team, they could really help us there :-)

> > Just for curiosity I'd like to know how NTLM really works.
> (any pointer?)
> Ok, your idea how NTLM really works ;-)

Frankly, it sucks. All it would take to have it work reasonably
would be to have the client send the unmangled challenge back along
with the credentials in step 5.

-- 
	/kinkie
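
The seven-step exchange above, and the caching trade-off discussed in this message, as an added runnable model. This is not Squid's code nor anything from the thread: the domain controller, the proxy and the client are constructed stand-ins, the messages are plain tuples rather than real NTLM type 1/2/3 blobs, and `mangle()` is an HMAC used in place of the real NTLM response computation. The account name and password are made up.

```python
"""Toy model of the Squid-side NTLM handshake as listed in the seven steps above.
Constructed example: the response 'mangling' is a stand-in HMAC, not real NTLM,
and the DC, proxy and messages are simplified stand-ins."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple


def mangle(password: str, challenge: bytes) -> bytes:
    """Stand-in for the client's challenge/response computation (assumption,
    not the real NTLM algorithm)."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class DomainController:
    """Fake DC: hands out challenges (step 4) and checks responses (step 6)."""

    def __init__(self, accounts: dict):
        self.accounts = dict(accounts)   # "DOMAIN\\user" -> password
        self.round_trips = 0             # how often the proxy had to talk to us

    def new_challenge(self) -> bytes:
        self.round_trips += 1
        return os.urandom(8)

    def verify(self, account: str, challenge: bytes, response: bytes) -> bool:
        self.round_trips += 1
        password = self.accounts.get(account)
        return password is not None and hmac.compare_digest(
            mangle(password, challenge), response)


@dataclass
class Connection:
    """Per-TCP-connection state: NTLM binds the authentication to the socket."""
    challenge: Optional[bytes] = None
    authenticated_as: Optional[str] = None


class SquidNtlm:
    """Proxy side. Messages are tuples standing in for the NTLM blobs:
    None (no credentials), ("NEGOTIATE",) or ("AUTHENTICATE", account, response)."""

    def __init__(self, dc: DomainController):
        self.dc = dc
        self.cached_challenge: Optional[bytes] = None   # step 4 cache, reused for every client
        self.cred_cache = set()   # (account, challenge, response) triples the DC already accepted

    def handle(self, conn: Connection, msg) -> Tuple[int, Optional[bytes]]:
        """Return (HTTP status, challenge to send or None) for one request."""
        if conn.authenticated_as is not None:   # step 7: connection already authenticated
            return 200, None
        if msg is None:                         # steps 1-2: no credentials, deny
            return 407, None
        if msg[0] == "NEGOTIATE":               # steps 3-4: fetch (or reuse) a challenge
            if self.cached_challenge is None:
                self.cached_challenge = self.dc.new_challenge()
            conn.challenge = self.cached_challenge
            return 407, conn.challenge
        if msg[0] == "AUTHENTICATE" and conn.challenge is not None:   # steps 5-6
            _, account, response = msg
            key = (account, conn.challenge, response)
            if key in self.cred_cache or self.dc.verify(account, conn.challenge, response):
                self.cred_cache.add(key)
                conn.authenticated_as = account
                return 200, None
            return 407, None
        return 400, None


def client_login(proxy: SquidNtlm, account: str, password: str) -> Tuple[Connection, int]:
    """Drive steps 1-6 from the client side on a fresh keep-alive connection."""
    conn = Connection()
    proxy.handle(conn, None)                                  # step 1 -> 407
    _, challenge = proxy.handle(conn, ("NEGOTIATE",))         # step 3 -> challenge
    status, _ = proxy.handle(conn, ("AUTHENTICATE", account, mangle(password, challenge)))
    return conn, status


def demo() -> dict:
    dc = DomainController({"CORP\\alice": "s3cret"})   # constructed account
    proxy = SquidNtlm(dc)
    out = {}
    conn, out["first_login"] = client_login(proxy, "CORP\\alice", "s3cret")
    out["dc_calls_after_first"] = dc.round_trips            # one challenge + one verify
    out["same_conn_no_creds"] = proxy.handle(conn, None)[0]  # step 7: still authenticated
    out["new_conn_no_creds"] = proxy.handle(Connection(), None)[0]  # state is per connection
    _, out["second_login"] = client_login(proxy, "CORP\\alice", "s3cret")
    out["dc_calls_after_second"] = dc.round_trips            # served from cred_cache, no DC call
    _, out["bad_password"] = client_login(proxy, "CORP\\alice", "wrong")
    out["dc_calls_after_bad"] = dc.round_trips               # cache miss, DC asked and denies
    dc.accounts["CORP\\alice"] = "changed"                   # the caveat raised above: password change
    _, out["old_password_after_change"] = client_login(proxy, "CORP\\alice", "s3cret")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The cache key contains the challenge, which is why a fresh challenge per connection would make the cache useless, and why the model reuses one challenge. The last two results show the cost of that reuse that the quoted reply points out: a response computed against a stale password keeps validating until the cache entry is dropped, and the same property means a response captured on the wire stays valid for as long as the challenge is reused, so a real deployment needs an expiry on both the challenge and the cached triples.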
Received on Fri Oct 27 2000 - 00:45:09 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:55:59 MST