Re: [squid-users] ntlm for windows and msntauth for linux users

From: Robert Collins <robert.collins@dont-contact.us>
Date: 10 Aug 2001 00:02:46 +1000

On 09 Aug 2001 10:43:07 -0300, Mads Rasmussen wrote:
>
> This new head of squid 2.5 is great!!!
>
> Just by doing this:
>
> auth_param ntlm program /usr/local/squid/libexec/squid/ntlm_auth cit/roma
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param basic program /usr/local/squid/bin/msntauth
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
> and adding auth acls, I get ntlm auth for all windows IE users and msntauth
> for netscape and linux users.
>
> However I still wish it could be combined with digest to make the
> authentication more secure.
> I know now this cannot be done with ntlm, but what about msntauth?

No. msntauth is a 'basic scheme' helper. Digest scheme helpers need
different information to basic scheme helpers.

Here are the differences:
basic - the helper gets given username and password and goes and "tries"
them.
ntlm - the helper connects to NT domain controller to get a "challenge"
which is then given to the user's browser which encrypts it based on the
user's password; this response comes back to squid, and then through the
same helper and out to the domain controller, and finally squid gets
told the username, or ERR if the user couldn't be logged into the domain
controller.
digest - squid asks the helper for the HA1 (the digest of the username
and the challenge realm), and then uses that in the challenge given the
user's browser, and to verify the results - that show whether the user
knows the password or not.

There is _no way_ to use any helper with a different scheme than it was
written for.

> The helper available for digest (I still cannot get a digest auth program
> installed) is password, that I would guess to involve maintaining a password

Is src/auth/digest/helpers/password/digest_pw_auth getting built?

> file for accessing users. That was why I turned to msnt and now ntlm in the
> first place. We have all users using windoze so we might as well authenticate
> them on our PDC.

To do that someone needs to write something that goes on the domain
controller and calculates HA1 for the organisation when the user changes
their password, or alternatively saves a copy of MD5(password) and then
uses that to create the HA1 when squid needs it.

I have no intention of writing such code, but will happily assist on the
squid end should anyone want to write such a thing. That sort of
extension is also needed for things like the LDAP and YP directory
systems before digest with squid will be freed from needing a password
file.

Rob

> But maybe the security cannot be improved before microsoft decides to upper
> its security of its authentication protocols?
>
> Best regards,
>
> Mads
Received on Thu Aug 09 2001 - 08:03:14 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:01:31 MST
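As an added illustration (not code from the thread, from Squid, or from any of its helpers), the Python below shows in working code why a basic helper cannot serve the digest scheme: a basic helper is handed a username and password and answers OK/ERR, while a digest helper is handed a username and realm and must return HA1 = MD5(username:realm:password), which Squid then uses to recompute and check the browser's response itself. The account, password and nonce are constructed sample values.

```python
import hashlib
import hmac

REALM = "Squid proxy-caching web server"   # realm from the quoted auth_param line

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password), the one value a digest helper returns.
    It binds username and realm, so it cannot be derived from the password alone."""
    return md5_hex(f"{username}:{realm}:{password}")

def basic_helper(password_store: dict, username: str, password: str) -> str:
    """Basic scheme helper (the role msntauth plays): given user+password, say OK/ERR."""
    return "OK" if password_store.get(username) == password else "ERR"

def digest_helper(ha1_store: dict, username: str, realm: str) -> str:
    """Digest scheme helper (the role digest_pw_auth plays): given user+realm, return HA1."""
    return ha1_store.get((username, realm), "ERR")

def digest_response(h1, method, uri, nonce, nc, cnonce, qop="auth") -> str:
    """What the browser sends (RFC 2617, qop=auth); the password itself never leaves it."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def squid_verify(ha1_store: dict, hdr: dict) -> bool:
    """Squid's side: get HA1 from the helper, recompute the response, compare."""
    h1 = digest_helper(ha1_store, hdr["username"], hdr["realm"])
    if h1 == "ERR":
        return False
    expected = digest_response(h1, hdr["method"], hdr["uri"], hdr["nonce"],
                               hdr["nc"], hdr["cnonce"], hdr["qop"])
    return hmac.compare_digest(expected, hdr["response"])

def demo() -> dict:
    # Constructed sample account: "s3cret" is not a real credential.
    passwords = {"mads": "s3cret"}                          # what a basic helper checks against
    ha1s = {("mads", REALM): ha1("mads", REALM, "s3cret")}  # what a digest helper must hold
    hdr = {"username": "mads", "realm": REALM, "method": "GET", "uri": "/",
           "nonce": "constructed-nonce", "nc": "00000001", "cnonce": "abc", "qop": "auth"}
    hdr["response"] = digest_response(ha1s[("mads", REALM)], "GET", "/",
                                      hdr["nonce"], hdr["nc"], hdr["cnonce"])
    bad = dict(hdr, response=digest_response(ha1("mads", REALM, "wrong"), "GET", "/",
                                             hdr["nonce"], hdr["nc"], hdr["cnonce"]))
    return {
        "basic_ok": basic_helper(passwords, "mads", "s3cret"),   # basic scheme works
        "digest_ok": squid_verify(ha1s, hdr),                    # correct password verifies
        "digest_bad_pw": squid_verify(ha1s, bad),                # wrong password is rejected
        # With no HA1 source there is nothing to verify against; a basic helper's
        # OK/ERR answer cannot stand in for it.
        "no_ha1_source": squid_verify({}, hdr),
    }
```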