Re: [squid-users] another win2003 ad auth question, but NOT a 'howto' question...

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Sun, 23 Jul 2006 23:22:48 +0200

Sun 2006-07-23 at 12:21 -0300, Tiago Quadra wrote:

> I read that with both NTLM auth, for each request I will have TWO DENIED
> before the authentication processor starts. What is the impact on
> performance comparing to a solution using SASL/Shadow of NCSA?

Somewhat noticeable performance penalty visible to the users.

And there is also a quite noticeable performance penalty on the proxy, as
during this handshake a helper process is reserved for this user, so you
need quite a few ntlm helpers configured.

> I'm also concerned about security, with the clients Windows AD password
> been sent to the proxy server. The NTLM authentication process (with
> negotiation) does need to send the password?

The NTLM authentication exchanges the Microsoft family of hashes, not
plain text.

> I tried to read about it
> but I didn't understand it very well. If it's been send, with tcpdump I
> notice that it's not in clear text, but if so, what is the strength of
> the crypto used? How easy will it be for someone to break it?

With the old SMB based helper shipped with Squid only MS-LANMAN hashes
are supported, which is considered pretty weak, and most passwords can be
reversed with little effort.

With the Samba provided helper NTLMv2 is supported in the right
configuration, which is considered pretty strong.

But it should be noted that NTLM authentication is somewhat vulnerable
to a man-in-the-middle downgrading the authentication support, meaning
that a man-in-the-middle attack can downgrade the authentication
exchange to MS-LANMAN if this is accepted by your domain policy, even if
NTLMv2 would normally be selected. This concern also applies to most
Microsoft protocols / network applications using NTLM authentication.

> Which ntlm_auth will be best concerning performance and security?

The helper from Samba.

The one shipped with Squid is not nearly as good, and should be seen as
a lazy method useful only if joining the domain is not an option.

> What about a KERBEROS/GSSAPI/SSPI helper for squid on Linux?

Squid-2.6 + Samba-4 technology preview release has what you need, but
you will need MSIE 7 to be able to use this in proxy authentication
(MSIE 6 only supports this to web servers, not proxies... nobody outside
Microsoft understands why). Firefox also supports this.

Regards
Henrik
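The two points Henrik makes about cost, that every NTLM handshake produces two 407 (TCP_DENIED) responses before the authenticated request, and that a helper is tied up for the whole handshake so the helper pool must be sized for concurrent handshakes, can be measured from the proxy's own access.log. The script below is an added example, not code from this thread or from the Squid or Samba projects. It assumes Squid's native access.log format (timestamp, elapsed, client, action/status, size, method, URL, user, hierarchy, content-type), and the log lines it parses are constructed sample data. Treating the span from a client's first 407 to its next non-407 response as the time a helper is reserved is a sizing heuristic of this example, not something the thread states.

```python
import re
from collections import defaultdict

# Field layout of Squid's native access.log (assumed format for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Constructed sample log: two clients each complete a three-leg NTLM handshake
# (two TCP_DENIED/407 challenges, then the authenticated request); the second
# client's handshake overlaps the first one, and 10.0.0.5 then reuses its
# already-authenticated connection for a follow-up request.
SAMPLE_LOG = """\
1153684968.100 0 10.0.0.5 TCP_DENIED/407 1890 GET http://www.example.com/ - NONE/- text/html
1153684968.130 0 10.0.0.5 TCP_DENIED/407 1890 GET http://www.example.com/ - NONE/- text/html
1153684968.200 0 10.0.0.9 TCP_DENIED/407 1890 GET http://www.example.org/ - NONE/- text/html
1153684968.350 140 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.com/ DOMAIN\\jdoe DIRECT/192.0.2.10 text/html
1153684968.360 0 10.0.0.9 TCP_DENIED/407 1890 GET http://www.example.org/ - NONE/- text/html
1153684968.500 90 10.0.0.9 TCP_MISS/200 7300 GET http://www.example.org/ DOMAIN\\asmith DIRECT/192.0.2.20 text/html
1153684969.000 30 10.0.0.5 TCP_HIT/200 2048 GET http://www.example.com/logo.png DOMAIN\\jdoe NONE/- image/png
"""


def parse_log(text):
    """Parse native-format access.log lines; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = float(rec["ts"])
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def handshake_stats(records):
    """Per-client count of 407 challenges vs. served responses, plus the share
    of all responses that were handshake legs (the user-visible overhead)."""
    per_client = defaultdict(lambda: {"challenges": 0, "served": 0})
    for r in records:
        key = "challenges" if r["status"] == 407 else "served"
        per_client[r["client"]][key] += 1
    total_407 = sum(v["challenges"] for v in per_client.values())
    total = len(records)
    return {
        "per_client": dict(per_client),
        "challenge_fraction": total_407 / total if total else 0.0,
    }


def handshake_windows(records):
    """(start, end, client) for each handshake: from a client's first 407 until
    its next non-407 response. A handshake that never completes is treated as
    open until the end of the sample (assumption of this example)."""
    windows, open_since = [], {}
    last_ts = records[-1]["ts"] if records else 0.0
    for r in records:
        c = r["client"]
        if r["status"] == 407:
            open_since.setdefault(c, r["ts"])
        elif c in open_since:
            windows.append((open_since.pop(c), r["ts"], c))
    for c, start in open_since.items():
        windows.append((start, last_ts, c))
    return windows


def peak_concurrent_handshakes(records):
    """Maximum number of handshakes in flight at once: a lower bound on the
    number of ntlm helpers that must be configured (auth_param ntlm children)
    if no request is to wait for a free helper."""
    events = []
    for start, end, _ in handshake_windows(records):
        events.append((start, 1))
        events.append((end, -1))
    events.sort()  # at equal timestamps the -1 sorts first, so the helper is freed before reuse
    peak = cur = 0
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)
    return peak


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    stats = handshake_stats(recs)
    print("handshake legs as share of all responses: %.2f" % stats["challenge_fraction"])
    for client, c in sorted(stats["per_client"].items()):
        print("%-10s challenges=%d served=%d" % (client, c["challenges"], c["served"]))
    print("peak concurrent handshakes (min helpers):", peak_concurrent_handshakes(recs))
```

Run against a real access.log, the challenge fraction shows how much of the proxy's response volume is handshake traffic, and the peak concurrency gives a floor for the helper count; a pool smaller than that peak is what produces the stalls Henrik describes, because requests queue until a helper is released.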

Received on Sun Jul 23 2006 - 15:22:53 MDT
