Re: [squid-users] authentication forwarding

From: Benner, Uwe <u.benner@dont-contact.us>
Date: Thu, 21 Sep 2006 17:08:37 +0200

Henrik, thx for the fast response.

Is any other authentication protocol in a position to manage such authentication forwarding?

Basic is not acceptable because the pwd is in plain text.

Uwe

-----Original Message-----
From: Henrik Nordstrom [mailto:henrik@henriknordstrom.net]
Sent: Thursday, 21 September 2006 17:00
To: Benner, Uwe
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] authentication forwarding

Thu 2006-09-21 at 13:00 +0200, Benner, Uwe wrote:

> Proxy A and B have to have NTLM authentication.
> 1st case both Proxies are squid
> 2nd case proxy A = squid proxy B = some appliance

Here is a problem... NTLM cannot be forwarded beyond the proxy which
performed the NTLM handshake. The protocol is explicitly designed to
prevent this. At most, the authenticated username can be forwarded either
as faked Basic authentication with a static password or as a custom
header, but not the NTLM handshake as such.

> 1. Client sends http request for www.xyz.com
> 2. Proxy A denies and sends a request for authentication to the client
> 3. Client sends user/pwd and Proxy A authenticates the user and provides
> OK

Except that there is no password exchange in NTLM, only a cryptographic
one-time hash exchange unique for the authenticating entity.

> Does it work, that proxy B is requesting the authentication from the
> client again?

Only when using basic authentication.

Regards
Henrik
Received on Thu Sep 21 2006 - 09:08:47 MDT
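
The "faked Basic authentication with a static password" option from the reply above, sketched as a squid.conf fragment. This is an added example, not configuration posted in the thread; the helper path, host name, address and password are constructed placeholders.

```conf
# --- Proxy A (Squid): terminates the NTLM handshake with the client ---
# Helper path and options are assumptions; adjust to the local Samba install.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10

acl ntlm_users proxy_auth REQUIRED
http_access allow ntlm_users
http_access deny all

# Send every request through proxy B. login=*:<password> forwards the
# username that proxy A authenticated, paired with a fixed password, as
# Basic credentials to the peer. The NTLM handshake itself stops at A and
# the user's real password never leaves the client.
# proxy-b.example.net and STATIC-PLACEHOLDER are constructed values.
cache_peer proxy-b.example.net parent 3128 0 no-query default login=*:STATIC-PLACEHOLDER
never_direct allow all

# --- Proxy B (only if it is also Squid): separate squid.conf ---
# The forwarded name is only as trustworthy as proxy A. Anyone who can
# reach B and knows the static password could claim any username, so
# accept requests from A's address only (192.0.2.10 is a constructed
# stand-in). B also needs a Basic helper that accepts the static password
# for any username (not shown).
acl from_proxy_a src 192.0.2.10
http_access deny !from_proxy_a
```

The static password travels in clear text between A and B, so it should be treated as a shared marker on a trusted link, not as a secret that authenticates users.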