[squid-users] Questions on research into using digest auth against MS AD2003

From: Richard <squid_at_rain4us.net>
Date: Fri, 31 Oct 2008 13:55:40 -0500

* What specific piece of the puzzle on the client side is it about the
NTLM or Kerberos authentication methods that keeps the authentication
traffic secure by sending only the credential hashes? (Am I correct in
understanding that it is the ntlm_auth program that speaks to the NTLM
client and negotiates for the credential hashes to be exchanged?)

* When squid is configured to use *digest* authentication, I understand
that the traffic between the squid server and the LDAP server is
encrypted. Is the traffic between the browser and the squid server
also encrypted when using Digest? If so, how does the client browser
know to encrypt/hash the communications for the return trip to the server?

  ** Short of loading a program on a client machine, are there any
  proxy servers out there that can prompt for credentials while keeping
  secure the communication between the workstation and the proxy server?
  ** What is it that has to happen to ensure that the authentication
  traffic from any browser to any proxy server is encrypted?

* Considering the fact that I'm trying to use digest_ldap_auth against
an MS LDAP/AD 2003 server that should be storing several precomputed
digest hash versions of H(username:realm:password) that permit these
hashes to be authenticated without requiring reversible encryption to be
enabled on the account. (See the TechNet article at:
http://preview.tinyurl.com/5bxacn)

A) Is it even possible to use digest_ldap_auth to do digest authentication
against an Active Directory 2003 LDAP database server?

B) What would be a working example command line of a successful
digest_ldap_auth test against an AD 2003 server? (In my attempts, I have
been unable to identify the proper LDAP (-A) attribute containing the
digest hash to use in a lookup. I *THINK* this is because MS AD2003
expects the digest hash request to come via a SASL mechanism... which
begs the question... is there a SASL mechanism that works with
squid+AD2003?)

* What would help me identify the necessary pieces of the puzzle so that
I could configure such a successful lookup?

For what it's worth, and/or if you have any questions about how or why
I'm doing things, I'm keeping all my notes about this project on one of
my wiki pages (http://preview.tinyurl.com/6fgyf8); maybe it will help
others.

-- 
Richard
Received on Fri Oct 31 2008 - 18:55:56 MDT
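The post asks how a browser knows to hash the credential on the way back to the proxy, and notes that the directory stores precomputed H(username:realm:password) values. Both points are mechanics of RFC 2617 Digest access authentication, so here is a small worked model of the exchange. This is an added example written for this archive page; it is not code from the poster, from Squid's digest_ldap_auth helper, or from any Microsoft component. The realm, nonce, cnonce, username and password are the constructed values from RFC 2617's own worked example (chosen so the result can be checked against a published vector), the single-use nonce bookkeeping is a simplification, and the in-memory `ha1_store` stands in for whatever directory holds the precomputed hash.

```python
import hashlib
import secrets
from typing import Dict, Optional


def _md5(s: str) -> str:
    # RFC 2617 Digest (algorithm=MD5) hashes the colon-joined fields as bytes.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    # H(username:realm:password). A verifier needs only this value, never the
    # cleartext password, which is why a directory can store it precomputed.
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1: str, nonce: str, nc: str, cnonce: str, qop: str,
                    method: str, uri: str) -> str:
    # qop=auth form: KD(HA1, nonce:nc:cnonce:qop:HA2) with HA2 = H(method:uri).
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorize(username: str, password: str, challenge: Dict[str, str],
                     method: str, uri: str, cnonce: Optional[str] = None,
                     nc: str = "00000001") -> Dict[str, str]:
    """Browser side: turn a 407 Proxy-Authenticate challenge into the
    Proxy-Authorization fields. The browser learns it must hash (rather than
    send the password) purely from the challenge's realm/nonce/qop fields;
    the password itself is used only locally."""
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = compute_ha1(username, challenge["realm"], password)
    return {
        "username": username,
        "realm": challenge["realm"],
        "nonce": challenge["nonce"],
        "uri": uri,
        "qop": challenge["qop"],
        "nc": nc,
        "cnonce": cnonce,
        "response": digest_response(ha1, challenge["nonce"], nc, cnonce,
                                    challenge["qop"], method, uri),
    }


class DigestVerifier:
    """Proxy side. ha1_store maps username -> HA1 and is the only secret held;
    it models a directory that keeps precomputed digest hashes (assumption:
    an in-memory dict, not a real LDAP lookup)."""

    def __init__(self, realm: str, ha1_store: Dict[str, str]):
        self.realm = realm
        self.ha1_store = ha1_store
        self.outstanding = set()  # nonces issued and not yet consumed

    def challenge(self, nonce: Optional[str] = None) -> Dict[str, str]:
        # Fields sent in the 407 response; a fixed nonce is accepted only so
        # the exchange can be reproduced against the RFC test vector.
        nonce = nonce or secrets.token_hex(16)
        self.outstanding.add(nonce)
        return {"realm": self.realm, "qop": "auth", "nonce": nonce}

    def verify(self, auth: Dict[str, str], method: str) -> bool:
        if auth.get("realm") != self.realm or auth.get("qop") != "auth":
            return False
        nonce = auth.get("nonce")
        if nonce not in self.outstanding:
            return False  # unknown or already-consumed nonce: treat as replay
        # Simplification: one request per nonce. A real server tracks the nc
        # counter so a nonce can be reused with increasing nc values.
        self.outstanding.discard(nonce)
        ha1 = self.ha1_store.get(auth.get("username", ""))
        if ha1 is None:
            return False
        expected = digest_response(ha1, nonce, auth["nc"], auth["cnonce"],
                                   "auth", method, auth["uri"])
        return secrets.compare_digest(expected, auth["response"])


def demo() -> Dict[str, bool]:
    """Run one good exchange, one replay and one wrong password."""
    realm = "testrealm@host.com"
    store = {"Mufasa": compute_ha1("Mufasa", realm, "Circle Of Life")}
    proxy = DigestVerifier(realm, store)
    ch = proxy.challenge(nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093")
    good = client_authorize("Mufasa", "Circle Of Life", ch, "GET",
                            "/dir/index.html", cnonce="0a4f113b")
    first = proxy.verify(good, "GET")
    replay = proxy.verify(good, "GET")
    bad = client_authorize("Mufasa", "not the password", proxy.challenge(),
                           "GET", "/dir/index.html")
    return {"accepted": first, "replay_rejected": not replay,
            "wrong_password_rejected": not proxy.verify(bad, "GET")}


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing when running it: the only per-user secret the proxy touches is HA1, so a helper that can fetch that precomputed value from a directory has everything it needs to verify a response, and nothing on the wire is reversible to the password. What Digest does not give you is confidentiality of the request itself or protection from an active attacker on the path; that still needs TLS between browser and proxy.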
