RE: Micro$oft Authentication

From: Armistead, Jason <ARMISTEJ@dont-contact.us>
Date: Sun, 19 Apr 1998 23:35:00 -0400

From: Jason Haar[SMTP:Jason.Haar@trimble.co.nz]
Sent: Monday, 20 April 1998 12:22
Subject: Re: Micro$oft Authentication

>> I believe if you use an OS with PAM capabilities (Linux or Solaris), you
>> can use a PAM module which will authenticate off an NT server. I've seen

>Won't do I'm afraid. Web-based NTLM authentication means "transparent"
>authentication (under IE 3.0+). When IE sees that it's been asked to do NTLM
>authentication, it sends its cached usercode/password pair (suitably encrypted
>- this is no BASIC scheme!) without even mentioning it to the user. It can do
>this as the user authenticated themselves on the NT domain when they logged
>into their workstation - this cached information is available from then on.

It's kind of a problem if you want to use some other credentials apart from
the ones that NT has on offer e.g. with a shared PC that gets logged in as
some "dumb" user account. Since the user has no control, NTLM just fires
off when it has to and that's that. Thanks again Microsoft ....

>I've gone as far as getting the squid proxy-auth patch to call the likes of
>smbclient (works well - as it caches too), but it still only supports BASIC
>authentication - i.e. passwords in the clear/etc.

So, you mean that you can send a BASIC encoded username/password to the
Squid server, which then verifies that password using smbclient against an
NT server with its SAM security database ? Please correct me if my
understanding is wrong. Some extra details here would be great (as would
some rough latency figures on how long it takes to do this extra
cross-machine Squid -> NT access check).

>I'd love to see a "true" NTLM patch for Apache/Squid - but the encryption
>coding required probably puts most people off...

The problem with NTLM (also called NT challenge-response) is that it also
requires, somehow (or so I have heard), the IP address of the client to be
involved in the encrypt / decrypt. This may prevent spoofing of
the credentials by just listening to the conversation. So, once a proxy
(even MS-Proxy) is put in the middle, NTLM authentication doesn't work
because the NT server now sees the proxy and not the actual client as making
the network connection. Hence, it all falls down. At this stage, even
Microsoft don't have any answer to the problem. It's all a part of their
original non-Internet-centric design philosophy for NT. Now, the Internet
comes along and Microsoft are still playing catch-up. I expect NTLM-98 to
be out some time !!! hahahaha !!!

Still, a proxy authorisation scheme which makes use of the NT / LAN Manager
username and password, then looks at the user's GROUP membership to decide
what ACL-based access to grant may be useful indeed. It would be a "single
sign on" situation with some easy ACL group membership too.

Jason (no - I'm not talking to myself), will you be making your code
available to the Squid group once it's done ? I'm sure some of us would use
it, or like to offer a hand to test / debug / develop it with you.

Cheers

Jason Armistead
Minto, NSW, Australia
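The BASIC-over-Squid flow discussed above, as an added example (not code from either poster or from the Squid patch): the proxy receives a `Proxy-Authorization: Basic` header, recovers the username/password by plain base64 decoding (which is why the post calls them "in the clear"), and hands them to a Squid-style basic-auth helper that answers OK or ERR. The smbclient/NT SAM lookup is replaced by a constructed in-memory account table, and the helper line format "user password" is a simplification of Squid's real helper protocol; both are assumptions.

```python
import base64
import binascii
from typing import Optional, Tuple

# Constructed stand-in for the NT SAM check the post describes (the real patch
# shells out to smbclient). Assumption: a plain user -> password table.
FAKE_NT_ACCOUNTS = {"jhaar": "s3cret", "shared-pc": "guest:pass"}


def parse_basic_header(header_value: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from a 'Basic <base64>' credential.

    Basic auth is encoding, not encryption: anyone who can read the header
    on the wire reads the password. Returns None for a malformed header.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None
    # The user-id cannot contain ':', so split on the first colon only;
    # everything after it (including further colons) is the password.
    user, sep, password = raw.partition(":")
    if not sep or not user:
        return None
    return user, password


def squid_helper_check(line: str) -> str:
    """Squid basic-auth helper style: one 'user password' line in, OK/ERR out."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    user, password = parts
    return "OK" if FAKE_NT_ACCOUNTS.get(user) == password else "ERR"


def authorize(header_value: str) -> str:
    """What the proxy does per request: decode the header, then ask the helper."""
    creds = parse_basic_header(header_value)
    if creds is None:
        return "ERR"
    return squid_helper_check(f"{creds[0]} {creds[1]}")
```

Because every request carries the reusable password rather than a one-off challenge response, this scheme is only as safe as the link between browser and proxy.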

Received on Sun Apr 19 1998 - 21:24:04 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:39:46 MST