>
> Hi there
>
> We are facing a problem with squid/fakeauth_auth helper, after change in
> NTLM parameters of our stations(Require Message Integrity, Message
> Confidentiality, NTLMv2 Session Security, 128-bit Encryption).
>
> I made some tests and realized that NTLMSSP Flags returned in
> NTLMSSP_CHALLENGE to station is wrong:
>
>
> 1 - Success Authentication (ntlm_auth)
>
> 1 - HTTP/1.0 407 Proxy Authentication Required (text/html)
>
>
> 2 - GET http:/// HTTP/1.1 , NTLMSSP_NEGOTIATE
> -Proxy-Authorization: NTLM
> Taldjfpoa\sdfalsdmflasdflafajsdfjajasldjJAJA\r\n - EXAMPLE
> - NTLMSSP
> NTLMSSP identifier: NTLMSSP
> NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
> -Flags: 0xa208b207 - estation send this flag
>
>
> 3 - HTTP/1.0 407 Proxy Authentication Required , NTLMSSP_CHALLENGE
> (text/html)
> Proxy-Authenticate: NTLM
> TaljdflasjdfljasdlfjoqAJDFJQOWEURPOQWEURPQWEJKROQWEUFÇLAJSLFJASDLFJKQWEO........................
> NTLMSSP
> NTLMSSP identifier: NTLMSSP
> NTLM Message Type: NTLMSSP_CHALLENGE (0x00000002)
> .....
> Flags: 0xa2898205 - estation receive these flag from squid.
>
> 4 - HTTP/1.1 , NTLMSSP_AUTH, User: Domain\User
>
>
>
> 2 - Unssucess Authentication (fakeauth_auth)
>
> 1 - HTTP/1.0 407 Proxy Authentication Required (text/html)
>
>
> 2 - GET http:/// HTTP/1.1 , NTLMSSP_NEGOTIATE
> -Proxy-Authorization: NTLM
> Taldjfpoa\sdfalsdmflasdflafajsdfjajasldjJAJA\r\n - EXAMPLE
> - NTLMSSP
> NTLMSSP identifier: NTLMSSP
> NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
> -Flags: 0xa208b207 - estation send this flag
>
>
> 3 - HTTP/1.0 407 Proxy Authentication Required , NTLMSSP_CHALLENGE
> (text/html)
> Proxy-Authenticate: NTLM
> TaljdflasjdfljasdlfjoqAJDFJQOWEURPOQWEURPQWEJKROQWEUFÇLAJSLFJASDLFJKQWEO........................
> NTLMSSP
> NTLMSSP identifier: NTLMSSP
> NTLM Message Type: NTLMSSP_CHALLENGE (0x00000002)
> .....
> Flags: 0x00018205 - estation receive this flag from
> squid/fakeauth_auth.
>
>
> 4 - Authetication Failed
>
>
>
>
> As a test, I forced NTLMSSP_CHALLENGE FLAGS to be equal
> NTLMSSP_NEGOTIATE(0xa208b207) then it worked fine.
>
> fakeauth_auth.c
>
> void ntlmMakeChallenge(struct ntlm_challenge *chal, int32_t flags)
> {
> static unsigned hash;
> int r;
> char *d;
> int i;
>
> debug("ntlmMakeChallenge: flg %08x\n", flags);
>
> memset(chal, 0, sizeof(*chal));
> memcpy(chal->hdr.signature, "NTLMSSP", 8);
> chal->flags = htole32(CHALLENGE_TARGET_IS_DOMAIN |
> NEGOTIATE_ALWAYS_SIGN |
> NEGOTIATE_USE_NTLM |
> NEGOTIATE_REQUEST_TARGET |
> (NEGOTIATE_UNICODE & flags ? NEGOTIATE_UNICODE : NEGOTIATE_ASCII)
> );
> // Testing purpose
> chal->flags = flags;
>
> chal->hdr.type = htole32(NTLM_CHALLENGE);
> chal->unknown[6] = htole16(0x003a);
>
> d = (char *) chal + 48;
> i = 0;
>
> if (authenticate_ntlm_domain != NULL)
> while (authenticate_ntlm_domain[i++]);
>
>
> chal->target.offset = htole32(48);
> chal->target.maxlen = htole16(i);
> chal->target.len = chal->target.maxlen;
>
> r = (int) rand();
> r = (hash ^ r) + r;
>
> for (i = 0; i < 8; i++) {
> chal->challenge[i] = r;
> r = (r>> 2) ^ r;
> }
>
> hash = r;
> }
>
>
> any idea?
First idea is that you should be sending code issues to squid-dev where we
who fix the code hang out.
Secondly, what exactly did you change to make it work? diff patch is
required please along with the info as to what version of squid it is made
from.
Thirdly, note that NTLMv2 is not really NTLM any more. The fakeauth helper
needs to handle both these days. Either with command line switches to
configure the auth type in use or automatic sensing.
see http://en.wikipedia.org/wiki/NTLM for some details of the differences.
If we can make this helper cope without losing the old protocol I will
commit for you.
Thanks
Amos
Received on Mon Apr 27 2009 - 01:41:37 MDT
This archive was generated by hypermail 2.2.0 : Tue Apr 28 2009 - 12:00:02 MDT