On Tue, 14 Sep 2010 08:25:02 -0500, Terry <td3201_at_gmail.com> wrote:
> On Tue, Sep 14, 2010 at 1:52 AM, Isaac NickAein <nickaein.i_at_gmail.com>
> wrote:
>> How about Digest authentication?
>>
>> Does digest is as weak as NTLM?
Digest has security-level extensions that can be dialed from "session"
equivalent to a slightly safer Basic auth, all the way up to the latest
brand new encryption nobody has heard of yet.
I mention Kerberos as its a polished up replacement for NTLM and within
the NTLM admins confort zone.
>>
>> and another question:
>>
>> Is it possible to use Kerberos (actually Negotiate) protocol for squid
>> user authentication in a network without any Active Directory or
>> Domain?
Credentials to where? Someone called foo sends you a key "fob". With what
reason do you trust them?
In theory yes. Reality? not sure. It is possible to use Kerberos on a
ZeroConf network provided the machines all know each others keys before
connecting.
The old NTLM domain-less helper was a domain server in its own right,
which Squid was running and therefore could trust. Remember that horrible
double-407 handshake in you access.logs? the first 407 was Squid fooling
the client into trusting it as they would a Domain server.
>>
>> On 9/14/10, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>> On Mon, 13 Sep 2010 11:28:13 -0500, Terry <td3201_at_gmail.com> wrote:
>>>> I have a working NTLM implementation in place and it works great from
>>>> yum and wget for example. However, when I try to use squid from IE8,
>>>> it prompts for password and I never see the credentials hit squid,
>>>> just this for example:
>>>> 1284395121.846 0 10.8.1.100 TCP_DENIED/407 1798 GET
>>>> http://google.com/ - NONE/- text/html
>>>>
>>>> I have added google.com to IE's local intranet zone and gave that
zone
>>>> low priority so I am not sure where the problem lies. Here's my
>>>> configuration:
>>>>
>>>> auth_param ntlm program /usr/bin/ntlm_auth
>>>> --helper-protocol=squid-2.5-ntlmssp
>>>> --require-membership-of="DOM\\proxyusers"
>>>> auth_param ntlm children 5
>>>> auth_param basic program /usr/bin/ntlm_auth
>>>> --helper-protocol=squid-2.5-basic
>>>> --require-membership-of="DOM\\proxyusers"
>>>> auth_param basic children 5
>>>> auth_param basic realm Squid proxy-caching web server
>>>> auth_param basic credentialsttl 5 hours
>>>>
>>>> acl NTLMUsers proxy_auth REQUIRED
>>>> http_access allow all NTLMUsers
>>>>
>>>> I can test fine from the squid server:
>>>> [root_at_proxy01a squid]# ntlm_auth --helper-protocol=squid-2.5-basic
>>>> DOM\jmama password
>>>> OK
>>>>
>>>> What am I missing?
>>>
>>> The fact that NTLM has been obsolete for 8 years now? It's encryption
>>> schemes were demonstrated to be decrypted in under 15 minutes with a
>>> standard consumer desktop as of a year or so ago.
>>> Microsoft have declared is deprecated in favor of Kerberos back in the
>>> early stages of Vista and all their newer software attempts to do
>>> Kerberos
>>> instead. IE8 and Windows 7 are known to have NTLM fully disabled by
>>> default, with some hoop-jumping needed to open up those hole again.
>>>
>>> *Please* look at upgrading your network to Negotiate/Kerberos. It's
much
>>> more secure, faster and very much less resource hungry than NTLM.
>>>
>>> Amos
>>>
>>
>
> Clearly I'm not up to par on my authentication technologies. If it's
> that old, why is it still an example on the website? I'll check into
> Kerberos as I use that in other areas for linux/windows
> authentication.
Because IE6 and WinXP servers are dying off so slowly and some people
still need it.
Amos
Received on Wed Sep 15 2010 - 02:43:22 MDT
This archive was generated by hypermail 2.2.0 : Wed Sep 15 2010 - 12:00:03 MDT