Re: Windows NTLM authenticator

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 8 Sep 2003 11:39:34 +0200

On Monday 08 September 2003 10.28, Serassio Guido wrote:

> The helper currently doesn't allow the reuse of a challenge with a
> sort of two-state architecture:

A challenge should only be reused if using synthetic challenges and
the current client disconnects before sending the authenticate
packet.

When not using synthetic challenges the situation gets messier as then
the challenge packet depends on the negotiate packet and it becomes
almost impossible to reuse the challenge safely.

Any other reuses of a challenge (i.e. two or more KK for the same TT)
is bending the NTLMSSP protocol and is very likely to fail with any
decent NTLMSSP implementation.

Stupid NTLMSSP implementations such as our old helpers may accept
multiple KK for the same challenge, but you can't rely on this for
real NTLMSSP implementations as the NTLMSSP does not expect a second
AUTHENTICATE packet.

Now, I am not entirely sure how Windows NTLMSSP acts on failed
authentication, i.e. if it directly returns a new challenge or if an
error is returned.

> if a KK is got with an already used challenge, a BH is generated.

Good. It should.

> It seems that in Squid there is a problem:
> I'm using auth_param ntlm max_challenge_reuses 0, but sometimes I
> get a KK without a YR, the helper sends a BH to squid and Internet
> Explorer pops up for authentication.

Anything in cache.log?

I think there is code to force challenge reuse if running low on
helpers.

Regards
Henrik
Received on Mon Sep 08 2003 - 03:39:44 MDT
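The two-state challenge handling discussed above, as an added illustration that is not Squid's own helper code: a toy helper that answers the YR/TT/KK verbs from the thread, reuses a challenge only when it is synthetic, still unconsumed (the previous client went away before sending KK) and within a max_challenge_reuses budget, and answers BH to any KK for a challenge that has already been used or that was never issued. The AF/NA result verbs are assumed to match the Squid helper protocol; the credential store, the SHA-256 stand-in for the NTLM response, and the `toy_response` client helper are constructed for this example and are not how real NTLMSSP computes a type-3 message.

```python
import base64
import hashlib
import hmac
import os

# Constructed credential store for the toy; a real helper asks the domain controller.
USERS = {"guido": b"s3cret"}


def toy_response(challenge: bytes, user: str, password: bytes) -> str:
    """Stand-in for the client's AUTHENTICATE (type-3) payload sent as 'KK <payload>'.
    Constructed format: base64("user:" + hex(sha256(challenge || password)))."""
    digest = hashlib.sha256(challenge + password).hexdigest()
    return base64.b64encode(f"{user}:{digest}".encode()).decode()


def decode_challenge(tt_line: str) -> bytes:
    """Recover the raw challenge bytes from a 'TT <base64>' helper reply."""
    return base64.b64decode(tt_line.split(" ", 1)[1])


class NtlmHelperState:
    """Two-state challenge tracker: a challenge is either outstanding (sent in a
    TT, no KK seen yet) or used (exactly one KK consumed it). A second KK for the
    same challenge gets BH, because a real NTLMSSP peer does not expect a second
    AUTHENTICATE for one CHALLENGE."""

    def __init__(self, synthetic_challenges: bool = True, max_challenge_reuses: int = 0):
        self.synthetic = synthetic_challenges
        self.max_reuses = max_challenge_reuses  # models auth_param ntlm max_challenge_reuses
        self.challenge = None
        self.used = False
        self.reuses = 0

    def _fresh_challenge(self) -> None:
        # A synthetic challenge is just 8 random bytes; a non-synthetic one would
        # come from the DC and depend on the negotiate packet, so it is never reused.
        self.challenge = os.urandom(8)
        self.used = False
        self.reuses = 0

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        if verb == "YR":
            # A YR while a challenge is outstanding means the previous client
            # disconnected before sending KK. Reuse is only safe when the challenge
            # is synthetic, unconsumed, and the reuse budget is not exhausted.
            can_reuse = (self.synthetic and self.challenge is not None
                         and not self.used and self.reuses < self.max_reuses)
            if can_reuse:
                self.reuses += 1
            else:
                self._fresh_challenge()
            return "TT " + base64.b64encode(self.challenge).decode()
        if verb == "KK":
            if self.challenge is None:
                return "BH KK received without a preceding YR/TT"
            if self.used:
                return "BH challenge already consumed; NTLMSSP expects one AUTHENTICATE per challenge"
            self.used = True  # consume the challenge whatever the verification outcome
            return self._verify(arg)
        return f"BH unknown helper command {verb!r}"

    def _verify(self, payload: str) -> str:
        try:
            user, _, digest = base64.b64decode(payload).decode().partition(":")
        except Exception:
            return "NA malformed authenticate packet"
        password = USERS.get(user)
        if password is None:
            return "NA unknown user"
        expected = hashlib.sha256(self.challenge + password).hexdigest()
        if hmac.compare_digest(expected, digest):
            return f"AF {user}"
        return "NA bad response"


if __name__ == "__main__":
    helper = NtlmHelperState(synthetic_challenges=True, max_challenge_reuses=0)
    tt = helper.handle("YR")
    kk = "KK " + toy_response(decode_challenge(tt), "guido", b"s3cret")
    print(helper.handle(kk))   # AF guido
    print(helper.handle(kk))   # BH ... (second KK for the same challenge)
```

With max_challenge_reuses left at 0 the toy behaves as Guido describes: a KK that arrives for an already consumed challenge, or with no challenge outstanding at all, is answered with BH rather than being verified, and only a fresh YR produces a new TT.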

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:20:40 MST