RE: [squid-users] Re: ntlm won't prompt

From: Robert Collins <robertc@dont-contact.us>
Date: 11 Jul 2003 22:44:45 +1000

On Fri, 2003-07-11 at 22:26, Adam Aube wrote:

> Yes, NTLM is horribly broken - just like almost everything developed by
> Microsoft. The only reason I recommend it is because of the single sign
> on capability it offers, that both basic and digest do not offer.

SSO is -not- a property of NTLM. It's a property of the OS and the
browser. It's fully possible to do SSO with basic (bad because of
password leak issues) and Digest (quite easy, using MD5-sess).

> > The exact same thing (automatic single sign on, without risking the
> > users private password) is fully possible to do with Digest MD5-sess
> > authentication, and I wish browser and OS vendors would see the light
> > and do so.
>
> You're right - the integration shouldn't be too difficult either. There
> would have to be some standard for the realm string (DNS domain name would
> be a good pick), and the OS would have to store MD5(username:realm:password)
> in its password database.

The realm is specific to the proxy configuration - but within an
enterprise it can be set yes. In fact Kerberos realms might be a good
one to choose, if an organisation already has kerberos deployed.
As far as what's stored, there are several options, but the key though is
for the browser to be able to request a ticket:
HHA1 = GetTicketForProxy(ProxyNonce, BrowserNonce);

which would return a one-time ticket, unable to be used for attacking
the password.

> It's just an issue of getting the vendors to support it - the OS vendors
> would have to support it first. AFAIK, even Linux doesn't support it.

It's not even an OS issue. It's pretty straightforward: Pick a
directory service. Extend it with a call like the above, synchronised
with password changes. Then, add some glue to mozilla to use that call
in preference to prompting the user.

Voila.

If someone hacks up such a solution, open source (and works to get it
accepted by the maintainers of the relevant packages), I will contribute
md5-sess support to squid.

> What about wrapping basic auth in SSL?

This is also possible; squid supports this, but no browsers do. Also, as
the browser would get the password, it /does/ lead to password
compromise risks that the digest approach doesn't.

Rob

-- 
GPG key available at: <http://members.aardvark.net.au/lifeless/keys.txt>.
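The MD5-sess flow Rob sketches above (directory stores MD5(username:realm:password), browser asks for a nonce-bound ticket and never sees the password), written out as an added Python example that is not part of this thread or of squid. It follows RFC 2617's H(A1)/H(A2) definitions; the function names, the realm and the nonces are constructed for illustration.

```python
import hashlib
import hmac

def h(*parts):
    # RFC 2617 H(): MD5 over the colon-joined fields, lowercase hex
    return hashlib.md5(":".join(parts).encode()).hexdigest()

# Directory / OS side (hypothetical). Stored once at password-change time;
# the plaintext password is never needed again.
def enrol(username, realm, password):
    return h(username, realm, password)            # H(A1) for algorithm=MD5

# The GetTicketForProxy(ProxyNonce, BrowserNonce) call from the mail:
# with algorithm=MD5-sess the effective A1 is MD5(H(A1):nonce:cnonce).
# The value is bound to this one nonce pair and reveals neither H(A1)
# nor the password, so handing it to the browser is safe.
def get_ticket_for_proxy(stored_ha1, proxy_nonce, browser_nonce):
    return h(stored_ha1, proxy_nonce, browser_nonce)

# Browser side: holds only the ticket, never the password or H(A1)
def browser_response(ticket, method, uri, nonce, nc, cnonce, qop="auth"):
    ha2 = h(method, uri)
    return h(ticket, nonce, nc, cnonce, qop, ha2)

# Proxy side: has H(A1) in its own user database and recomputes the
# session value from the same nonces, so the directory and the proxy
# need to share nothing beyond what the directory already stores.
def proxy_verify(proxy_ha1, response, method, uri, nonce, nc, cnonce, qop="auth"):
    expected = browser_response(h(proxy_ha1, nonce, cnonce),
                                method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, response)

def sso_exchange(username, realm, password, proxy_nonce, browser_nonce,
                 uri="http://proxy.example.invalid/"):
    """One SSO round with constructed nonces; returns (proxy_accepts, ticket)."""
    stored = enrol(username, realm, password)                 # directory record
    ticket = get_ticket_for_proxy(stored, proxy_nonce, browser_nonce)
    resp = browser_response(ticket, "GET", uri, proxy_nonce, "00000001", browser_nonce)
    ok = proxy_verify(stored, resp, "GET", uri, proxy_nonce, "00000001", browser_nonce)
    return ok, ticket

if __name__ == "__main__":
    accepted, ticket = sso_exchange("alice", "EXAMPLE.ORG", "s3cret", "n1", "c1")
    print("proxy accepted:", accepted, "ticket:", ticket)
```

Because the ticket is keyed to the proxy nonce, a copy of it is useless against the next challenge, which is the one-time property Rob describes.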

Received on Fri Jul 11 2003 - 06:44:53 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:17:56 MST