RE: [squid-users] Re: ntlm won't prompt

From: Robert Collins <robertc@dont-contact.us>
Date: 12 Jul 2003 08:29:03 +1000

On Sat, 2003-07-12 at 00:51, Henrik Nordstrom wrote:
> Fri 2003-07-11 at 15.08, Robert Collins wrote:
>
> > We support nonces, but not client nonces. md5-sess requires client nonce
> > support.
>
> Err.. Squid supports client nonces, it is just not capable of triggering
> md5-sess HHA1 calculation, and lacks a helper interface for md5-sess HA1
> exchanges.

I don't recall coding it up. Let me check... no.
No - we don't provide full cnonce support. We don't support response
auth, nor response auth-integrity. We do put a client nonce into the
HHA1 calculation where appropriate, and Squid can create an md5-sess HHA1
although the code is disabled - as you note we don't have a helper
interface for it. (It's a relatively small patch to enable that though).

> > NT Provides Digest for IIS, but under some constraints:
> > * You MUST have an AD Domain
> > * You MUST turn on 'store passwords with reversible encryption' in the
> > AD policies.
>
> Rumor is that the IIS must also be a domain controller, but I have not
> seen this verified.

IIS doesn't have to be a DC IIRC. I had this setup in a test bed some
time ago.

..
> Correct, except that the nonce creation should be done by the
> OS/Directory for secure MD5-sess exchanges as outlined in my previous
> message. If not the system is vulnerable to cryptographic attacks on the
> MD5-sess exchange. If the OS/Directory can establish full trust on the
> application/server then nonce creation may be left to the
> application/server, but I see no valid reason to do this.

Uhm, yeah. Chosen nonces would at worst, assuming no sanity checks on
nonce length by the directory, expose MD5(user:realm:password). Having
the client choose the nonce could be useful (say if the client wanted to
use a constant cnonce for memory efficiency - not a compelling reason
though:}), but there is a risk as you say.

Rob

-- 
GPG key available at: <http://members.aardvark.net.au/lifeless/keys.txt>.

Received on Fri Jul 11 2003 - 16:29:13 MDT
