Re: [squid-users] Squid 3 STABLE 20 & max_challenge_

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 05 Oct 2010 23:08:38 +0000

On Tue, 5 Oct 2010 18:24:44 +0100, Nick Cairncross
<Nick.Cairncross_at_condenast.co.uk> wrote:
> Hi list,
>
> Just checking, but the parameters: 'max_challenge_reuses' and
> 'max_challenge_lifetime' can't be used in 3 Stable 20 and there is no
> equivalent/new directive? I wanted to allow my authenticated users'
> sessions to be re-used for a certain length of time and amount to trim
> down on repeated authentications.
>
> When added and reconfigured I get:
> 2010/10/05 18:06:50| AuthNTLMConfig::parse: unrecognised ntlm auth
> scheme parameter 'max_challenge_reuses'
> 2010/10/05 18:06:50| AuthNTLMConfig::parse: unrecognised ntlm auth
> scheme parameter 'max_challenge_lifetime'
>
> I appreciate the replay threat but I need to find a balance..
> Thanks,
> Nick

The squid challenge-reuse feature was a workaround which unfortunately
enabled credential replay attacks on your clients. This problem has been
fixed upstream by MS along with several other security vulnerabilities and
the result is called "Kerberos".

The proper "session" equivalent in both NTLM and Negotiate/Kerberos is the
lifetime of the TCP link, which depends quite a bit on real HTTP/1.1
support to maintain persistence. We have done a *lot* of work on improving
this lifetime since 2.7. I recommend you try an upgrade to the latest
Squid-3.1 with negotiate protocol configured.

Amos
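For readers following the thread, the squid.conf fragments below are an added illustration, not configuration posted by either participant or shipped by the Squid project. The first block is the old-style NTLM stanza whose two challenge-reuse directives the Squid-3 parser rejects in the log above; the second is the Negotiate/Kerberos stanza Amos is recommending, where the "session" is the persistent TCP connection rather than a cached challenge. The helper path, the service principal HTTP/proxy.example.com@EXAMPLE.COM, the keytab path and the child counts are assumed placeholders; substitute your own.

```conf
# --- 1. Old NTLM stanza (Squid 2.x style). Do NOT use: the two
# max_challenge_* lines are exactly what Squid 3 Stable 20 reports as
# "unrecognised ntlm auth scheme parameter". Reusing an NTLM challenge
# across clients/time is what allowed credential replay.
#auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param ntlm children 5
#auth_param ntlm max_challenge_reuses 0        # rejected by Squid 3
#auth_param ntlm max_challenge_lifetime 2 minutes   # rejected by Squid 3

# --- 2. Negotiate (Kerberos) stanza for Squid 3.1 (paths/SPN are assumptions).
# The helper validates the client's Kerberos ticket against the proxy's own
# service key, so there is no challenge to cache or replay. The keytab holding
# HTTP/proxy.example.com@EXAMPLE.COM must be readable by the squid user and
# is normally passed via KRB5_KTNAME in the init script, e.g.
#   export KRB5_KTNAME=/etc/squid3/PROXY.keytab
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 20
# Keep the client connection open between the handshake round-trips; this is
# the "session" Amos refers to, so do not turn it off.
auth_param negotiate keep_alive on

# Persistent connections are the real replacement for challenge reuse: an
# authenticated TCP link stays authenticated for its lifetime. Both are on by
# default in 3.1; they are listed here so nobody disables them "for safety".
client_persistent_connections on
server_persistent_connections on

# Require proxy authentication for everything.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```

After `squid -k parse` accepts the file, confirm the behaviour rather than assuming it: a browser that supports Negotiate should send one `Proxy-Authorization: Negotiate ...` header per connection and then reuse that connection for subsequent requests. If you still see a 407 on every request, the client is not keeping the connection alive (or something in between is forcing `Connection: close`), and that, not a challenge-cache knob, is where the "repeated authentications" come from. NTLM fallback, if you must keep it for non-domain clients, should be a separate `auth_param ntlm` block listed after the negotiate one, without any challenge-reuse settings.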
Received on Tue Oct 05 2010 - 23:08:41 MDT

This archive was generated by hypermail 2.2.0 : Wed Oct 06 2010 - 12:00:02 MDT