Re: [squid-users] Re: ntlm won't prompt

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 11 Jul 2003 10:46:39 +0200

On Friday 11 July 2003 05.18, Adam Aube wrote:

> Furthermore, since knowledge of the clear text password is needed
> to verify the digest sent, the password would need to be stored
> either in clear text or reversible encryption - unless I completely
> misunderstand how digest auth works (which is also quite possible).

Digest requires no more knowledge of the password than NTLM does. Both
require direct or indirect access to the secret of the user. Neither
requires access to the clear text password, but both require access to
something which, for each protocol, is equivalent to the clear text
password.

> Digest could be improved upon by using a hash of the password
> instead of the password itself. Of course, there's something of a
> chicken-and-egg problem here: proxy and web servers won't support
> it until browsers support it, and browsers won't support it until
> proxy and web servers support it. Additionally, since digest auth
> is an RFC, someone would have to draft another RFC. So even if it
> is a great idea, it can't be implemented quickly (if at all).

There is no problem with the Digest RFC in this respect. All the
needed parts of the Digest protocol are there to build a reasonably
secure system with good performance. What is missing is a specification
of integration with password directories. The RFC does not define
how such integration is to be done, only what the Digest algorithm
requires from such integration: a limited one-time hash of the user's
password (MD5-sess) which cannot be decrypted or reused in a replay
attack.

The NTLM authentication method is on the level of Digest MD5
authentication (not MD5-sess), either requiring access to the secret
key of the user or offloading all the processing to the domain
controller. Digest MD5-sess improves on this by allowing the
verification to run locally without requiring direct access to the
user's secret key (only a limited one-time hash of the same), greatly
increasing the scalability of the design.

If you are worried about storing the passwords in plain text then see
the digest helper in Squid-HEAD. This helper supports storing
passwords in a hashed form only usable on that server, using the same
format as Apache htdigest. However, note that the password file must
still be kept secure or else it is possible for a hacker who gains
access to the digest password file to fake digest logins to that
server even if he does not know the actual clear text password, much
the same as it is possible for a hacker who has read access to the
NT SAM database or is otherwise able to reconstruct the NT# to fake
logins to the NT domain without knowing the actual clear text
passwords of the users.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Fri Jul 11 2003 - 02:46:58 MDT
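The following is an added example illustrating the points made in the message above; it is not code from Squid, from its digest helper, or from the author. It implements the Digest response computation from RFC 2617 for both the MD5 and MD5-sess algorithms over an htdigest-style store (user:realm:HA1, where HA1 = MD5(user:realm:password)). The "password directory" side only ever holds HA1, and for MD5-sess it hands the verifying proxy nothing more than the one-time hash MD5(HA1:nonce:cnonce). The user name, realm, URI and nonce values are constructed sample data. The last check shows why the htdigest file must be protected: HA1 alone is enough to produce a valid response for that realm.

```python
import hashlib
import hmac


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def htdigest_line(user: str, realm: str, password: str) -> str:
    # Apache htdigest format: user:realm:HA1, with HA1 = MD5(user:realm:password)
    return f"{user}:{realm}:{md5hex(f'{user}:{realm}:{password}')}"


def load_htdigest(text: str) -> dict:
    # Parse htdigest lines into {(user, realm): HA1}; '#' lines are comments
    store = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, realm, ha1 = line.split(":", 2)
        store[(user, realm)] = ha1
    return store


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    # RFC 2617 with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(user: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, algorithm: str = "MD5") -> str:
    # Browser side: it knows the clear text password and derives HA1 from it.
    ha1 = md5hex(f"{user}:{realm}:{password}")
    if algorithm == "MD5-sess":
        # MD5-sess binds HA1 to this challenge and client nonce
        ha1 = md5hex(f"{ha1}:{nonce}:{cnonce}")
    return digest_response(ha1, method, uri, nonce, nc, cnonce)


def directory_session_hash(store: dict, user: str, realm: str, nonce: str, cnonce: str):
    # Password directory side: holds HA1, releases only the one-time session hash
    ha1 = store.get((user, realm))
    if ha1 is None:
        return None
    return md5hex(f"{ha1}:{nonce}:{cnonce}")


def proxy_verify_sess(session_ha1, response: str, method: str, uri: str,
                      nonce: str, nc: str, cnonce: str) -> bool:
    # Proxy side for MD5-sess: verifies with the session hash alone, never sees HA1
    if session_ha1 is None:
        return False
    expected = digest_response(session_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def proxy_verify_md5(store: dict, user: str, realm: str, response: str, method: str,
                     uri: str, nonce: str, nc: str, cnonce: str) -> bool:
    # Proxy side for plain MD5: needs HA1 itself, i.e. the password-equivalent secret
    ha1 = store.get((user, realm))
    if ha1 is None:
        return False
    return hmac.compare_digest(digest_response(ha1, method, uri, nonce, nc, cnonce), response)


# Constructed sample htdigest file (hypothetical user, realm and password).
HTDIGEST_FILE = "# constructed sample\n" + htdigest_line("alice", "proxy.example", "correct horse") + "\n"


def demo() -> dict:
    store = load_htdigest(HTDIGEST_FILE)
    user, realm, method, uri = "alice", "proxy.example", "GET", "http://www.example.com/"
    nonce, cnonce, nc = "server-nonce-1", "client-nonce-1", "00000001"
    results = {}

    # 1. MD5-sess: proxy verifies using only the one-time hash from the directory
    resp = client_response(user, realm, "correct horse", method, uri, nonce, nc, cnonce, "MD5-sess")
    sess = directory_session_hash(store, user, realm, nonce, cnonce)
    results["md5sess_ok"] = proxy_verify_sess(sess, resp, method, uri, nonce, nc, cnonce)

    # 2. A wrong password yields a different HA1 and therefore a different response
    bad = client_response(user, realm, "wrong", method, uri, nonce, nc, cnonce, "MD5-sess")
    results["wrong_password"] = proxy_verify_sess(sess, bad, method, uri, nonce, nc, cnonce)

    # 3. The session hash is bound to nonce/cnonce: presented under a fresh challenge it fails
    nonce2, cnonce2 = "server-nonce-2", "client-nonce-2"
    reused = digest_response(sess, method, uri, nonce2, nc, cnonce2)
    sess2 = directory_session_hash(store, user, realm, nonce2, cnonce2)
    results["session_hash_replayed"] = proxy_verify_sess(sess2, reused, method, uri, nonce2, nc, cnonce2)

    # 4. HA1 from the htdigest file is password-equivalent for this realm (why the file must be protected)
    from_file = digest_response(store[(user, realm)], method, uri, nonce, nc, cnonce)
    results["ha1_from_file_accepted"] = proxy_verify_md5(store, user, realm, from_file,
                                                         method, uri, nonce, nc, cnonce)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Run it directly to see the four outcomes. The split between directory_session_hash and proxy_verify_sess is the scaling point of the message: a front end verifying MD5-sess responses only ever receives values bound to one nonce/cnonce pair, so a compromise of the front end does not expose HA1, whereas the plain MD5 verifier and the htdigest file itself both hold a value that is as good as the password for that realm.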
