On Sun 2006-07-23 at 12:21 -0300, Tiago Quadra wrote:

> I read that with both NTLM auth, for each request I will have TWO DENIED
> before the authentication processor starts. What is the impact on
> performance comparing to a solution using SASL/Shadow of NCSA?

Somewhat noticeable performance penalty visible to the users. And also quite noticeable performance penalty on the proxy, as during this handshake a helper process is reserved for this user, so you need quite a bit of ntlm helpers configured.

> I'm also concerned about security, with the clients' Windows AD password
> being sent to the proxy server. The NTLM authentication process (with
> negotiation) does need to send the password?

The NTLM authentication exchanges Microsoft family of hashes, not plain text.

> I tried to read about it
> but I didn't understand it very well. If it's being sent, with tcpdump I
> notice that it's not in clear text, but if so, what is the strength of
> the crypto used? How easy will it be for someone to break it?

With the old SMB based helper shipped with Squid only MS-LANMAN hashes are supported, which is considered pretty weak and most passwords can be reversed with little effort.

With the Samba provided helper NTLMv2 is supported in right configurations, which is considered pretty strong.

But it should be noted that NTLM authentication is somewhat vulnerable to man-in-the-middle downgrading the authentication support, meaning that a man-in-the-middle attack can downgrade the authentication exchange to MS-LANMAN if this is accepted by your domain policy, even if NTLMv2 would normally be selected. This concern also applies to most Microsoft protocols / network applications using NTLM authentication.

> Which ntlm_auth will be best concerning performance and security?

The helper from Samba. The one shipped with Squid is by far not as good, and should be seen as a lazy method useful only if joining the domain is not an option.

> What about a KERBEROS/GSSAPI/SSPI helper for squid on Linux?

Squid-2.6 + Samba-4 technology preview release has what you need, but you will need MSIE 7 to be able to use this in proxy authentication (MSIE 6 only supports this to web servers, not proxies... nobody outside Microsoft understands why). Firefox also supports this.

Regards
Henrik
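The reply above makes two points a proxy operator can actually check on the wire: the client's Type 3 (AUTHENTICATE) message carries hashed responses rather than the password, and a downgrade shows up as an LM or NTLMv1 response where NTLMv2 was expected. The following is an added example, not part of the mailing-list thread and not Squid's or Samba's code. It parses the NTLM Type 3 message structure (fields at fixed offsets 12, 20, 28, 36, 44, 52 and the negotiate flags at 60, as in the public NTLM specification) and classifies the response by the length of the NT challenge response: 24 bytes is NTLMv1, longer is NTLMv2 (16-byte NTProofStr plus blob), and an empty NT response with a 24-byte LM response is an LM-only exchange. The sample messages, the user "alice", domain "CORP" and workstation "WS01" are constructed here; `build_authenticate` exists only to produce those samples.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3          # NTLM Type 3 message
NTLMSSP_NEGOTIATE_UNICODE = 0x1   # strings are UTF-16LE when set


def _read_field(buf, at):
    """Read a Len/MaxLen/BufferOffset triple at `at` and return the referenced bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, at)
    if offset + length > len(buf):
        raise ValueError("field runs past end of message")
    return buf[offset:offset + length]


def parse_authenticate(buf):
    """Parse an NTLM AUTHENTICATE_MESSAGE (Type 3) into its fields."""
    if buf[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", buf, 8)
    if msg_type != AUTHENTICATE_MESSAGE:
        raise ValueError("expected Type 3, got %d" % msg_type)
    (flags,) = struct.unpack_from("<I", buf, 60)
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    return {
        "lm_response": _read_field(buf, 12),   # LmChallengeResponse
        "nt_response": _read_field(buf, 20),   # NtChallengeResponse
        "domain": _read_field(buf, 28).decode(enc),
        "user": _read_field(buf, 36).decode(enc),
        "workstation": _read_field(buf, 44).decode(enc),
        "flags": flags,
    }


def classify(parsed):
    """Name the response type so a proxy log can flag LM/NTLMv1 downgrades."""
    nt_len = len(parsed["nt_response"])
    lm_len = len(parsed["lm_response"])
    if nt_len > 24:
        return "NTLMv2"        # NTProofStr (16) + client blob
    if nt_len == 24:
        return "NTLMv1"        # DES-based 24-byte response
    if nt_len == 0 and lm_len == 24:
        return "LM"            # LANMAN only: the weak case from the thread
    return "anonymous-or-unknown"


def classify_proxy_authorization(header_value):
    """Classify a 'Proxy-Authorization: NTLM <base64>' header value as seen by a proxy."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM Proxy-Authorization header")
    return classify(parse_authenticate(base64.b64decode(token)))


def build_authenticate(lm, nt, domain, user, workstation,
                       flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Build a constructed Type 3 message for the samples below (payload starts at offset 64)."""
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    items = [lm, nt, domain.encode(enc), user.encode(enc), workstation.encode(enc), b""]
    header = bytearray(NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE))
    payload = bytearray()
    for item in items:  # LM, NT, Domain, User, Workstation, EncryptedRandomSessionKey
        header += struct.pack("<HHI", len(item), len(item), 64 + len(payload))
        payload += item
    header += struct.pack("<I", flags)
    return bytes(header + payload)


# Constructed samples: response bytes are filler, not real hashes.
SAMPLES = {
    "lm_only": build_authenticate(b"\x11" * 24, b"", "CORP", "alice", "WS01"),
    "ntlmv1": build_authenticate(b"\x22" * 24, b"\x33" * 24, "CORP", "alice", "WS01"),
    "ntlmv2": build_authenticate(b"\x44" * 24, b"\x55" * 16 + b"\x01\x01" + b"\x00" * 26,
                                 "CORP", "alice", "WS01"),
}


def sample_header(name):
    """Render a sample as the header value a proxy would receive."""
    return "NTLM " + base64.b64encode(SAMPLES[name]).decode("ascii")


if __name__ == "__main__":
    for name in SAMPLES:
        parsed = parse_authenticate(SAMPLES[name])
        print(name, parsed["domain"] + "\\" + parsed["user"], "->", classify(parsed))
```

Run over captured `Proxy-Authorization` values, anything classified as `LM` or `NTLMv1` from a client that should be doing NTLMv2 is the downgrade Henrik describes; the fix is the domain policy (refuse LM/NTLMv1), since the proxy itself cannot prevent the client from answering a weaker challenge.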