
AW: authentication forwarding


 



Henrik, thx for the fast response.

Is any other authentication protocol in a position to manage such auth. forwarding?

Basic is not acceptable because the pwd is in plain text.

Uwe

-----Original Message-----
From: Henrik Nordstrom [mailto:henrik@xxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, 21 September 2006 17:00
To: Benner, Uwe
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re:  authentication forwarding

Thu 2006-09-21 at 13:00 +0200, Benner, Uwe wrote:

> Proxy A and B have to have NTLM authentication.
> 1st case both Proxies are squid
> 2nd case proxy A = squid proxy B = some appliance

Here is a problem... NTLM cannot be forwarded beyond the proxy which
performed the NTLM handshake. The protocol is explicitly designed to
prevent this. At most, the authenticated username can be forwarded, either
as faked Basic authentication with a static password or as a custom
header, but not the NTLM handshake as such.

> 1. Client sends http request for www.xyz.com
> 2. Proxy A denies and sends a request for authentication to the client
> 3. Client sends user/pwd and Proxy A authenticates the user and provides
> OK

Except that there is no password exchange in NTLM, only a cryptographic
one-time hash exchange unique for the authenticating entity.

> Does it work, that proxy B is requesting the authentication from the
> client again?

Only when using basic authentication.

Regards
Henrik
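
Added example, not part of the original thread: a squid.conf sketch for proxy A that terminates NTLM with the client and passes only the authenticated username to proxy B as Basic credentials with a static password, the first option Henrik describes. The helper path, the peer hostname `proxy-b.example.net`, the port and the password placeholder are assumptions.

```conf
# --- Proxy A (Squid): performs the NTLM handshake with the client ---
# Helper path is an assumption; this is Samba's ntlm_auth in Squid helper mode.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5

# Only authenticated users may use the proxy.
acl ntlm_users proxy_auth REQUIRED
http_access allow ntlm_users
http_access deny all

# Forward every request to proxy B. "login=*:password" sends the username
# that proxy A authenticated, paired with one fixed password, as a Basic
# Proxy-Authorization header. The user's own credentials never leave proxy A.
# Hostname, port and password are placeholders.
cache_peer proxy-b.example.net parent 3128 0 no-query default login=*:REPLACE_WITH_SHARED_SECRET
never_direct allow all

# --- What this implies for proxy B ---
# * Proxy B sees Basic credentials, so it cannot tell proxy A's assertion
#   from a request forged by anyone who knows the static password.
#   Restrict B to accept connections only from proxy A's address.
# * The static password crosses the A-to-B link base64-encoded, not
#   encrypted. Keep that link on a trusted segment or inside a tunnel.
# * The username B logs is only as trustworthy as proxy A's NTLM check.
```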


