On Tue, Sep 14, 2010 at 1:52 AM, Isaac NickAein <nickaein.i@xxxxxxxxx> wrote:
> How about Digest authentication?
>
> Is Digest as weak as NTLM?
>
> And another question:
>
> Is it possible to use Kerberos (actually Negotiate) protocol for squid
> user authentication in a network without any Active Directory or
> Domain?
>
>
> On 9/14/10, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>> On Mon, 13 Sep 2010 11:28:13 -0500, Terry <td3201@xxxxxxxxx> wrote:
>>> I have a working NTLM implementation in place and it works great from
>>> yum and wget for example. However, when I try to use squid from IE8,
>>> it prompts for password and I never see the credentials hit squid,
>>> just this for example:
>>> 1284395121.846 0 10.8.1.100 TCP_DENIED/407 1798 GET
>>> http://google.com/ - NONE/- text/html
>>>
>>> I have added google.com to IE's local intranet zone and gave that zone
>>> low priority so I am not sure where the problem lies. Here's my
>>> configuration:
>>>
>>> auth_param ntlm program /usr/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-ntlmssp
>>> --require-membership-of="DOM\\proxyusers"
>>> auth_param ntlm children 5
>>> auth_param basic program /usr/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-basic
>>> --require-membership-of="DOM\\proxyusers"
>>> auth_param basic children 5
>>> auth_param basic realm Squid proxy-caching web server
>>> auth_param basic credentialsttl 5 hours
>>>
>>> acl NTLMUsers proxy_auth REQUIRED
>>> http_access allow all NTLMUsers
>>>
>>> I can test fine from the squid server:
>>> [root@proxy01a squid]# ntlm_auth --helper-protocol=squid-2.5-basic
>>> DOM\jmama password
>>> OK
>>>
>>> What am I missing?
>>
>> The fact that NTLM has been obsolete for 8 years now? Its encryption
>> schemes were demonstrated to be decrypted in under 15 minutes with a
>> standard consumer desktop as of a year or so ago.
>> Microsoft have declared it deprecated in favor of Kerberos back in the
>> early stages of Vista and all their newer software attempts to do Kerberos
>> instead. IE8 and Windows 7 are known to have NTLM fully disabled by
>> default, with some hoop-jumping needed to open up those holes again.
>>
>> *Please* look at upgrading your network to Negotiate/Kerberos. It's much
>> more secure, faster and very much less resource hungry than NTLM.
>>
>> Amos
>>

Clearly I'm not up to par on my authentication technologies. If it's that old, why is it still an example on the website? I'll check into Kerberos as I use that in other areas for Linux/Windows authentication.
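The symptom Terry describes (IE8 prompts for a password, but the only thing in access.log is a TCP_DENIED/407 with no username) is easiest to confirm from the log itself. The following script is an added example, not code from the thread or from the Squid project: it parses Squid's native access.log format (timestamp, elapsed, client, result/status, bytes, method, URL, user, hierarchy/peer, content type) and, per client address, separates 407 challenges from requests that carry an accepted username. A client that only ever produces 407s with "-" in the user field never completed an authentication round the proxy accepted. The log lines below are constructed for illustration; only the first is the one from the thread, and the helper names and the sample client addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in Squid native access.log format. The first line is the
# one quoted in the thread; the others are made up to show the contrasting cases.
SAMPLE_LOG = """\
1284395121.846 0 10.8.1.100 TCP_DENIED/407 1798 GET http://google.com/ - NONE/- text/html
1284395122.101 0 10.8.1.100 TCP_DENIED/407 1798 GET http://google.com/ - NONE/- text/html
1284395130.500 0 10.8.1.101 TCP_DENIED/407 1798 GET http://example.com/ - NONE/- text/html
1284395130.900 312 10.8.1.101 TCP_MISS/200 5120 GET http://example.com/ jmama DIRECT/93.184.216.34 text/html
1284395140.000 0 10.8.1.102 TCP_DENIED/403 1500 GET http://blocked.example/ jmama NONE/- text/html
"""

# One regex for the ten whitespace-separated fields of the native format.
NATIVE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+'
    r'(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+'
    r'(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$'
)


def parse_line(line):
    """Return a dict for one native-format line, or None if it does not parse."""
    m = NATIVE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Squid logs "-" when no authenticated user is associated with the request.
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    return rec


def triage(log_text):
    """Per client: how many 407 challenges, how many requests with a username,
    and which usernames were seen."""
    per_client = defaultdict(lambda: {"challenges": 0, "authenticated": 0, "users": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or foreign-format lines rather than abort
        stats = per_client[rec["client"]]
        if rec["status"] == 407:
            stats["challenges"] += 1
        if rec["user"] is not None:
            stats["authenticated"] += 1
            stats["users"].add(rec["user"])
    return per_client


def clients_never_authenticating(log_text):
    """Clients whose logged traffic is only 407 challenges with no username,
    i.e. the browser never completed an exchange the proxy accepted."""
    return sorted(client for client, s in triage(log_text).items()
                  if s["challenges"] > 0 and s["authenticated"] == 0)


if __name__ == "__main__":
    for client, s in sorted(triage(SAMPLE_LOG).items()):
        print(client, "challenges=%d authenticated=%d users=%s"
              % (s["challenges"], s["authenticated"], sorted(s["users"])))
    print("never authenticated:", clients_never_authenticating(SAMPLE_LOG))
```

Run it against a real access.log by replacing SAMPLE_LOG with the file's contents. On the constructed sample, 10.8.1.100 shows the pattern from the thread (challenges only, no username), 10.8.1.101 shows a normal challenge followed by an authenticated request, and 10.8.1.102 shows that a denial with a username present is a different problem (the proxy accepted the identity and then denied the request on other grounds) and is not reported.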