On Tue, 5 Oct 2010 18:24:44 +0100, Nick Cairncross <Nick.Cairncross@xxxxxxxxxxxxxxx> wrote:

> Hi list,
>
> Just checking, but the parameters 'max_challenge_reuses' and
> 'max_challenge_lifetime' can't be used in 3 Stable 20 and there is no
> equivalent/new directive? I wanted to allow my authenticated users'
> sessions to be re-used for a certain length of time and amount to trim down
> on repeated authentications.
>
> When added and reconfigured I get:
> 2010/10/05 18:06:50| AuthNTLMConfig::parse: unrecognised ntlm auth scheme
> parameter 'max_challenge_reuses'
> 2010/10/05 18:06:50| AuthNTLMConfig::parse: unrecognised ntlm auth scheme
> parameter 'max_challenge_lifetime'
>
> I appreciate the replay threat but I need to find a balance..
> Thanks,
> Nick

The squid challenge-reuse feature was a workaround which unfortunately enabled credential replay attacks on your clients. This problem has been fixed upstream by MS along with several other security vulnerabilities, and the result is called "Kerberos".

The proper "session" equivalent in both NTLM and Negotiate/Kerberos is the lifetime of the TCP link, which depends quite a bit on real HTTP/1.1 support to maintain persistence. We have done a *lot* of work on improving this lifetime since 2.7.

I recommend you try an upgrade to the latest Squid-3.1 with the negotiate protocol configured.

Amos
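An added illustration, not part of Amos's reply or of the Squid project's own documentation: the two removed directives as they appeared in a Squid 2.5-era squid.conf (the replay-prone setting), beside the Squid-3.1 Negotiate/Kerberos setup the reply recommends, where the "session" is the persistent client connection rather than a cached NTLM challenge. The helper path, service principal and realm are assumptions for a hypothetical proxy; adjust them to your host and run `squid -k parse` before reloading.

```conf
# --- Squid 2.5-era NTLM, the setting Nick was trying to carry forward ---
# Re-using one server challenge for several handshakes (or for a window of
# time) lets a captured NTLM response be replayed against the proxy, which
# is why 3.x rejects these directives with "unrecognised ntlm auth scheme
# parameter". Shown only for contrast; do not use.
#
# auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
# auth_param ntlm children 5
# auth_param ntlm max_challenge_reuses 10        # removed in 3.x
# auth_param ntlm max_challenge_lifetime 2 minutes   # removed in 3.x

# --- Squid-3.1 Negotiate/Kerberos, the recommended replacement ---
# Assumptions (hypothetical): the Kerberos helper lives at
# /usr/lib/squid3/squid_kerb_auth and the proxy's service principal is
# HTTP/proxy.example.com in realm EXAMPLE.COM, with a keytab readable by squid.
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 20
# keep_alive on: the authenticated state is bound to the client's TCP
# connection, so keep that connection open instead of caching challenges.
auth_param negotiate keep_alive on

# Persistent connections are what make "one handshake per connection"
# cheap; these are the defaults, stated explicitly so they are not turned
# off by a stray directive elsewhere in the file.
client_persistent_connections on
server_persistent_connections on

# Require authentication for all proxied traffic.
acl authenticated proxy_auth REQUIRED
http_access deny !authenticated
http_access allow authenticated
http_access deny all
```

With Negotiate there is no knob to "reuse" a credential across connections, by design: each new TCP connection performs a fresh GSSAPI handshake, and the browser, not the proxy, caches the Kerberos service ticket, so repeated authentications cost a ticket lookup on the client rather than a round trip to the domain controller.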