On 7/12/2015 9:54 a.m., Noel Kelly wrote:
> Thanks for this Francesco. I have been experimenting with the various
> authenticators without much success.
>
> I have compiled squid-3.5.11 from source and ntlm_fake_auth doesn't
> appear to work. I have scoured the docs and the forums but I can't find
> anyone saying it doesn't work.

It works if your clients accept a downgrade attack to NTLMv1.

>
> I have it set up like this in my squid.conf:
>
> auth_param ntlm program /usr/local/squid/libexec/ntlm_fake_auth -d -v -S
>
> but I just get denied access whilst sending ADS 2008R2 domain
> authentication via Firefox:
>
> ==> /usr/local/squid/var/logs/access.log <==
> 1449434911.652 0 192.168.5.35 TCP_DENIED/407 4473 GET http://www.bbc.co.uk/ - HIER_NONE/- text/html
>
> ==> /usr/local/squid/var/logs/cache.log <==
> ntlm_fake_auth.cc(163): pid=30933 :Got 'YR' from Squid with data:
> [0000] 4E 54 4C 4D 53 53 50 00 01 00 00 00 07 82 08 A2 NTLMSSP. ........
> [0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
> [0020] 06 01 B1 1D 00 00 00 0F 00 00 ........ ..
> ntlm_fake_auth.cc(185): pid=30933 :sending 'TT' to squid with data:
> [0000] 4E 54 4C 4D 53 53 50 00 02 00 00 00 09 00 09 00 NTLMSSP. ........
> [0010] AE AA AA AA 07 82 08 A2 E4 9D FA 04 45 14 D1 A5 ........ ....E...
> [0020] 00 00 00 00 00 00 3A 00 57 4F 52 4B 47 52 4F 55 ........ WORKGROU
> [0030] 50 P
>

That shows the first 407 out of the NTLM handshake being prepared by the helper. Where is the second?
> ==> /usr/local/squid/var/logs/access.log <==
> 1449434911.660 0 192.168.5.35 TCP_DENIED/407 4640 GET http://www.bbc.co.uk/ - HIER_NONE/- text/html
> 1449434911.706 0 192.168.5.35 TCP_IMS_HIT/304 249 GET http://tex.uk.plc:8080/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
> 1449434913.266 0 192.168.5.35 TCP_DENIED/407 4473 GET http://www.bbc.co.uk/ - HIER_NONE/- text/html

Either the client is not working correctly, or there are some missing log lines earlier from the client. Note that NTLM auth may take many seconds.

NTLM requires two 407 messages to perform its handshake. That cache.log section is showing only the first step, where the type-1 token (YR) is being processed and type-2 (TT) generated for delivery to the UA. The access.log is showing what appears to be only the final step, where Squid is rejecting the type-3 (KK) token and the UA is displaying the auth-required error page message to the user.

If that UA is displaying errors based on the TT token, then it is flat out broken.

>
> I have tried ntlm_fake_auth.pl.in and ntlm_smb_lm_auth without success
> too.

SMB LM helper requires an NTLM downgrade attack all the way to plain-text LM auth so Squid's simple helper can decrypt on the fly. It is thankfully getting kind of rare to encounter software which supports LM.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
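The two tokens in the quoted cache.log can be decoded with the script below, an added example that is not part of the thread or of Squid's own code. It reassembles the helper's hex-dump lines (re-typed here as constructed input, ASCII column dropped), checks the NTLMSSP signature and message type (1 = YR, 2 = TT), and decodes the negotiate flags, the client's VERSION block and the server challenge; the peer-supplied TargetName offset is bounds-checked before it is dereferenced, as any parser of untrusted tokens should do.

```python
import struct

# Byte columns re-typed from the two cache.log hex dumps quoted above
# (constructed input; the helper's ASCII column is dropped).
YR_DUMP = """[0000] 4E 54 4C 4D 53 53 50 00 01 00 00 00 07 82 08 A2
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[0020] 06 01 B1 1D 00 00 00 0F 00 00"""
TT_DUMP = """[0000] 4E 54 4C 4D 53 53 50 00 02 00 00 00 09 00 09 00
[0010] AE AA AA AA 07 82 08 A2 E4 9D FA 04 45 14 D1 A5
[0020] 00 00 00 00 00 00 3A 00 57 4F 52 4B 47 52 4F 55
[0030] 50"""
# MS-NLMP NEGOTIATE flag bits that matter for these tokens (names shortened).
FLAG_BITS = {0x1: "UNICODE", 0x2: "OEM", 0x4: "REQUEST_TARGET", 0x80: "LM_KEY",
             0x200: "NTLM", 0x8000: "ALWAYS_SIGN", 0x80000: "EXTENDED_SESSIONSECURITY",
             0x2000000: "VERSION", 0x20000000: "128", 0x80000000: "56"}
MSG_NAMES = {1: "NEGOTIATE (YR)", 2: "CHALLENGE (TT)", 3: "AUTHENTICATE (KK)"}

def dump_to_bytes(dump):
    """Reassemble '[offset] xx xx ...' dump lines into the raw token bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out += bytes.fromhex(line.split("]", 1)[1].replace(" ", ""))
    return bytes(out)

def decode_flags(flags):
    """Names of the set NEGOTIATE bits, lowest bit first."""
    return [name for bit, name in sorted(FLAG_BITS.items()) if flags & bit]

def parse_ntlmssp(token):
    """Decode the fixed part of a type-1 or type-2 NTLMSSP token into a dict."""
    if len(token) < 32 or token[:8] != b"NTLMSSP\0":
        raise ValueError("not an NTLMSSP token")
    msg_type = struct.unpack_from("<I", token, 8)[0]
    info = {"type": msg_type, "name": MSG_NAMES.get(msg_type, "unknown")}
    if msg_type == 1:    # type-1: flags at 12, optional 8-byte VERSION block at 32
        flags = struct.unpack_from("<I", token, 12)[0]
        if flags & 0x2000000 and len(token) >= 40:
            major, minor, build, rev = struct.unpack_from("<BBH3xB", token, 32)
            info["version"] = f"{major}.{minor}.{build} rev {rev}"
    elif msg_type == 2:  # type-2: TargetName fields at 12, flags at 20, challenge at 24
        tlen, _tmax, toff = struct.unpack_from("<HHI", token, 12)
        flags = struct.unpack_from("<I", token, 20)[0]
        info["challenge"] = token[24:32].hex()
        # The offset is peer-supplied: dereference it only if it lies inside the token.
        in_range = toff + tlen <= len(token)
        info["target_name"] = token[toff:toff + tlen].decode("ascii") if in_range else None
    else:
        raise ValueError(f"message type {msg_type} is not decoded by this example")
    info["flags"] = decode_flags(flags)
    return info
```

Running `parse_ntlmssp(dump_to_bytes(YR_DUMP))` reports the type-1 token as Windows 6.1.7601 with NTLM and extended session security advertised; the TT dump decodes to type 2 with the eight challenge bytes seen at offset 0x18.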