Re: squid 5.2: ntlm_fake_auth refuse to valid credentials

David Touzeau <david@xxxxxxxxxxxxxx> · Thu, 11 Nov 2021 13:16:01 +0100



    Thanks Amos it will help understand something

      
      I think modern browser sending NTLMv2 as the ntlm_fake_auth
      understanding only NTLMv1 ( perhaps )

      
      Using curl with --proxy-ntlm option is OK for squid as using
      browser return allways a 407

      DO you know the limitation of ntlm_fake_auth according NTLM version.

      Is there a way to fix it ?

      
      ************* CURL ************

    
    [0000]  4E 54
      4C 4D 53 53 50 00  01 00 00 00 06 82 08 00  NTLMSSP. ........
    [0010]  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
      ........ ........
    ntlm_fake_auth.cc(197): pid=31874 :sending 'TT' to squid with
      data:
    [0000]  4E 54 4C 4D 53 53 50 00  02 00 00 00 09 00 09 00 
      NTLMSSP. ........
    [0010]  AE AA AA AA 06 82 08 00  15 3A CC 83 0B 80 7B 45 
      ........ .......E
    [0020]  00 00 00 00 00 00 3A 00  57 4F 52 4B 47 52 4F 55 
      ........ WORKGROU
    [0030]  50                                                  P
    ntlm_fake_auth.cc(170): pid=31874 :Got 'KK' from Squid with
      data:
    [0000]  4E 54 4C 4D 53 53 50 00  03 00 00 00 18 00 18 00 
      NTLMSSP. ........
    [0010]  40 00 00 00 30 00 30 00  58 00 00 00 00 00 00 00 
      ....0.0. X.......
    [0020]  88 00 00 00 04 00 04 00  88 00 00 00 09 00 09 00 
      ........ ........
    [0030]  8C 00 00 00 00 00 00 00  00 00 00 00 06 82 08 00 
      ........ ........
    [0040]  EB C7 B7 11 26 62 FD 82  B0 45 68 62 E0 6C E6 A3 
      .....b.. .Ehb.l..
    [0050]  57 A7 E6 76 1C 7B 79 74  17 71 72 5B 72 38 DA 30 
      W..v..yt .qr.r8.0
    [0060]  06 4D 15 1F 9B D1 A2 A5  01 01 00 00 00 00 00 00 
      .M...... ........
    [0070]  80 38 3C 2A EA D6 D7 01  57 A7 E6 76 1C 7B 79 74 
      .8...... W..v..yt
    [0080]  00 00 00 00 00 00 00 00  74 6F 74 6F 6E 74 6C 6D 
      ........ totontlm
    [0090]  70 72 6F 78 79                                     
      proxy
    ntlmauth.cc(244): pid=31874 :ntlm_unpack_auth: size of 149
    ntlmauth.cc(245): pid=31874 :ntlm_unpack_auth: flg 00088206
    ntlmauth.cc(246): pid=31874 :ntlm_unpack_auth: lmr o(64) l(24)
    ntlmauth.cc(247): pid=31874 :ntlm_unpack_auth: ntr o(88) l(48)
    ntlmauth.cc(248): pid=31874 :ntlm_unpack_auth: dom o(136) l(0)
    ntlmauth.cc(249): pid=31874 :ntlm_unpack_auth: usr o(136) l(4)
    ntlmauth.cc(250): pid=31874 :ntlm_unpack_auth: wst o(140) l(9)
    ntlmauth.cc(251): pid=31874 :ntlm_unpack_auth: key o(0) l(0)
    ntlmauth.cc(257): pid=31874 :ntlm_unpack_auth: Domain 't'
      (len=1).
    ntlmauth.cc(268): pid=31874 :ntlm_unpack_auth: Username
        'toton' (len=5).
    ntlm_fake_auth.cc(210): pid=31874 :sending 'AF toton' to squid
    

    ********* But when connecting any modern browser to squid 
    ***********

    
    [0000]  4E 54
      4C 4D 53 53 50 00  01 00 00 00 07 82 08 A2  NTLMSSP. ........
    [0010]  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
      ........ ........
    [0020]  0A 00 63 45 00 00 00 0F                           
      ..cE.... 
    ntlm_fake_auth.cc(197): pid=31874 :sending 'TT' to squid with
      data:
    [0000]  4E 54 4C 4D 53 53 50 00  02 00 00 00 09 00 09 00 
      NTLMSSP. ........
    [0010]  AE AA AA AA 07 82 08 A2  C9 F0 4C 07 E0 79 9F CF 
      ........ ..L..y..
    [0020]  00 00 00 00 00 00 3A 00  57 4F 52 4B 47 52 4F 55 
      ........ WORKGROU
    [0030]  50                                                  P
    ntlm_fake_auth.cc(170): pid=31874 :Got 'YR' from Squid with
      data:
    [0000]  4E 54 4C 4D 53 53 50 00  01 00 00 00 07 82 08 A2 
      NTLMSSP. ........
    [0010]  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
      ........ ........
    [0020]  0A 00 63 45 00 00 00 0F                           
      ..cE.... 
    ntlm_fake_auth.cc(197): pid=31874 :sending 'TT' to squid with
      data:
    [0000]  4E 54 4C 4D 53 53 50 00  02 00 00 00 09 00 09 00 
      NTLMSSP. ........
    [0010]  AE AA AA AA 07 82 08 A2  49 12 A5 8A C8 17 3E 9D 
      ........ I.......
    [0020]  00 00 00 00 00 00 3A 00  57 4F 52 4B 47 52 4F 55 
      ........ WORKGROU
    [0030]  50                                                  P
    ntlm_fake_auth.cc(170): pid=31874 :Got 'YR' from Squid with
      data:
    [0000]  4E 54 4C 4D 53 53 50 00  01 00 00 00 07 82 08 A2 
      NTLMSSP. ........
    [0010]  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
      ........ ........
    [0020]  0A 00 63 45 00 00 00 0F                           
      ..cE.... 
    ntlm_fake_auth.cc(197): pid=31874 :sending 'TT' to squid with
      data:
    [0000]  4E 54 4C 4D 53 53 50 00  02 00 00 00 09 00 09 00 
      NTLMSSP. ........
    [0010]  AE AA AA AA 07 82 08 A2  09 6D 48 E6 12 9C 4B 30 
      ........ .mH...K0
    [0020]  00 00 00 00 00 00 3A 00  57 4F 52 4B 47 52 4F 55 
      ........ WORKGROU
    [0030]  50                                                  P
    ntlm_fake_auth.cc(170): pid=31874 :Got 'YR' from Squid with
      data:
    [0000]  4E 54 4C 4D 53 53 50 00  01 00 00 00 07 82 08 A2 
      NTLMSSP. ........
    [0010]  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
      ........ ........
    [0020]  0A 00 63 45 00 00 00 0F                           
      ..cE.... 
    ntlm_fake_auth.cc(197): pid=31874 :sending 'TT' to squid with
      data:
    [0000]  4E 54 4C 4D 53 53 50 00  02 00 00 00 09 00 09 00 
      NTLMSSP. ........
    [0010]  AE AA AA AA 07 82 08 A2  F5 F6 8C B4 16 B9 20 CD 
      ........ ........
    [0020]  00 00 00 00 00 00 3A 00  57 4F 52 4B 47 52 4F 55 
      ........ WORKGROU
    

    Le 11/11/2021 à 08:40, Amos Jeffries a
      écrit :

    
    On
      11/11/21 14:12, David Touzeau wrote:
      

      Hi,
        

        i would like to use ntlm_fake_auth but it seems Squid refuse to
        switch to authenticated user and return a 407 to the browser and
        squid never accept  credentials.
        

        What i missing ?
        

        Configuration seems simple:
        

        auth_param ntlm program /lib/squid3/ntlm_fake_auth -v
        

        auth_param ntlm children 20 startup=5 idle=1 concurrency=0
        queue-size=80 on-persistent-overload=ERR
        

        acl AUTHENTICATED proxy_auth REQUIRED
        

        http_access deny  !AUTHENTICATED
        

        Here the debug mode;
        

      The log you presented shows the helper delivering a TT response to
      Squid. Which is NTLM step 2 response token for a 407 challenge
      response.
      

      That is only sent if there were not auth headers received from the
      client - which is correct per your config shown.
      

      The log snippet stops before Squid sends that response to the
      client, so whatever follows is unknown.
      

      Amos
      

      _______________________________________________
      

      squid-users mailing list
      

      squid-users@xxxxxxxxxxxxxxxxxxxxx
      

      http://lists.squid-cache.org/listinfo/squid-users
      

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users