Gerald:

Any comment on Paulo's question? (I am interested in that knowledge too.)

I doubt that NTLM does not need any password. Logically, there must be a way
to set up the initial trustful connection between two machines. If not a
password, what will that be? Or something like Digital Authentication?

Peter

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "Peter Bi" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, August 13, 2002 2:36 PM
Subject: Re: NTLM module


> Am I totally wrong, or the plain and painful answer is
> that "NTLM is only supported on Win32 boxes"? I think
> I read somewhere that, because the module relies on the
> Win32 API, it doesn't run on other systems. It even
> said something like "...whoever wants to grab some
> Samba code and port the module to *nix, please do...".
>
> Again, this is just "something I guess I think I read
> somewhere", so take it with a grain of salt.
>
> Paulo Meireles
> MCSE (and not ashamed of it)
> ;-)
>
> --------------------------------------------
> How to Reduce Your Organization's Security Risks - Free Whitepaper on
> Security Services http://www.vianetworks.pt/security/whitepaper_f&s.html
>
>

and

----- Original Message -----
From: "Gerald Richter" <[EMAIL PROTECTED]>
To: "Peter Bi" <[EMAIL PROTECTED]>; "Kaye-Smith Adam"
<[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, August 13, 2002 8:58 PM
Subject: Re: NTLM module


>
>
> > The username/password pair is sent only once to the issuer machine and the
> > follow-up authentications are performed using a self-certified,
> > time-limited hash. In fact, it is based on access control, having nothing
> > to do with Basic Authentication. This is discussed in detail in the Eagle
> > book. I am not sure if NTLM is even better, but for most applications it
> > is pretty secure.
> >
>
> NTLM is a bit more secure, but also this is not the point here. NTLM auth
> doesn't require you to enter your password at all. I don't argue that NTLM
> is better, it just fits better in some intranet situations, because the user
> doesn't have to type in the username/password.
>
> It seems that I was not clear enough. The only thing I say is that under
> the precondition you want to use NTLM client authentication, you can't use
> the way your module verifies the password.
>
> Gerald
>
> -------------------------------------------------------------
> Gerald Richter    ecos electronic communication services gmbh
> Internetconnect * Webserver/-design/-datenbanken * Consulting
>
> Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
> E-Mail:     [EMAIL PROTECTED]         Voice:    +49 6133 925131
> WWW:        http://www.ecos.de      Fax:      +49 6133 925152
> -------------------------------------------------------------
>
> > Peter
> >
> > ----- Original Message -----
> > From: "Gerald Richter" <[EMAIL PROTECTED]>
> > To: "Peter Bi" <[EMAIL PROTECTED]>; "Kaye-Smith Adam"
> > <[EMAIL PROTECTED]>
> > Cc: <[EMAIL PROTECTED]>
> > Sent: Tuesday, August 13, 2002 12:29 PM
> > Subject: Re: NTLM module
> >
> >
> > > >
> > > > if you check the source of the Smb implementation of the module, you
> > > > would see that it performs basically the same function as NTLM. I agree
> > > > with you that it does not fit the Microsoft definition of NTLM, so it is
> > > > not an NTLM implementation. If one's purpose is to pass the protection
> > > > by providing a valid username/password pair in an NT domain, then one
> > > > does not have to follow that definition and the current Smb
> > > > implementation is one of the possible solutions.
> > > >
> > >
> > > The point is not how the password is passed to the NT server, the point
> > > is how the browser and the web server exchange the credentials. With
> > > basic auth and with your module the user enters a username and a password
> > > and you use different backends to verify this. With NTLM authentication
> > > the Internet Explorer and the web server use a challenge-response
> > > procedure to exchange credentials (and IE does this without asking the
> > > user, so you get logged on with your Windows username, which saves the
> > > user some extra typing). They never send the password over the wire, so
> > > you don't have a password to send/verify to your backend.
> > >
> > > What you are talking about is the verification of the password between
> > > the web server and the NT domain controller, that's something different.
> > >
> > > Gerald
> > >
> > >
> > > >
> > > > Peter
> > > >
> > > > ----- Original Message -----
> > > > From: "Gerald Richter" <[EMAIL PROTECTED]>
> > > > To: "Peter Bi" <[EMAIL PROTECTED]>; "Kaye-Smith Adam"
> > > > <[EMAIL PROTECTED]>
> > > > Cc: <[EMAIL PROTECTED]>
> > > > Sent: Tuesday, August 13, 2002 12:53 AM
> > > > Subject: Re: NTLM module
> > > >
> > > >
> > > > >
> > > > >
> > > > > > You may check Apache::Access module at http://modperl.home.att.net in
> > > > > > which I tried to provide a general solution to several popular
> > > > > > authentication issuers such as SMB, LDAP, IMAP, NIS, FTP, LWP and DBI
> > > > > > etc.
> > > > > >
> > > > >
> > > > > I think you missed the point (or I misunderstood your module): The
> > > > > problem is not doing the authentication against whatever, but doing
> > > > > NTLM authentication. With NTLM auth you don't get a password from the
> > > > > client, so how would you compare the password that you don't have
> > > > > against "SMB, LDAP, IMAP, NIS, FTP, LWP and DBI etc."?
> > > > >
> > > > > The only solution is to reimplement the challenge/response that NTLM
> > > > > does. (The module Authen::Perl::NTLM may be helpful here). To do this
> > > > > you need either the password in clear text to compute the NT password
> > > > > hash (a sort of MD4 hash) or the precomputed NT password hash. You
> > > > > won't have this with LDAP, IMAP, NIS, FTP, LWP and DBI etc....
> > > > >
> > > > > Gerald
> > > > >
> > > > >
> > > > > > Cheers.
> > > > > >
> > > > > >
> > > > > > Peter Bi
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Gerald Richter" <[EMAIL PROTECTED]>
> > > > > > To: "Kaye-Smith Adam" <[EMAIL PROTECTED]>
> > > > > > Cc: <[EMAIL PROTECTED]>
> > > > > > Sent: Monday, August 12, 2002 9:12 PM
> > > > > > Subject: Re: NTLM module
> > > > > >
> > > > > >
> > > > > > >
> > > > > > > >According to the documentation, if you set NTLMauthoritative to
> > > > > > > >off, then if NTLM authorization fails, then it should pass it on
> > > > > > > >to the lower level modules.
> > > > > > >
> > > > > > > Yes, that's true and it works like you describe it. The point that
> > > > > > > you are missing is (and that I have tried to show in my last mail),
> > > > > > > that during NTLM authentication there is no password! NTLM never
> > > > > > > passes the password to the server, so if the control gets passed
> > > > > > > to the lower level module, this lower level module must be able to
> > > > > > > handle NTLM. The default Apache auth handler isn't able to do so.
> > > > > > > It expects a password, which it doesn't get because the client
> > > > > > > never has sent it.
> > > > > > >
> > > > > > > Hope it's a little bit more clear now
> > > > > > >
> > > > > > > Gerald
> > > > > > >
> > > > > > >
> > > > > > > I have cut out the below section from the doco which
> > > > > > > relates to the above functionality:
> > > > > > > "
> > > > > > > =head2 PerlSetVar ntlmauthoritative
> > > > > > >
> > > > > > > Setting the ntlmauthoritative directive explicitly to 'off' allows
> > > > > > > authentication to be passed on to lower level modules if AuthenNTLM
> > > > > > > cannot authenticate the user and the NTLM authentication scheme is
> > > > > > > used. If set to 'on', which is the default, AuthenNTLM will try to
> > > > > > > verify the user and if it fails will give an Authorization Required
> > > > > > > reply.
> > > > > > >
> > > > > > > =head2 PerlSetVar basicauthoritative
> > > > > > >
> > > > > > > Setting the ntlmauthoritative directive explicitly to 'off' allows
> > > > > > > authentication to be passed on to lower level modules if AuthenNTLM
> > > > > > > cannot authenticate the user and the Basic authentication scheme is
> > > > > > > used. If set to 'on', which is the default, AuthenNTLM will try to
> > > > > > > verify the user and if it fails will give an Authorization Required
> > > > > > > reply.
> > > > > > > "
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > From the above description, I am hoping for the following events
> > > > > > > to take place
> > > > > > >
> > > > > > > -   ntlm authentication   (if this level fails, go to next
> > > > > > >     authentication)
> > > > > > >
> > > > > > > -   basic authentication  (if this level fails, go to other
> > > > > > >     authentication systems)
> > > > > > >
> > > > > > > -   read passwords in htpasswd file  (if this fails, then access
> > > > > > >     not granted)
> > > > > > >
> > > > > > > To enable the following behaviour, I have included the following
> > > > > > > directives in httpd.conf.
> > > > > > >
> > > > > > > -  ntlmauthoritative off
> > > > > > > -  basicauthoritative off
> > > > > > >
> > > > > > > I have also taken out the basic authentication to see if this works
> > > > > > > i.e.
> > > > > > >
> > > > > > > Authtype ntlm   (not basic)
> > > > > > >
> > > > > > > But this still does fail & allow the htpasswd system to verify
> > > > > > > access.
> > > > > > >
> > > > > > > If there are changes that need to be made to the AuthenNTLM.pm, I am
> > > > > > > not very well read in this area - are there any good references?
> > > > > > >
> > > > > > > From my novice perspective, it appears that when NTLM is included as
> > > > > > > part of the authentication, the ability for normal modules to verify
> > > > > > > access (i.e. htpasswd file) is no longer available, i.e. the perl
> > > > > > > module does not pass back what the standard modules are expecting.
> > > > > > >
> > > > > > > I am sorry to be a bit unclear in my analysis, but I am fairly new
> > > > > > > to apache & perl modules.
> > > > > > >
> > > > > > > Many Thanks
> > > > > > >
> > > > > > > Adam
> > > > > > >
> > > > > > > original email attached
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Gerald Richter [mailto:[EMAIL PROTECTED]]
> > > > > > > Sent: Monday, 12 August 2002 5:35 PM
> > > > > > > To: Kaye-Smith Adam; [EMAIL PROTECTED]
> > > > > > > Subject: Re: NTLM module
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > From: "Kaye-Smith Adam" <[EMAIL PROTECTED]>
> > > > > > > To: <[EMAIL PROTECTED]>
> > > > > > > Sent: Monday, August 12, 2002 4:51 AM
> > > > > > > Subject: NTLM module
> > > > > > >
> > > > > > >
> > > > > > > Hello,
> > > > > > >
> > > > > > >
> > > > > > > >When I enter in an NT password it all works ok but when I use a
> > > > > > > >user/pass from the htpasswd file, the only way it will work is
> > > > > > > >that I change the above line to
> > > > > > > >
> > > > > > > >AuthType Basic                     instead of
> > > > > > > >AuthType ntlm,Basic.
> > > > > > > >
> > > > > > > >
> > > > > > > >With this change I can access passwords in htpasswd & also
> > > > > > > >authenticate from an NT server but I can no longer use NTLM.
> > > > > > >
> > > > > > > The problem is that Basic authentication requires a password from
> > > > > > > the client which can be compared against your password file. In
> > > > > > > case of NTLM auth, there is no password ever sent over the wire, so
> > > > > > > Apache doesn't have anything which it can compare against its
> > > > > > > passwd file.
> > > > > > >
> > > > > > > The solution would be to derive a class from AuthenNTLM and do the
> > > > > > > computation of the challenge and response based on the secrets in
> > > > > > > the passwd file (you would need to store MD4 hashes of your
> > > > > > > passwords somewhere). There is a module called Perl::AuthenNTLM
> > > > > > > which may be helpful in doing this task.
> > > > > > >
> > > > > > > Gerald
>
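Gerald's point throughout the thread (the client never sends a password, only a challenge/response, so whatever backend answers the NTLM login must hold the NT hash, not a crypt()/MD5 htpasswd digest) written out as an added Python example. This is not code from the thread, from Apache::AuthenNTLM or from Authen::Perl::NTLM; it uses the NTLMv2 response (HMAC-MD5 keyed from the NT hash), which generalizes the NTLM exchange the thread discusses without the DES steps of the v1 response. The MD4 routine is included because OpenSSL 3 builds of hashlib frequently refuse md4. The user, domain, password and the simplified blob layout are constructed for the example.

```python
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable under OpenSSL 3."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a, b, c, d = d, _rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, _rotl((a + h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash (NTOWFv1) = MD4(UTF-16LE(password)). This is the secret a server must
    keep to verify NTLM. A crypt()/MD5 htpasswd entry cannot be turned into it, which
    is why an htpasswd-backed handler has nothing to check an NTLM response against."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nthash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(upper(user) + domain))."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def nt_proof(nthash: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, server_challenge || blob). The client derives it
    from its password, the server re-derives it from the stored NT hash; the password
    itself is never on the wire."""
    return hmac.new(ntowf_v2(nthash, user, domain), server_challenge + blob, "md5").digest()


def server_verify(stored_nthash: bytes, user: str, domain: str,
                  server_challenge: bytes, blob: bytes, received_proof: bytes) -> bool:
    """What a lower-level auth handler would have to do instead of comparing a password."""
    expected = nt_proof(stored_nthash, user, domain, server_challenge, blob)
    return hmac.compare_digest(expected, received_proof)


def demo() -> bool:
    """Constructed exchange: user, domain and password are made up for this example."""
    user, domain, password = "adam", "EXAMPLE", "correct horse battery"
    server_db = {user: nt_hash(password)}       # server is provisioned with the NT hash only
    challenge = os.urandom(8)                    # 8-byte server nonce from the Type 2 message
    # Simplified NTLMv2 "temp" blob: version bytes, reserved, timestamp, client nonce, reserved.
    blob = b"\x01\x01" + bytes(6) + struct.pack("<Q", 0) + os.urandom(8) + bytes(4)
    proof = nt_proof(nt_hash(password), user, domain, challenge, blob)   # client side
    good = server_verify(server_db[user], user, domain, challenge, blob, proof)
    wrong = nt_proof(nt_hash("not the password"), user, domain, challenge, blob)
    bad = server_verify(server_db[user], user, domain, challenge, blob, wrong)
    return good and not bad


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("NTLMv2 round trip:", "ok" if demo() else "FAILED")
```

demo() is the contrast the thread turns on: server_verify() can only answer because server_db holds nt_hash(password). Nothing in the exchange lets the server recover the password, so a backend whose only operation is "compare this plaintext password against my file" (htpasswd, or an SMB/LDAP/IMAP bind with the password) never receives anything it can use; the stored secret has to be the NT hash itself.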
