Hello all,

I believe I have narrowed the problem down but still do not know how to
fix it.


When I have AuthType ntlm,basic in httpd.conf and I attempt to use a
username/password that is in the htpasswd file, I am not able to be
authenticated and I receive the following error message in
/var/log/http/error.log:


[Thu Aug 15 15:28:53 2002] [crit] [client 131.242.91.200] configuration error:  couldn't check user.  No user file?: /



However, when I use AuthType basic in httpd.conf and follow the same
process, I do not get the above error message in the log, I can get
authenticated, and I can bring up the web page.



My only explanation is that when AuthType is ntlm,basic, the
AuthUserFile /tmp/htpasswd directive in httpd.conf somehow gets
overlooked.


My other directives are as follows:

PerlAuthenHandler Apache::AuthenNTLM
AuthName "Warning you are entering a development server!!  (and"
AuthType ntlm,basic
PerlAddVar ntdomain "LANDS zeta"
PerlSetVar ntlmauthoritative off
PerlSetVar basicauthoritative off
PerlSetVar defaultdomain LANDS
PerlSetVar ntlmdebug 1
AuthUserFile /tmp/htpasswd
require valid-user


I do not believe that the password is somehow undetectable to the
authentication module, whether I use AuthType ntlm,basic or AuthType
basic. This is because I have been able to print the username and password
variables in the AuthenNTLM Perl module, and they come out in the error
log correctly on both occasions.

I have changed the Perl to the following in the handler sub.

    # Fragment of handler(); SERVER_ERROR, AUTH_REQUIRED and DECLINED
    # come from Apache::Constants, which AuthenNTLM.pm already imports.
    elsif ($type == -1)
        {
        my $nonce = $self -> get_nonce ($r) ;
        if (!$nonce)
            {
            $r->log_reason("Cannot get nonce for " . $r->uri) ;
            return SERVER_ERROR ;
            }
        print STDERR "just before verify user (2nd) \n\n";
        if (!$self -> verify_user ($r))
            {
            # Debug output only: this writes the cleartext password to
            # error.log, so it must be removed once debugging is finished.
            print STDERR "could not verify user \n\n ";
            print STDERR "no verify Username is $self->{username} \n\n";
            print STDERR "no verify Userpass is $self->{password} \n\n";
            # With basicauthoritative off this returns DECLINED, handing
            # the request on to the next authentication handler.
            return $self->{basicauthoritative} ? AUTH_REQUIRED : DECLINED ;
            # Never reached: the return above has already left the sub,
            # which is why "is this sent" never appears in the log.
            print STDERR "is this sent\n\n";
            }
        }


In the error log I get the following on both occasions:


AuthenNTLM: rc = 3  ntlmhash = 
could not verify user 

no verify Username is adamk 

no verify Userpass is test 





Any ideas?


Regards

Adam



-----Original Message-----
From: Peter Bi [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 14 August 2002 2:41 PM
To: Gerald Richter; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: NTLM module


Gerald:

Any comment on Paulo's question? (I am interested in that knowledge
too.)

I doubt that NTLM does not need any password. Logically, there must be a
way to set up the initial trustful connection between two machines. If not
a password, what will that be? Or something like Digital Authentication?

Peter

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "Peter Bi" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, August 13, 2002 2:36 PM
Subject: Re: NTLM module


> Am I totally wrong, or is the plain and painful answer
> that "NTLM is only supported on Win32 boxes"? I think
> I read somewhere that, because the module relies on the
> Win32 API, it doesn't run on other systems. It even
> said something like "...whoever wants to grab some
> Samba code and port the module to *nix, please do...".
>
> Again, this is just "something I guess I think I read
> somewhere", so take it with a grain of salt.
>
> Paulo Meireles
> MCSE (and not ashamed of it)
> ;-)
>
> --------------------------------------------
> How to Reduce Your Organization's Security Risks. Free Whitepaper on
> Security Services http://www.vianetworks.pt/security/whitepaper_f&s.html
>
>

and

----- Original Message -----
From: "Gerald Richter" <[EMAIL PROTECTED]>
To: "Peter Bi" <[EMAIL PROTECTED]>; "Kaye-Smith Adam"
<[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, August 13, 2002 8:58 PM
Subject: Re: NTLM module


>
>
> > The username/password pair is sent only once to the issuer machine and
> > the follow-up authentications are performed using a self-certified,
> > time-limited hash. In fact, it is based on access control, having
> > nothing to do with Basic Authentication. This is discussed in detail in
> > the Eagle book. I am not sure if NTLM is even better, but for most
> > applications it is pretty secure.
> >
>
> NTLM is a bit more secure, but also this is not the point here. NTLM auth
> doesn't require you to enter your password at all. I don't argue that NTLM
> is better, it just fits better in some intranet situations, because the
> user doesn't have to type in the username/password.
>
> It seems that I was not clear enough. The only thing I say is that under
> the precondition you want to use NTLM client authentication, you can't use
> the way your module verifies the password.
>
> Gerald
>
> -------------------------------------------------------------
> Gerald Richter    ecos electronic communication services gmbh
> Internetconnect * Webserver/-design/-datenbanken * Consulting
>
> Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
> E-Mail:     [EMAIL PROTECTED]         Voice:    +49 6133 925131
> WWW:        http://www.ecos.de      Fax:      +49 6133 925152
> -------------------------------------------------------------
>
> > Peter
> >
> > ----- Original Message -----
> > From: "Gerald Richter" <[EMAIL PROTECTED]>
> > To: "Peter Bi" <[EMAIL PROTECTED]>; "Kaye-Smith Adam"
> > <[EMAIL PROTECTED]>
> > Cc: <[EMAIL PROTECTED]>
> > Sent: Tuesday, August 13, 2002 12:29 PM
> > Subject: Re: NTLM module
> >
> >
> > > >
> > > > If you check the source of the Smb implementation of the module, you
> > > > would see that it performs basically the same function as NTLM. I
> > > > agree with you that it does not fit the Microsoft definition of NTLM,
> > > > so it is not a NTLM implementation. If one's purpose is to pass the
> > > > protection by providing a valid username/password pair in a NT
> > > > domain, then one does not have to follow that definition and the
> > > > current Smb implementation is one of the possible solutions.
> > > >
> > >
> > > The point is not how the password is passed to the NT server, the
> > > point is how the browser and the web server exchange the credentials.
> > > With basic auth and with your module the user enters a username and a
> > > password and you use different backends to verify this. With NTLM
> > > authentication the Internet Explorer and the web server use a
> > > challenge-response procedure to exchange credentials (and IE does this
> > > without asking the user, so you get logged on with your Windows
> > > username, which saves the user some extra typing). They never send the
> > > password over the wire, so you don't have a password to send/verify to
> > > your backend.
> > >
> > > What you are talking about is the verification of the password between
> > > the web server and the NT domain controller, that's something
> > > different.
> > >
> > > Gerald
> > >
> > >
> > > >
> > > > Peter
> > > >
> > > > ----- Original Message -----
> > > > From: "Gerald Richter" <[EMAIL PROTECTED]>
> > > > To: "Peter Bi" <[EMAIL PROTECTED]>; "Kaye-Smith Adam"
> > > > <[EMAIL PROTECTED]>
> > > > Cc: <[EMAIL PROTECTED]>
> > > > Sent: Tuesday, August 13, 2002 12:53 AM
> > > > Subject: Re: NTLM module
> > > >
> > > >
> > > > >
> > > > >
> > > > > > You may check Apache::Access module at http://modperl.home.att.net
> > > > > > in which I tried to provide a general solution to several popular
> > > > > > authentication issuers such as SMB, LDAP, IMAP, NIS, FTP, LWP and
> > > > > > DBI etc.
> > > > > >
> > > > >
> > > > > I think you missed the point (or I misunderstood your module): The
> > > > > problem is not doing the authentication against whatever, but doing
> > > > > NTLM authentication. With NTLM auth you don't get a password from
> > > > > the client, so how would you compare the password that you don't
> > > > > have against "SMB, LDAP, IMAP, NIS, FTP, LWP and DBI etc."?
> > > > >
> > > > > The only solution is to reimplement the challenge/response that
> > > > > NTLM does. (The module Authen::Perl::NTLM may be helpful here). To
> > > > > do this you need either the password in clear text to compute the
> > > > > NT password hash (a sort of MD4 hash) or the precomputed NT password
> > > > > hash. You won't have this with LDAP, IMAP, NIS, FTP, LWP and DBI
> > > > > etc....
> > > > >
> > > > > Gerald
> > > > >
> > > > >
> > > > >
> > > > > > Cheers.
> > > > > >
> > > > > >
> > > > > > Peter Bi
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Gerald Richter" <[EMAIL PROTECTED]>
> > > > > > To: "Kaye-Smith Adam" <[EMAIL PROTECTED]>
> > > > > > Cc: <[EMAIL PROTECTED]>
> > > > > > Sent: Monday, August 12, 2002 9:12 PM
> > > > > > Subject: Re: NTLM module
> > > > > >
> > > > > >
> > > > > > >
> > > > > > > > According to the documentation, if you set ntlmauthoritative
> > > > > > > > to off, then if NTLM authorization fails, then it should pass
> > > > > > > > it on to the lower level modules.
> > > > > > >
> > > > > > > Yes, that's true and it works like you describe it. The point
> > > > > > > that you are missing is (and that I have tried to show in my
> > > > > > > last mail), that during NTLM authentication there is no
> > > > > > > password! NTLM never passes the password to the server, so even
> > > > > > > if the control gets passed to the lower level module, this
> > > > > > > lower level module must be able to handle NTLM. The default
> > > > > > > Apache auth handler isn't able to do so. It expects a password,
> > > > > > > which it doesn't get because the client never has sent it.
> > > > > > >
> > > > > > > Hope it's a little bit more clear now
> > > > > > >
> > > > > > > Gerald
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > I have cut out the below section from the doco which
> > > > > > > relates to the above functionality:
> > > > > > > "
> > > > > > > =head2 PerlSetVar ntlmauthoritative
> > > > > > >
> > > > > > > Setting the ntlmauthoritative directive explicitly to 'off'
> > > > > > > allows authentication to be passed on to lower level modules if
> > > > > > > AuthenNTLM cannot authenticate the user and the NTLM
> > > > > > > authentication scheme is used. If set to 'on', which is the
> > > > > > > default, AuthenNTLM will try to verify the user and if it fails
> > > > > > > will give an Authorization Required reply.
> > > > > > >
> > > > > > > =head2 PerlSetVar basicauthoritative
> > > > > > >
> > > > > > > Setting the ntlmauthoritative directive explicitly to 'off'
> > > > > > > allows authentication to be passed on to lower level modules if
> > > > > > > AuthenNTLM cannot authenticate the user and the Basic
> > > > > > > authentication scheme is used. If set to 'on', which is the
> > > > > > > default, AuthenNTLM will try to verify the user and if it fails
> > > > > > > will give an Authorization Required reply.
> > > > > > > "
> > > > > > >
> > > > > > > From the above description, I am hoping for the following events
> > > > > > > to take place:
> > > > > > >
> > > > > > > -   ntlm authentication   (if this level fails, go to the next
> > > > > > >     authentication)
> > > > > > >
> > > > > > > -   basic authentication  (if this level fails, go to other
> > > > > > >     authentication systems)
> > > > > > >
> > > > > > > -   read passwords in htpasswd file  (if this fails, then access
> > > > > > >     is not granted)
> > > > > > >
> > > > > > > To enable the following behaviour, I have included the following
> > > > > > > directives in httpd.conf.
> > > > > > >
> > > > > > > -  ntlmauthoritative off
> > > > > > > -  basicauthoritative off
> > > > > > >
> > > > > > > I have also taken out the basic authentication to see if this
> > > > > > > works, ie
> > > > > > >
> > > > > > > Authtype ntlm   (not basic)
> > > > > > >
> > > > > > > But this still does fail & allow the htpasswd system to verify
> > > > > > > access.
> > > > > > >
> > > > > > > If there are changes that need to be made to the AuthenNTLM.pm,
> > > > > > > I am not very well read in this area - are there any good
> > > > > > > references?
> > > > > > >
> > > > > > > From my novice perspective, it appears that when NTLM is
> > > > > > > included as part of the authentication, the ability for normal
> > > > > > > modules to verify access (ie htpasswd file) is no longer
> > > > > > > available, ie the Perl module does not pass back what the
> > > > > > > standard modules are expecting.
> > > > > > >
> > > > > > > I am sorry to be a bit unclear in my analysis, but I am fairly
> > > > > > > new to Apache & Perl modules.
> > > > > > >
> > > > > > > Many Thanks
> > > > > > >
> > > > > > > Adam
> > > > > > >
> > > > > > > original email attached
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Gerald Richter [mailto:[EMAIL PROTECTED]]
> > > > > > > Sent: Monday, 12 August 2002 5:35 PM
> > > > > > > To: Kaye-Smith Adam; [EMAIL PROTECTED]
> > > > > > > Subject: Re: NTLM module
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > From: "Kaye-Smith Adam" <[EMAIL PROTECTED]>
> > > > > > > To: <[EMAIL PROTECTED]>
> > > > > > > Sent: Monday, August 12, 2002 4:51 AM
> > > > > > > Subject: NTLM module
> > > > > > >
> > > > > > >
> > > > > > > Hello,
> > > > > > >
> > > > > > > > When I enter in an NT password it all works ok but when I use
> > > > > > > > a user/pass from the htpasswd file, the only way it will work
> > > > > > > > is that I change the above line to
> > > > > > > >
> > > > > > > > AuthType Basic                     instead of
> > > > > > > > AuthType ntlm,Basic.
> > > > > > > >
> > > > > > > > With this change I can access passwords in htpasswd & also
> > > > > > > > authenticate from an NT server but I can no longer use NTLM.
> > > > > > >
> > > > > > > The problem is that Basic authentication requires a password
> > > > > > > from the client which can be compared against your password
> > > > > > > file. In case of NTLM auth, there is no password ever sent over
> > > > > > > the wire, so Apache doesn't have anything which it can compare
> > > > > > > against its passwd file.
> > > > > > >
> > > > > > > The solution would be to derive a class from AuthenNTLM and do
> > > > > > > the computation of the challenge and response based on the
> > > > > > > secrets in the passwd file (you would need to store MD4 hashes
> > > > > > > of your passwords somewhere). There is a module called
> > > > > > > Perl::AuthenNTLM which may be helpful in doing this task.
> > > > > > >
> > > > > > > Gerald
> > > > > > >
> > > > > > >
> > > > > > > ************************************************************************
> > > > > > > The information in this e-mail together with any attachments is
> > > > > > > intended only for the person or entity to which it is addressed
> > > > > > > and may contain confidential and/or privileged material.
> > > > > > >
> > > > > > > Any form of review, disclosure, modification, distribution
> > > > > > > and/or publication of this e-mail message is prohibited.
> > > > > > >
> > > > > > > If you have received this message in error, you are asked to
> > > > > > > inform the sender as quickly as possible and delete this message
> > > > > > > and any copies of this message from your computer and/or your
> > > > > > > computer system network.
> > > > > > > ************************************************************************



