Hello all,
I believe I have narrowed the problems down but still do not know how to fix it. when i have Authtype ntlm,basic in httpd.conf and I attempt to use a username/password that is in htpasswd file I will not be able to be authenticated & I receive the following error message in /var/log/http/error.log [Thu Aug 15 15:28:53 2002] [crit] [client 131.242.91.200] configuration error: couldn't check user. No user file?: / However when I use Authtype basic in httpd.conf & follow same process I do not get the above error message in log & I can get authenticated & bring up the web page. My only explanation is that when authtype is ntlm,basic then the directive in httpd.conf file of AuthUserFile /tmp/htpasswd somehow gets overlooked. my other directives are as follows: PerlAuthenHandler Apache::AuthenNTLM AuthName "Warning you are entering a development server!! (and" AuthType ntlm,basic PerlAddVar ntdomain "LANDS zeta" PerlSetVar ntlmauthoritative off PerlSetVar basicauthoritative off PerlSetVar defaultdomain LANDS PerlSetVar ntlmdebug 1 AuthUserFile /tmp/htpasswd require valid-user I do not believe that the password is somehow undetectable to the authentication module whethor I use authtype ntlm,basic or authtype basic. This is because I have been able to print the username & password variables in the AuthenNTLM perl module & this comes out to the error log on both occasions correctly. I have changed the perl to the following in the handler sub. elsif ($type == -1) { my $nonce = $self -> get_nonce ($r) ; if (!$nonce) { $r->log_reason("Cannot get nonce for " . $r->uri) ; return SERVER_ERROR ; } print STDERR "just before verify user (2nd) \n\n"; if (!$self -> verify_user ($r)) { print STDERR "could not verify user \n\n "; print STDERR "no verify Username is $self->{username} \n\n"; print STDERR "no verify Userpass is $self->{password} \n\n"; return $self -> {basicauthoritative}?AUTH_REQUIRED:DECLINED ; print STDERR "is this sent\n\n"; } in error log I get the following on both occasions: AuthenNTLM: rc = 3 ntlmhash = could not verify user no verify Username is adamk no verify Userpass is test Any ideas. Regards Adam -----Original Message----- From: Peter Bi [mailto:[EMAIL PROTECTED]] Sent: Wednesday, 14 August 2002 2:41 PM To: Gerald Richter; [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: NTLM module Gerald: Any comment on Paulo's question ? (I am interested in that knowledge too.) I doubt that NTLM does not need any password. Logically, there must be a way to set up the initial trustful connection between two machines. If not password, what will that be ? Or something like Digital Authentication ? Peter ----- Original Message ----- From: <[EMAIL PROTECTED]> To: "Peter Bi" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Tuesday, August 13, 2002 2:36 PM Subject: Re: NTLM module > Am I totally wrong, or the plain and painful answer is > that "NTLM is only supported on Win32 boxes"? I think > I read somewhere that, because the module relies the > Win32 API, it doesn't run on other systems. It even > said something like "...whoever wants to grab some > Samba code and port the module to *nix, please do...". > > Again, this is just "something I guess I think I read > somewhere", so take it with a grain of salt. > > Paulo Meireles > MCSE (and not ashame of it) > ;-) > > -------------------------------------------- > Como Reduzir os Riscos de Segurança da Sua Organização Whitepaper Gratuito sobre Serviços > de Segurança http://www.vianetworks.pt/security/whitepaper_f&s.html > > and ----- Original Message ----- From: "Gerald Richter" <[EMAIL PROTECTED]> To: "Peter Bi" <[EMAIL PROTECTED]>; "Kaye-Smith Adam" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Tuesday, August 13, 2002 8:58 PM Subject: Re: NTLM module > > > > The username/password pair is sent only once to the issuer machine and the > > follow-up authentications are performed using a self-certified, > > time-limited, hash. In fact, it is based on access-control, having nothing > > to do with Basic Authentication. This is discussed in detail in the Eagle > > book. I am not sure if NTLM is even better but for most applications, it > is > > pretty secure. > > > > NTLM is a bit more secure, but also this is not the point here. NTLM auth > doesn't require you to enter your password at all. I don't argue that NTLM > is better, it just fits better in some intranet situations, because the user > doesn't have to type in the username/password. > > It's seems that I was not clear enough. The only thing I say is that under > the precondition you want to use NTLM client authetication, you can't use > the way your module verifies the password. > > Gerald > > ------------------------------------------------------------- > Gerald Richter ecos electronic communication services gmbh > Internetconnect * Webserver/-design/-datenbanken * Consulting > > Post: Tulpenstrasse 5 D-55276 Dienheim b. Mainz > E-Mail: [EMAIL PROTECTED] Voice: +49 6133 925131 > WWW: http://www.ecos.de Fax: +49 6133 925152 > ------------------------------------------------------------- > > > Peter > > > > ----- Original Message ----- > > From: "Gerald Richter" <[EMAIL PROTECTED]> > > To: "Peter Bi" <[EMAIL PROTECTED]>; "Kaye-Smith Adam" > > <[EMAIL PROTECTED]> > > Cc: <[EMAIL PROTECTED]> > > Sent: Tuesday, August 13, 2002 12:29 PM > > Subject: Re: NTLM module > > > > > > > > > > > > if you check the source of the Smb implemenation of the module, you > > would > > > > see that it performs basically the same function as NTLM. I agree with > > you > > > > that it does not fit the Microsoft definition of NTLM, so it is not a > > NTLM > > > > implementation. If ones purpose is to pass the protection by providing > a > > > > valid username/password pair in a NT domain, then one does not have to > > > > follow that definition and the current Smb implementation is one of > the > > > > possible solutions. > > > > > > > > > > The point is not how the password is passed to the nt server, the point > is > > > how the browser and the web server exchange the credenticals. With basic > > > auth and with your module the user enters a username and a password and > > you > > > use different backends to verify this. With NTLM authentication the > > Internet > > > Exploerer and the Web server uses a challange-response procdure to > > exchange > > > credenticals (and IE does this without asking the user, so you get > logged > > on > > > with your windows username, which safes the user some extra typing). > They > > > never send the password over the wire, so you don't have a password to > > > send/verify to your backend. > > > > > > What you talking about is the verification of the password between the > web > > > server and the nt domain controller, thats something different. > > > > > > Gerald > > > > > > > > > > > > > > Peter > > > > > > > > ----- Original Message ----- > > > > From: "Gerald Richter" <[EMAIL PROTECTED]> > > > > To: "Peter Bi" <[EMAIL PROTECTED]>; "Kaye-Smith Adam" > > > > <[EMAIL PROTECTED]> > > > > Cc: <[EMAIL PROTECTED]> > > > > Sent: Tuesday, August 13, 2002 12:53 AM > > > > Subject: Re: NTLM module > > > > > > > > > > > > > > > > > > > > > > > > You may check Apache::Access module at http://modperl.home.att.net > > in > > > > > which > > > > > > I tried to provide a general solution to several popular > > > authentication > > > > > > issuers such as SMB, LDAP, IMAP, NIS, FTP, LWP and DBI etc. > > > > > > > > > > > > > > > > I think you missed the point (or I missunderstood your module): The > > > > problem > > > > > is not doing the authentication against whatever, but doing NTLM > > > > > authetication. With NTLM auth you don't get a password from the > > client, > > > so > > > > > how would compare the password that you don't have against "SMB, > LDAP, > > > > IMAP, > > > > > NIS, FTP, LWP and DBI etc." ? > > > > > > > > > > The only solution is to reimplement the challage/response that NTLM > > > does. > > > > > (The module Authen::Perl::NTLM maybe helpfull here). To do this you > > need > > > > > either the password in clear text to compute the nt password hash (a > > > sort > > > > of > > > > > md4 hash) or the precomputed nt password hash. You won't have this > > with > > > > > LDAP, IMAP, NIS, FTP, LWP and DBI etc.... > > > > > > > > > > Gerald > > > > > > > > > > ------------------------------------------------------------- > > > > > Gerald Richter ecos electronic communication services gmbh > > > > > Internetconnect * Webserver/-design/-datenbanken * Consulting > > > > > > > > > > Post: Tulpenstrasse 5 D-55276 Dienheim b. Mainz > > > > > E-Mail: [EMAIL PROTECTED] Voice: +49 6133 925131 > > > > > WWW: http://www.ecos.de Fax: +49 6133 925152 > > > > > ------------------------------------------------------------- > > > > > > > > > > > > > > > > Cheers. > > > > > > > > > > > > > > > > > > Peter Bi > > > > > > > > > > > > ----- Original Message ----- > > > > > > From: "Gerald Richter" <[EMAIL PROTECTED]> > > > > > > To: "Kaye-Smith Adam" <[EMAIL PROTECTED]> > > > > > > Cc: <[EMAIL PROTECTED]> > > > > > > Sent: Monday, August 12, 2002 9:12 PM > > > > > > Subject: Re: NTLM module > > > > > > > > > > > > > > > > > > > > > > > > > > >According to the documentation, if you set NTMLauthoritative to > > > off, > > > > > > > >then if NTLM authorization fails, then it should pass it on to > > the > > > > > lower > > > > > > > >level modules. > > > > > > > > > > > > > > Yes, that's true and it works like you describe it. The point > that > > > you > > > > > are > > > > > > > missing is (and that I have tried to show in my last mail), that > > > > during > > > > > > NTLM > > > > > > > authentication there is no password! NTLM never passes the > > password > > > to > > > > > the > > > > > > > server, so also the control gets passed to the lower level > module, > > > > this > > > > > > > lower level module must be able to handle NTLM. The default > Apache > > > > auth > > > > > > > handler isn't able to do so. It expects a password, which it > > doesn't > > > > > gets > > > > > > > because the client never has send it. > > > > > > > > > > > > > > Hope it's a little bit more clear now > > > > > > > > > > > > > > Gerald > > > > > > > > > > > > > > ------------------------------------------------------------- > > > > > > > Gerald Richter ecos electronic communication services gmbh > > > > > > > Internetconnect * Webserver/-design/-datenbanken * Consulting > > > > > > > > > > > > > > Post: Tulpenstrasse 5 D-55276 Dienheim b. Mainz > > > > > > > E-Mail: [EMAIL PROTECTED] Voice: +49 6133 925131 > > > > > > > WWW: http://www.ecos.de Fax: +49 6133 925152 > > > > > > > ------------------------------------------------------------- > > > > > > > > > > > > > > > > > > > > > > > > > > > > I have cut out the below section from the doco which > > > > > > > relates to the above functionality : > > > > > > > " > > > > > > > =head2 PerlSetVar ntlmauthoritative > > > > > > > > > > > > > > Setting the ntlmauthoritative directive explicitly to 'off' > allows > > > > > > > authentication > > > > > > > to be passed on to lower level modules if AuthenNTLM cannot > > > > autheticate > > > > > > > the userand the NTLM authentication scheme is used. > > > > > > > If set to 'on', which is the default, AuthenNTLM will try to > > verify > > > > the > > > > > > > user andif it fails will give an Authorization Required reply. > > > > > > > > > > > > > > =head2 PerlSetVar basicauthoritative > > > > > > > > > > > > > > Setting the ntlmauthoritative directive explicitly to 'off' > allows > > > > > > > authentication > > > > > > > to be passed on to lower level modules if AuthenNTLM cannot > > > > autheticate > > > > > > > the userand the Basic authentication scheme is used. > > > > > > > If set to 'on', which is the default, AuthenNTLM will try to > > verify > > > > the > > > > > > > user andif it fails will give an Authorization Required reply. > > > > > > > " > > > > > > > > > > > > > > > > > > > > > > > > > > > > From the above description, I am hoping for the following events > > to > > > > take > > > > > > > place > > > > > > > > > > > > > > > > > > > > > - ntlm authentication (if fail this level go to next > > > > authentication) > > > > > > > > > > > > > > - basic authentication (if fails this level go to other > > > > > > > authentication systems) > > > > > > > > > > > > > > - read passwords in htpasswd file ( if this fails, then > access > > > not > > > > > > > granted) > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > To enable the following behaviour, I have included the following > > > > > > > directives in httpd.conf. > > > > > > > > > > > > > > - ntlmauthoritative off > > > > > > > - basicauthoritative off > > > > > > > > > > > > > > > > > > > > > I have also taken out the basic authentication to see if this > > works > > > ie > > > > > > > > > > > > > > Authtype ntlm (not basic) > > > > > > > > > > > > > > But this still does fail & allow the htpasswd system to verify > > > access. > > > > > > > > > > > > > > > > > > > > > > > > > > > > If there are changes that need to be made to the AuthenNTLM.pm, > I > > > am > > > > > > > not very well read in this area - are there any goof references. > > > > > > > > > > > > > > From my novice perspective, it appears that when NTLM is > included > > as > > > > > > > part of the authentication, the ability for normal modules to > > verify > > > > > > > access (ie htpasswd file) is no longer available ie the perl > > module > > > > does > > > > > > > not pass back what the standard modules are expecting. > > > > > > > > > > > > > > I am sorry to be a bit unclear in my analysis, but I am fairly > new > > > to > > > > > > > apache & perl modules. > > > > > > > > > > > > > > > > > > > > > Many Thanks > > > > > > > > > > > > > > > > > > > > > Adam > > > > > > > > > > > > > > > > > > > > > original email attached > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > > From: Gerald Richter [mailto:[EMAIL PROTECTED]] > > > > > > > Sent: Monday, 12 August 2002 5:35 PM > > > > > > > To: Kaye-Smith Adam; [EMAIL PROTECTED] > > > > > > > Subject: Re: NTLM module > > > > > > > > > > > > > > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > > > From: "Kaye-Smith Adam" <[EMAIL PROTECTED]> > > > > > > > To: <[EMAIL PROTECTED]> > > > > > > > Sent: Monday, August 12, 2002 4:51 AM > > > > > > > Subject: NTLM module > > > > > > > > > > > > > > > > > > > > > Hello , > > > > > > > > > > > > > > > > > > > > > >When I enter in an NT password it all works ok but when I use a > > > > > > > >user/pass from the htpasswd file, the only way it will work is > > that > > > I > > > > > > > >change the above line to > > > > > > > > > > > > > > > >AuthType Basic instead of > > > > > > > >AuthType ntlm,Basic. > > > > > > > > > > > > > > > > > > > > > > > >With this change I can access passwords in htpasswd & also > > > > authenticate > > > > > > > >from an NT server but I can no longer use NTLM. > > > > > > > > > > > > > > The problem is that Basic authentication requires a password > from > > > the > > > > > > > client > > > > > > > which can be compared against your password file. In case of > NTLM > > > > auth, > > > > > > > there is no password ever send over the wire, so Apache doesn't > > have > > > > > > > anything which it can compare against it's passwd file. > > > > > > > > > > > > > > The solution would be to derive a class from AuthenNTLM and do > the > > > > > > > computation of the challage and response based on the secrets in > > the > > > > > > > passwd > > > > > > > file (you would need to store MD4 hashs of your passwords > > > somewhere). > > > > > > > There > > > > > > > is a module called Perl::AuthenNTLM which may be helpfull in > doing > > > > this > > > > > > > task. > > > > > > > > > > > > > > Gerald > > > > > > > > > > > > > > > > > > > > > ------------------------------------------------------------- > > > > > > > Gerald Richter ecos electronic communication services gmbh > > > > > > > Internetconnect * Webserver/-design/-datenbanken * Consulting > > > > > > > > > > > > > > Post: Tulpenstrasse 5 D-55276 Dienheim b. Mainz > > > > > > > E-Mail: [EMAIL PROTECTED] Voice: +49 6133 925131 > > > > > > > WWW: http://www.ecos.de Fax: +49 6133 925152 > > > > > > > ------------------------------------------------------------- > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > ************************************************************************ > > > > > > > The information in this e-mail together with any attachments is > > > > > > > intended only for the person or entity to which it is addressed > > > > > > > and may contain confidential and/or privileged material. > > > > > > > > > > > > > > Any form of review, disclosure, modification, distribution > > > > > > > and/or publication of this e-mail message is prohibited. > > > > > > > > > > > > > > If you have received this message in error, you are asked to > > > > > > > inform the sender as quickly as possible and delete this message > > > > > > > and any copies of this message from your computer and/or your > > > > > > > computer system network. > > > > > > > > > > > > ************************************************************************ > > > > > > > > > > > > > > > > > > > > > > > > > > > > ------------------------------------------------------------- > > > > > > > Gerald Richter ecos electronic communication services gmbh > > > > > > > Internetconnect * Webserver/-design/-datenbanken * Consulting > > > > > > > > > > > > > > Post: Tulpenstrasse 5 D-55276 Dienheim b. Mainz > > > > > > > E-Mail: [EMAIL PROTECTED] Voice: +49 6133 925131 > > > > > > > WWW: http://www.ecos.de Fax: +49 6133 925152 > > > > > > > ------------------------------------------------------------- > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > ************************************************************************ The information in this e-mail together with any attachments is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any form of review, disclosure, modification, distribution and/or publication of this e-mail message is prohibited. If you have received this message in error, you are asked to inform the sender as quickly as possible and delete this message and any copies of this message from your computer and/or your computer system network. ************************************************************************