Re: [squid-users] problem with ntlm_smb_lm_auth helper

2015-09-17 Thread Emmanuel Garette
On 16/09/2015 11:40, Amos Jeffries wrote:
> On 16/09/2015 9:05 p.m., Emmanuel Garette wrote:
>> On 07/09/2015 18:40, Amos Jeffries wrote:
>>> On 8/09/2015 1:17 a.m., Emmanuel Garette wrote:
>>>> Seems to be ok for me. Thanks for your fast reply.
>>>>
>>>> Do I need to open a bug in Bugzilla?
>>>>
>>> No need. I think this may be one of the existing ones about this helper.
>>> Thanks for the feedback, it should be applied to the current versions
>>> shortly.
>> Hi,
>>
>> Today I found a new problem. Everything works fine with computers joined to
>> the Windows domain, but not for computers using CNTLM (not in the domain).
>>
>> In debug mode I can see this error:
>>
>>> ntlm_smb_lm_auth.cc(307): pid=4668 :NT response: insane data (pkt-sz: 108, fetch len: 0, offset: 108)
>>
>> If I understand, there is no NT password.
>>
>> In older code, there was this line:
>>
>>> tmp = ntlm_fetch_string ((char *) auth, auth_length, &auth->ntresponse);
>>> if (tmp.str != NULL && tmp.l != 0) {
>> The NT password was checked only if len was different from 0.
>>
>> In this part of your patch:
>>> /* still fetch the NT response and check validity against empty password */
>>>  {
>>>  const strhdr * str = &auth->ntresponse;
>>>  int16_t len = le16toh(str->len);
>>>  int32_t offset = le32toh(str->offset);
>>>  if (len != ENCODED_PASS_LEN || offset + len > auth_length || offset == 0) {
>>
>> If I replace the last line with:
>>
>>> if ((len != 0 && len != ENCODED_PASS_LEN) || offset + len > auth_length || offset == 0) {
>>
>> Everything works well.
> By that do you mean it rejects with "Empty NT password supplied for
> user" ?  or that it accepts the login?
I'm not familiar with the NTLM protocol, but in my case the NT password seems to
be empty (length 0). In this case, the older version of the helper accepts it.
The new one exits with the error "insane data". That is why I propose to test if
len is not null.

The NT password is empty with cNTLM but also with Firefox on a GNU/Linux
workstation.

Regards,
>
> Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
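
The length/offset check debated in this message, written out as an added example (not code from Squid or from the patch in this thread): it classifies a response header as absent, present or insane, reading both fields as unsigned and comparing by subtraction so that offset + len cannot wrap. ENCODED_PASS_LEN = 24 is assumed from the "(length: 24)" in the debug output quoted in the thread; the 8-byte header layout, its position at byte 20 in the constructed sample, the function names and the result codes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ENCODED_PASS_LEN 24  /* assumed from "(length: 24)" in the helper's debug log */
enum resp_state { RESP_INSANE = -1, RESP_ABSENT = 0, RESP_PRESENT = 1 }; /* hypothetical names */

/* Little-endian reads, byte by byte: no alignment or host-endianness assumptions. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate the header (16-bit len, 16-bit maxlen, 32-bit offset; assumed layout)
 * at hdr_off inside pkt[0..pkt_len); point *out at the blob when one is present. */
enum resp_state check_response(const uint8_t *pkt, size_t pkt_len,
                               size_t hdr_off, const uint8_t **out)
{
    *out = NULL;
    if (pkt_len < 8 || hdr_off > pkt_len - 8)
        return RESP_INSANE;              /* the header itself is out of bounds */
    uint16_t len = rd16(pkt + hdr_off);
    uint32_t offset = rd32(pkt + hdr_off + 4);
    if (len == 0)
        return RESP_ABSENT;              /* nothing to fetch, so offset is not examined */
    if (len != ENCODED_PASS_LEN)
        return RESP_INSANE;              /* a fixed-size blob, never a shorter "string" */
    /* Subtract rather than add: offset + len can never wrap past pkt_len. */
    if (offset == 0 || offset > pkt_len || len > pkt_len - offset)
        return RESP_INSANE;
    *out = pkt + offset;
    return RESP_PRESENT;
}

/* Constructed sample: a 108-byte packet whose header at byte 20 carries the given
 * fields, mirroring "pkt-sz: 108, fetch len: 0, offset: 108" from the debug line. */
enum resp_state demo(uint16_t len, uint32_t offset)
{
    uint8_t pkt[108] = {0};
    const uint8_t *resp;
    pkt[20] = (uint8_t)len;
    pkt[21] = (uint8_t)(len >> 8);
    for (int i = 0; i < 4; i++)
        pkt[24 + i] = (uint8_t)(offset >> (8 * i));
    return check_response(pkt, sizeof pkt, 20, &resp);
}

int main(void)
{
    printf("%d %d %d\n", (int)demo(0, 108), (int)demo(24, 84), (int)demo(24, 85));
    return 0;
}
```

A caller should treat RESP_ABSENT as "no NT response to compare", not as a successful match.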


Re: [squid-users] problem with ntlm_smb_lm_auth helper

2015-09-16 Thread Emmanuel Garette
On 16/09/2015 11:05, Emmanuel Garette wrote:
> On 07/09/2015 18:40, Amos Jeffries wrote:
>> On 8/09/2015 1:17 a.m., Emmanuel Garette wrote:
>>> Seems to be ok for me. Thanks for your fast reply.
>>>
>>> Do I need to open a bug in Bugzilla?
>>>
>> No need. I think this may be one of the existing ones about this helper.
>> Thanks for the feedback, it should be applied to the current versions
>> shortly.
> Hi,
>
> Today I found a new problem. Everything works fine with computers joined to
> the Windows domain, but not for computers using CNTLM (not in the domain).
>
> In debug mode I can see this error:
>
>> ntlm_smb_lm_auth.cc(307): pid=4668 :NT response: insane data (pkt-sz: 108, fetch len: 0, offset: 108)
>
> If I understand, there is no NT password.

I forgot the trace:

YR TlRMTVNTUAABBrIAAAkACQAmBgAGACBTQ1JJQkVET01QRURBR08=
KK
TlRMTVNTUAADGAAYAFQAbAkACQBABQAFAEkGAAYATgBsgoJBAERPTVBFREFHT0FETUlOU0NSSUJFXRkbGCsAILbqhuHyAIWo6XZwbXFCW0p5

Regards,
>
> In older code, there was this line:
>
>> tmp = ntlm_fetch_string ((char *) auth, auth_length, &auth->ntresponse);
>> if (tmp.str != NULL && tmp.l != 0) {
> The NT password was checked only if len was different from 0.
>
> In this part of your patch:
>> /* still fetch the NT response and check validity against empty password */
>>  {
>>  const strhdr * str = &auth->ntresponse;
>>  int16_t len = le16toh(str->len);
>>  int32_t offset = le32toh(str->offset);
>>  if (len != ENCODED_PASS_LEN || offset + len > auth_length || offset == 0) {
>
> If I replace the last line with:
>
>> if ((len != 0 && len != ENCODED_PASS_LEN) || offset + len > auth_length || offset == 0) {
>
> Everything works well.
>
> Regards,
>> Amos


Re: [squid-users] problem with ntlm_smb_lm_auth helper

2015-09-16 Thread Emmanuel Garette
On 07/09/2015 18:40, Amos Jeffries wrote:
> On 8/09/2015 1:17 a.m., Emmanuel Garette wrote:
>>
>> Seems to be ok for me. Thanks for your fast reply.
>>
>> Do I need to open a bug in Bugzilla?
>>
> No need. I think this may be one of the existing ones about this helper.
> Thanks for the feedback, it should be applied to the current versions
> shortly.

Hi,

Today I found a new problem. Everything works fine with computers joined to
the Windows domain, but not for computers using CNTLM (not in the domain).

In debug mode I can see this error:

> ntlm_smb_lm_auth.cc(307): pid=4668 :NT response: insane data (pkt-sz: 108, fetch len: 0, offset: 108)

If I understand, there is no NT password.

In older code, there was this line:

> tmp = ntlm_fetch_string ((char *) auth, auth_length, &auth->ntresponse);
> if (tmp.str != NULL && tmp.l != 0) {

The NT password was checked only if len was different from 0.

In this part of your patch:
> /* still fetch the NT response and check validity against empty password */
>  {
>  const strhdr * str = &auth->ntresponse;
>  int16_t len = le16toh(str->len);
>  int32_t offset = le32toh(str->offset);
>  if (len != ENCODED_PASS_LEN || offset + len > auth_length || offset == 0) {

If I replace the last line with:

> if ((len != 0 && len != ENCODED_PASS_LEN) || offset + len > auth_length || offset == 0) {

Everything works well.

Regards,
>
> Amos


Re: [squid-users] problem with ntlm_smb_lm_auth helper

2015-09-07 Thread Emmanuel Garette
On 07/09/2015 14:01, Amos Jeffries wrote:
> On 7/09/2015 10:23 p.m., Emmanuel Garette wrote:
>> ntlmssp: bad ascii: fffb
>> ntlmssp: bad ascii: ff99
>> ntlmssp: bad ascii: ffdc
>> ntlmssp: bad ascii: fff3
>> ntlmssp: bad ascii: 
>> ntlmssp: bad ascii: ffdd
>> ntlmssp: bad ascii: fffa
>> ntlmssp: bad ascii: ff8f
>> ntlmssp: bad ascii: ffa6
>> ntlmssp: bad ascii: 0017
>> ntlmssp: bad ascii: ffca
>> ntlmssp: bad ascii: ff97
>> ntlmssp: bad ascii: ffeb
>> ntlmssp: bad ascii: ffd2
>> ntlmssp: bad ascii: fffc
>> ntlmssp: bad ascii: ffda
>> ntlmssp: bad ascii: ffa9
>> ntlmssp: bad ascii: ffdd
>> ntlm_smb_lm_auth.cc(277): pid=5278 :Empty LM pass detection: user:
>> 'ADMIN', ours:'(E�
>>  
>>
>> �p�����(jw�B�.Q�7��h(�', his: '�2��Z�' (length: 24)
>> ntlmssp: bad ascii: ffdd
>> ntlmssp: bad ascii: 0018
>> ntlmssp: bad ascii: ffb2
>> ntlmssp: bad ascii: 001e
>> ntlmssp: bad ascii: ff9b
>> ntlmssp: bad ascii: fffd
>> ntlmssp: bad ascii: 007f
>> ntlmssp: bad ascii: 0010
>> ntlmssp: bad ascii: ff89
>> ntlmssp: bad ascii: ff8c
>> ntlmssp: bad ascii: ff85
>> ntlmssp: bad ascii: ffa0
>> ntlmssp: bad ascii: ffac
>> ntlmssp: bad ascii: ffb8
>> ntlmssp: bad ascii: 
>> ntlm_smb_lm_auth.cc(288): pid=5278 :Empty NT pass detection: user:
>> 'ADMIN', ours:'�a����A
>>  
>> 
>> ��2��', his: '�g[�S�P�Z<�^�:���<�M' (length: 24)
>> ntlm_smb_lm_auth.cc(299): pid=5278 :checking domain: 'DOMPEDAGO', user:
>> 'ADMIN', pass='�2��Z�'
>>
> Ah! fetch_string should not even have been used at all on these encoded
> blobs. They are not strings. That appears to be the problem.
>
> Please try the attached patch.
> (It should apply on squid-3.3 with patch -p0 ).
Seems to be ok for me. Thanks for your fast reply.

Do I need to open a bug in Bugzilla?


>
> Amos
>
>


Re: [squid-users] problem with ntlm_smb_lm_auth helper

2015-09-07 Thread Emmanuel Garette
On 07/09/2015 12:00, Amos Jeffries wrote:
> On 7/09/2015 8:01 p.m., Emmanuel Garette wrote:
>> Hi,
>>
>> I managed to migrate my Squid version from 3.1.19 to 3.3.8 (the version
>> included in Ubuntu LTS) and I'm using the ntlm_smb_lm_auth helper.
> Please make an effort not to use this helper. It is well worth avoiding
> if you can. Your network is in fact far *more secure* using plain old
> Basic auth than using SMB LM auth.
>
>
>> I cannot authenticate any user with this version of the helper.
>>
>> I have two problems:
>>
>> * in file lib/ntlmauth/ntlmauth.cc, this line is not working:
>>
>> /* Authenticating against the NT response doesn't seem to work... */
>> tmp = ntlm_fetch_string(&(auth->hdr), auth_length, &auth->lmresponse, 
>> auth->flags);
>>
>>
>> The function ntlm_fetch_string checks if the password contains only ASCII
>> characters. In my test, the password contains no ASCII characters at all.
>>
>> In file lib/ntlmauth/ntlmauth.cc, if I remove "return rv;" here:
>>
>> fprintf(stderr, "ntlmssp: bad ascii: %04x\n", *sc);
>> return rv;
>>
>>  all works fine.
> That is bad. Doing so tells Squid that your invalid NTLM token is valid.
>
> It contains flags explicitly stating that the strings inside are ASCII.
> Then contains non-ASCII strings. In no way is that a valid token. The
> helper should be rejecting these.
>
> This helper does accept non-ASCII strings. As long as the flag in the
> token is properly indicating UNICODE / non-ASCII support.
>
>
>> * in file lib/ntlmauth/ntlmauth.cc, the test is not correct:
>>
>> /* Authenticating against the NT response doesn't seem to work... */
>> tmp = ntlm_fetch_string(&(auth->hdr), auth_length, &auth->lmresponse, 
>> auth->flags);
>> if (tmp.str == NULL || tmp.l == 0) {
>> fprintf(stderr, "No auth at all. Returning no-auth\n");
>> ntlm_errno = NTLM_ERR_LOGON;
>> return NULL;
>> }
>>
>> Value of tmp.l is -1 for me (the first character is not an ASCII
>> character). The test should be "tmp.l < 1".
>
> That tells me something may have made the code of your helper different
> from the code we distribute.
>
> "rv.l = 0" is set explicitly by ntlm_fetch_string() before running the
> ASCII/UNICODE validation scans. It is only -1 before the rv.str has been
> set.
>
> In the (tmp.str == NULL || tmp.l == 0) check the (tmp.str == NULL) part
> is true whenever tmp.l is -1.
>
>
>> I'm not sure (I have not tried with this version) but those problems seem to be
>> in the trunk version.
>>
>> I would like to know if I am wrong or if there is a better solution
>> than removing the return line.
>
> Would you mind mailing me a copy of the HTTP headers containing the NTLM
> tokens that are breaking for you? Private reply to this is fine, since
> they contain plain-text passwords and I need the full exact tokens (type
> 1, 2, and 3 if you can) as found in the HTTP message.
I've a testing domain without real user/password, so there is nothing
private.

Here is the information sent by my browser:

YR TlRMTVNTUAABB4IIogAFASgKDw==
KK
TlRMTVNTUAADGAAYAF0YABgAdQkACQBIBQAFAFEHAAcAVgCNBoIAAgUBKAoPRE9NUEVEQUdPQURNSU5FT0xFLVhQ+zKZ3FrzAN36j1+mF8qXJevSL3r8fNqp3RhnW7JTHptQ/X9aEDyJXow6haCsPLhN

Here is some trace when I remove the "return" line:

# /usr/lib/squid3/ntlm_smb_lm_auth -d dompedago/scribe
ntlm_smb_lm_auth.cc(384): pid=5278 :Adding domain-controller dompedago/scribe
ntlm_smb_lm_auth.cc(640): pid=5278 :options processed OK
YR TlRMTVNTUAABB4IIogAFASgKDw==
ntlm_smb_lm_auth.cc(482): pid=5278 :managing request
ntlm_smb_lm_auth.cc(488): pid=5278 :ntlm authenticator. Got 'YR TlRMTVNTUAABB4IIogAFASgKDw==' from Squid
ntlm_smb_lm_auth.cc(438): pid=5278 :obtain_challenge: selecting DOMPEDAGO\SCRIBE (attempt #1)
ntlm_smb_lm_auth.cc(450): pid=5278 :attempting challenge retrieval
ntlm_smb_lm_auth.cc(154): pid=5278 :Connecting to server SCRIBE domain DOMPEDAGO
ntlm_smb_lm_auth.cc(452): pid=5278 :make_challenge retuned 0x7f3dad1e63c0
ntlm_smb_lm_auth.cc(454): pid=5278 :Got it
ntlm_smb_lm_auth.cc(623): pid=5278 :sending 'TT TlRMTVNTUAACCQAJACgAAACCgkEAxzeor2goxxIAAERPTVBFREFHTw==' to squid
TT TlRMTVNTUAACCQAJACgAAACCgkEAxzeor2goxxIAAERPTVBFREFHTw==
KK
TlRMTVNTUAADGAAYAF0YABgAdQkACQBIBQAFAFEHAAcAVgCNBoIAAgUBKAoPRE9NUEVEQUdPQURNSU5FT0xFLVhQ+zKZ3FrzAN36j1+mF8qX

[squid-users] problem with ntlm_smb_lm_auth helper

2015-09-07 Thread Emmanuel Garette
Hi,

I managed to migrate my Squid version from 3.1.19 to 3.3.8 (the version
included in Ubuntu LTS) and I'm using the ntlm_smb_lm_auth helper.

I cannot authenticate any user with this version of the helper.

I have two problems:

* in file lib/ntlmauth/ntlmauth.cc, this line is not working:

/* Authenticating against the NT response doesn't seem to work... */
tmp = ntlm_fetch_string(&(auth->hdr), auth_length, &auth->lmresponse, 
auth->flags);


The function ntlm_fetch_string checks if the password contains only ASCII
characters. In my test, the password contains no ASCII characters at all.

In file lib/ntlmauth/ntlmauth.cc, if I remove "return rv;" here:

fprintf(stderr, "ntlmssp: bad ascii: %04x\n", *sc);
return rv;

 all works fine.

* in file lib/ntlmauth/ntlmauth.cc, the test is not correct:

/* Authenticating against the NT response doesn't seem to work... */
tmp = ntlm_fetch_string(&(auth->hdr), auth_length, &auth->lmresponse, 
auth->flags);
if (tmp.str == NULL || tmp.l == 0) {
fprintf(stderr, "No auth at all. Returning no-auth\n");
ntlm_errno = NTLM_ERR_LOGON;
return NULL;
}

Value of tmp.l is -1 for me (the first character is not an ASCII
character). The test should be "tmp.l < 1".

I'm not sure (I have not tried with this version) but those problems seem to be
in the trunk version.

I would like to know if I am wrong or if there is a better solution
than removing the return line.

Regards,