Re: [squid-users] Security of NTLM authentication

2009-06-03 Thread Guido Serassio

Hi,

At 01.59 03/06/2009, Amos Jeffries wrote:

On Tue, 02 Jun 2009 19:44:03 -0300, Leonardo Rodrigues
leolis...@solutti.com.br wrote:
 Hello Guys,

 a simple question. I know that basic authentication schemas
 transmit username/password in cleartext over the wire. It's base64
 encoded, but it's trivially detected and decoded, which makes them not
 the most secure ones to use.

 Are NTLM authentication schemas more secure than basic ones? I
 mean, do NTLM authentication schemas transmit cleartext (or simply
 encoded) usernames/passwords over the wire?

NTLM uses a side channel directly between the domain control server and the
machine needing to check auth. I'm not sure how that is coded. The HTTP
side of the triangle includes a hash of the credentials.

One thing to be wary of is that NTLM hash strength is pretty much limited
by the Windows releases involved. The older versions used by Win9x are
hashes which are now trivially broken; none are completely secure. The
latest Windows releases have deprecated it in favor of the much more secure
Kerberos (but that won't work with anything much older than XP and IE6).


Just some more explanation here:

There are two flavors of NTLM: V1 (the Windows 9x version) and V2.
Squid is able to use both, but V2 is more secure.

On the Kerberos side, you need the Negotiate authentication schema,
but there are some requirements to meet:

Browser:
- Internet Explorer 7.0 or later
- Firefox 1.5 or later
OS:
- Windows 2000 or later

So on Windows 2000 you can use Negotiate with Firefox only, while on
XP/2003 you need to install at least IE7 or Firefox.


Regards

Guido



-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it/



Re: [squid-users] Security of NTLM authentication

2009-06-03 Thread Leonardo Rodrigues

Guido Serassio wrote:


Just some more explanation here:

There are two flavors of NTLM: V1 (the Windows 9x version) and V2.
Squid is able to use both, but V2 is more secure.

On the Kerberos side, you need the Negotiate authentication schema,
but there are some requirements to meet:

Browser:
- Internet Explorer 7.0 or later
- Firefox 1.5 or later
OS:
- Windows 2000 or later

So on Windows 2000 you can use Negotiate with Firefox only, while on
XP/2003 you need to install at least IE7 or Firefox.




   Hi Guido,

   Thanks for the extra information.

   Is it possible to configure Squid to use only NTLM v2? I'm actually
doing the basics:



auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive on
external_acl_type ad_group ttl=1800 children=50 %LOGIN /usr/bin/wbinfo_group.pl





--

Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email to it:
gertru...@solutti.com.br
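Leonardo's question of whether Squid can be limited to NTLMv2 is left open in the thread. What a proxy administrator can do is measure which version clients are actually presenting: in the NTLMSSP Type 3 (AUTHENTICATE) message carried in Proxy-Authorization, an NTLMv1 NT response is always exactly 24 bytes, while an NTLMv2 response is a 16-byte HMAC-MD5 proof followed by a variable-length client blob. The following is an added Python example, not code from this thread or from Squid; `classify_proxy_auth` and `ntlm_header` are names chosen here, and the Type 3 message the helper builds is constructed so the classifier can be exercised offline.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3  # NTLMSSP Type 3, sent by the client


def classify_proxy_auth(header_value):
    """Classify a Proxy-Authorization header value by scheme and, for
    NTLM Type 3 messages, by the NTLM version the client actually used.

    Returns 'basic', 'digest', 'negotiate', 'ntlm-other', 'ntlm-v1',
    'ntlm-v2' or 'unknown'. Credentials are never decoded or returned.
    """
    scheme, _, token = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme in ("basic", "digest", "negotiate"):
        return scheme  # Basic is only base64: plaintext-equivalent
    if scheme != "ntlm":
        return "unknown"
    try:
        msg = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    if len(msg) < 64 or msg[:8] != NTLMSSP_SIGNATURE:
        return "unknown"
    if struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE_MESSAGE:
        return "ntlm-other"  # Type 1 NEGOTIATE (Type 2 comes from the server)
    # NtChallengeResponseFields at offset 20: Len u16, MaxLen u16, Offset u32
    nt_len, _maxlen, nt_off = struct.unpack_from("<HHI", msg, 20)
    if nt_off + nt_len > len(msg):
        return "unknown"
    # NTLMv1 (with or without NTLM2 session security) always carries a
    # fixed 24-byte DES-based NT response; NTLMv2 carries a 16-byte
    # HMAC-MD5 proof plus a variable client blob, so it is always longer.
    return "ntlm-v1" if nt_len == 24 else "ntlm-v2"


def ntlm_header(nt_response, lm_response=b"\x00" * 24):
    """CONSTRUCTED minimal Type 3 message (empty domain, user, workstation
    and session-key fields), wrapped as a Proxy-Authorization value."""
    lm_off = 64  # fixed header: signature, type, six field descriptors, flags
    nt_off = lm_off + len(lm_response)
    fields = struct.pack("<HHI", len(lm_response), len(lm_response), lm_off)
    fields += struct.pack("<HHI", len(nt_response), len(nt_response), nt_off)
    fields += struct.pack("<HHI", 0, 0, 64) * 4  # Domain, User, Workstation, Key
    msg = (NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE)
           + fields + struct.pack("<I", 0) + lm_response + nt_response)
    return "NTLM " + base64.b64encode(msg).decode("ascii")
```

Run over the Proxy-Authorization values seen by the proxy, counting 'ntlm-v1' results tells you how many clients would break if NTLMv1 were switched off.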






[squid-users] Security of NTLM authentication

2009-06-02 Thread Leonardo Rodrigues


   Hello Guys,

   A simple question. I know that basic authentication schemas
transmit username/password in cleartext over the wire. It's base64
encoded, but it's trivially detected and decoded, which makes them not
the most secure ones to use.


   Are NTLM authentication schemas more secure than basic ones? I
mean, do NTLM authentication schemas transmit cleartext (or simply
encoded) usernames/passwords over the wire?









Re: [squid-users] Security of NTLM authentication

2009-06-02 Thread Amos Jeffries
On Tue, 02 Jun 2009 19:44:03 -0300, Leonardo Rodrigues
leolis...@solutti.com.br wrote:
 Hello Guys,
 
 a simple question. I know that basic authentication schemas
 transmit username/password in cleartext over the wire. It's base64
 encoded, but it's trivially detected and decoded, which makes them not
 the most secure ones to use.

 Are NTLM authentication schemas more secure than basic ones? I
 mean, do NTLM authentication schemas transmit cleartext (or simply
 encoded) usernames/passwords over the wire?

NTLM uses a side channel directly between the domain control server and the
machine needing to check auth. I'm not sure how that is coded. The HTTP
side of the triangle includes a hash of the credentials.

One thing to be wary of is that NTLM hash strength is pretty much limited
by the Windows releases involved. The older versions used by Win9x are
hashes which are now trivially broken; none are completely secure. The
latest Windows releases have deprecated it in favor of the much more secure
Kerberos (but that won't work with anything much older than XP and IE6).

There is also digest authentication, which is the IETF standard for secure
authentication over HTTP. Some people actually use it too. And it works
without needing windows or domain controllers.

Amos



Re: [squid-users] Security of NTLM authentication

2009-06-02 Thread Leonardo Rodrigues

Amos Jeffries wrote:


One thing to be wary of is that NTLM hash strength is pretty much limited
by the Windows releases involved. The older versions used by Win9x are
hashes which are now trivially broken; none are completely secure. The
latest Windows releases have deprecated it in favor of the much more secure
Kerberos (but that won't work with anything much older than XP and IE6).


   Supporting Win9x is not needed and, if I can do anything to really
disallow those to browse, I will :)


   Basically my clients will be Win9x and Vista and Windows 2003/2008
servers as well. There's absolutely no chance of having Win9x on my
project, which seems to be good.



There is also digest authentication, which is the IETF standard for secure
authentication over HTTP. Some people actually use it too. And it works
without needing windows or domain controllers.


   Having a domain controller is not a problem indeed. In fact I need
Squid to use AD usernames and passwords. Anyway, I'll look for digest
authentication.


   Thanks for the answer and for the hints.


