The username/password pair is sent only once to the issuer machine and the
follow-up authentications are performed using a self-certified, time-limited
hash. In fact, it is based on access control, having nothing to do with Basic
Authentication. This is discussed in detail in the Eagle book. I am not sure
if NTLM is even better, but for most applications it is pretty secure.

Peter

----- Original Message -----
From: "Gerald Richter" <[EMAIL PROTECTED]>
To: "Peter Bi" <[EMAIL PROTECTED]>; "Kaye-Smith Adam"
<[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, August 13, 2002 12:29 PM
Subject: Re: NTLM module


> >
> > if you check the source of the Smb implementation of the module, you would
> > see that it performs basically the same function as NTLM. I agree with you
> > that it does not fit the Microsoft definition of NTLM, so it is not a NTLM
> > implementation. If one's purpose is to pass the protection by providing a
> > valid username/password pair in a NT domain, then one does not have to
> > follow that definition and the current Smb implementation is one of the
> > possible solutions.
> >
>
> The point is not how the password is passed to the NT server, the point is
> how the browser and the web server exchange the credentials. With Basic
> auth and with your module the user enters a username and a password and you
> use different backends to verify this. With NTLM authentication the Internet
> Explorer and the web server use a challenge-response procedure to exchange
> credentials (and IE does this without asking the user, so you get logged on
> with your Windows username, which saves the user some extra typing). They
> never send the password over the wire, so you don't have a password to
> send/verify to your backend.
>
> What you are talking about is the verification of the password between the
> web server and the NT domain controller, that's something different.
>
> Gerald
>
> >
> > Peter
> >
> > ----- Original Message -----
> > From: "Gerald Richter" <[EMAIL PROTECTED]>
> > To: "Peter Bi" <[EMAIL PROTECTED]>; "Kaye-Smith Adam"
> > <[EMAIL PROTECTED]>
> > Cc: <[EMAIL PROTECTED]>
> > Sent: Tuesday, August 13, 2002 12:53 AM
> > Subject: Re: NTLM module
> >
> >
> > >
> > > > You may check Apache::Access module at http://modperl.home.att.net in
> > > > which I tried to provide a general solution to several popular
> > > > authentication issuers such as SMB, LDAP, IMAP, NIS, FTP, LWP and DBI
> > > > etc.
> > > >
> > >
> > > I think you missed the point (or I misunderstood your module): The
> > > problem is not doing the authentication against whatever, but doing NTLM
> > > authentication. With NTLM auth you don't get a password from the client,
> > > so how would you compare the password that you don't have against "SMB,
> > > LDAP, IMAP, NIS, FTP, LWP and DBI etc."?
> > >
> > > The only solution is to reimplement the challenge/response that NTLM
> > > does. (The module Authen::Perl::NTLM may be helpful here.) To do this you
> > > need either the password in clear text to compute the NT password hash (a
> > > sort of MD4 hash) or the precomputed NT password hash. You won't have
> > > this with LDAP, IMAP, NIS, FTP, LWP and DBI etc....
> > >
> > > Gerald
> > >
> > > -------------------------------------------------------------
> > > Gerald Richter    ecos electronic communication services gmbh
> > > Internetconnect * Webserver/-design/-datenbanken * Consulting
> > >
> > > Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
> > > E-Mail:     [EMAIL PROTECTED]         Voice:    +49 6133 925131
> > > WWW:        http://www.ecos.de      Fax:      +49 6133 925152
> > > -------------------------------------------------------------
> > >
> > >
> > > > Cheers.
> > > >
> > > >
> > > > Peter Bi
> > > >
> > > > ----- Original Message -----
> > > > From: "Gerald Richter" <[EMAIL PROTECTED]>
> > > > To: "Kaye-Smith Adam" <[EMAIL PROTECTED]>
> > > > Cc: <[EMAIL PROTECTED]>
> > > > Sent: Monday, August 12, 2002 9:12 PM
> > > > Subject: Re: NTLM module
> > > >
> > > >
> > > > >
> > > > > >According to the documentation, if you set NTLMauthoritative to
> > > > > >off, then if NTLM authorization fails, then it should pass it on to
> > > > > >the lower level modules.
> > > > >
> > > > > Yes, that's true and it works like you describe it. The point that
> > > > > you are missing is (and that I have tried to show in my last mail)
> > > > > that during NTLM authentication there is no password! NTLM never
> > > > > passes the password to the server, so even if control gets passed to
> > > > > the lower level module, this lower level module must be able to
> > > > > handle NTLM. The default Apache auth handler isn't able to do so. It
> > > > > expects a password, which it doesn't get because the client never has
> > > > > sent it.
> > > > >
> > > > > Hope it's a little bit more clear now
> > > > >
> > > > > Gerald
> > > > >
> > > > > I have cut out the below section from the doco which
> > > > > relates to the above functionality:
> > > > > "
> > > > > =head2 PerlSetVar ntlmauthoritative
> > > > >
> > > > > Setting the ntlmauthoritative directive explicitly to 'off' allows
> > > > > authentication to be passed on to lower level modules if AuthenNTLM
> > > > > cannot authenticate the user and the NTLM authentication scheme is
> > > > > used. If set to 'on', which is the default, AuthenNTLM will try to
> > > > > verify the user and if it fails will give an Authorization Required
> > > > > reply.
> > > > >
> > > > > =head2 PerlSetVar basicauthoritative
> > > > >
> > > > > Setting the ntlmauthoritative directive explicitly to 'off' allows
> > > > > authentication to be passed on to lower level modules if AuthenNTLM
> > > > > cannot authenticate the user and the Basic authentication scheme is
> > > > > used. If set to 'on', which is the default, AuthenNTLM will try to
> > > > > verify the user and if it fails will give an Authorization Required
> > > > > reply.
> > > > > "
> > > > >
> > > > > From the above description, I am hoping for the following events to
> > > > > take place:
> > > > >
> > > > > -   ntlm authentication   (if this level fails, go to next
> > > > >     authentication)
> > > > >
> > > > > -   basic authentication  (if this level fails, go to other
> > > > >     authentication systems)
> > > > >
> > > > > -   read passwords in htpasswd file  (if this fails, then access is
> > > > >     not granted)
> > > > >
> > > > > To enable the following behaviour, I have included the following
> > > > > directives in httpd.conf.
> > > > >
> > > > > -  ntlmauthoritative off
> > > > > -  basicauthoritative off
> > > > >
> > > > > I have also taken out the basic authentication to see if this works,
> > > > > i.e.
> > > > >
> > > > > Authtype ntlm   (not basic)
> > > > >
> > > > > But this still fails to allow the htpasswd system to verify access.
> > > > >
> > > > > If there are changes that need to be made to the AuthenNTLM.pm, I am
> > > > > not very well read in this area - are there any good references?
> > > > >
> > > > > From my novice perspective, it appears that when NTLM is included as
> > > > > part of the authentication, the ability for normal modules to verify
> > > > > access (i.e. htpasswd file) is no longer available, i.e. the perl
> > > > > module does not pass back what the standard modules are expecting.
> > > > >
> > > > > I am sorry to be a bit unclear in my analysis, but I am fairly new
> > > > > to apache & perl modules.
> > > > >
> > > > > Many Thanks
> > > > >
> > > > > Adam
> > > > >
> > > > > original email attached
> > > > >
> > > > > -----Original Message-----
> > > > > From: Gerald Richter [mailto:[EMAIL PROTECTED]]
> > > > > Sent: Monday, 12 August 2002 5:35 PM
> > > > > To: Kaye-Smith Adam; [EMAIL PROTECTED]
> > > > > Subject: Re: NTLM module
> > > > >
> > > > >
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Kaye-Smith Adam" <[EMAIL PROTECTED]>
> > > > > To: <[EMAIL PROTECTED]>
> > > > > Sent: Monday, August 12, 2002 4:51 AM
> > > > > Subject: NTLM module
> > > > >
> > > > >
> > > > > Hello,
> > > > >
> > > > > >When I enter in an NT password it all works ok but when I use a
> > > > > >user/pass from the htpasswd file, the only way it will work is that
> > > > > >I change the above line to
> > > > > >
> > > > > >AuthType Basic                     instead of
> > > > > >AuthType ntlm,Basic.
> > > > > >
> > > > > >With this change I can access passwords in htpasswd & also
> > > > > >authenticate from an NT server but I can no longer use NTLM.
> > > > >
> > > > > The problem is that Basic authentication requires a password from
> > > > > the client which can be compared against your password file. In case
> > > > > of NTLM auth, there is no password ever sent over the wire, so Apache
> > > > > doesn't have anything which it can compare against its passwd file.
> > > > >
> > > > > The solution would be to derive a class from AuthenNTLM and do the
> > > > > computation of the challenge and response based on the secrets in the
> > > > > passwd file (you would need to store MD4 hashes of your passwords
> > > > > somewhere). There is a module called Perl::AuthenNTLM which may be
> > > > > helpful in doing this task.
> > > > >
> > > > > Gerald
> > > > >
>
