On 6/03/2013 7:17 a.m., Steve Hill wrote:
> This might be slightly controversial... :)
Very slightly. Mostly on the grounds that NTLM is an officially
deprecated protocol - adding improved support for it is counter
productive to the goals of eradicating it from the Internet.
On the security front, altering the helper is okay. It is the process
responsible for all manipulation of the credentials received. As long as
the user:password token received in HTTP by Squid is passed to it
without manipulation there is nothing to worry about in respect to Squid.
> When accessing Squid from a Windows machine that is not logged onto a
> domain, Internet Explorer presents the user with a proxy
> authentication dialogue box for NTLM authentication, which requires
> the user name to be entered as DOMAIN\user. Other software may
> instead choose to use basic auth (handled by the basic_pam_auth
> authenticator) and pop up a similar authentication box which requires
> the bare user name (no "DOMAIN\").
> It is often not clear to the user that there is a difference between
> these popup boxes, so they may not know whether or not to include the
> Windows domain. The attached patch modifies basic_pam_auth so that
> the user can enter their user name as a bare name, "DOMAIN\user" or
> "user@domain" and strips the domain part off so that the bare user
> name can be authenticated against PAM.
> This should simplify things for the users, since they can just be told
> to enter their details in the "DOMAIN\user" format everywhere and it
> should just work. Obviously not much use in a multi-domain setup, but
> presumably one wouldn't be authenticating against PAM in such a
> situation anyway (?).
As submitted the patch will completely break on all installations which
allow / or @ characters in usernames. I am aware that there are
definitely some networks allowing those - whether they use PAM is unknown.
This will need at least a helper command line option to enable the
stripping. I suggest the -r option as previously used in
negotiate_kerberos_auth.
http://www.squid-cache.org/Versions/v3/3.2/manuals/negotiate_kerberos_auth.html
Amos
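For readers following the thread, here is an added illustration (not Steve's patch and not Squid's basic_pam_auth code) of the domain-stripping step with the opt-in switch Amos asks for: stripping only happens when the operator has enabled it (standing in for a -r command line option), so installations that allow '\' or '@' inside user names keep their names intact. The domain and user names are constructed sample values.

```c
/* Added example, not Squid code: derive the bare PAM user name from the
 * login a browser sends, honouring an operator-controlled strip switch. */
#include <stdio.h>
#include <string.h>

/* Copy the user name to authenticate against PAM into `out`.
 * strip_domain == 0: pass `login` through untouched, so networks that
 *                    permit '\' or '@' in user names are not broken.
 * strip_domain != 0: accept "DOMAIN\user", "user@domain" or "user" and
 *                    keep only "user".
 * Returns 0 on success, -1 if the result would be empty or not fit. */
int bare_username(const char *login, int strip_domain, char *out, size_t outlen)
{
    const char *start = login;
    size_t len = strlen(login);

    if (strip_domain) {
        const char *bs = strchr(start, '\\');
        if (bs) {                      /* DOMAIN\user: keep what follows '\' */
            start = bs + 1;
            len = strlen(start);
        }
        const char *at = strchr(start, '@');
        if (at)                        /* user@domain: keep what precedes '@' */
            len = (size_t)(at - start);
    }
    /* An empty name (e.g. "DOMAIN\" or "@realm") must not reach PAM. */
    if (len == 0 || len + 1 > outlen)
        return -1;
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed logins as a helper might see them on stdin. */
    const char *logins[] = { "EXAMPLE\\alice", "bob@example.test", "carol", "EXAMPLE\\" };
    char name[64];
    for (size_t i = 0; i < sizeof logins / sizeof logins[0]; i++) {
        if (bare_username(logins[i], 1, name, sizeof name) == 0)
            printf("%-20s -> %s\n", logins[i], name);
        else
            printf("%-20s -> ERR (empty or too long)\n", logins[i]);
    }
    return 0;
}
```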