On 05.03.13 23:19, Amos Jeffries wrote:
> Very slightly. Mostly on the grounds that NTLM is an officially
> deprecated protocol - adding improved support for it is counterproductive
> to the goals of eradicating it from the Internet.
As much as I'd love to see the back of NTLM, there doesn't seem to be a
way of eradicating it (in Windows networks). In order to use Kerberos
you need to offer Negotiate authentication, which automatically means
you have to support NTLM (since that's also part of Negotiate). Windows
machines that are logged onto the domain will use Kerberos, but those
not logged onto the domain will use NTLM in preference to Basic. I'm
not sure what happens if both Negotiate and Digest are offered; but
Digest is unfortunately not always suitable (depending on the
authentication backend).
> As submitted the patch will completely break on all installations which
> allow / or @ characters in usernames. I am aware that there are
> definitely some networks allowing those - whether they use PAM is unknown.
> This will need at least a helper command line option to enable the
> stripping. I suggest the -r option as previously used in
> negotiate_kerberos_auth.
> http://www.squid-cache.org/Versions/v3/3.2/manuals/negotiate_kerberos_auth.html
Fair point - I had assumed that \ and @ wouldn't ever be used under PAM,
but it is reasonable to make this functionality optional.
I've attached the revised patch covering these comments and the comments
you made in the other email.
Many thanks.
--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
Direct contacts:
Instant messenger: xmpp:[email protected]
Email: [email protected]
Phone: sip:[email protected]
Sales / enquiries contacts:
Email: [email protected]
Phone: +44-844-9791439 / sip:[email protected]
Support contacts:
Email: [email protected]
Phone: +44-844-4844916 / sip:[email protected]
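As an added example (not code from the patch, the Squid helper, or the author) of the realm-stripping behaviour discussed above, the C function below handles the `DOMAIN\user`, `user@realm` and combined `DOMAIN\user@realm` forms, keeps the stripping optional as agreed, and refuses an empty result rather than passing an empty user name on to the authentication backend. The function name `strip_realm`, the `strip` flag and the sample user names are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not the Squid helper's own code.
 * Strip a Windows-style realm from a Basic-auth user name in place:
 *   DOMAIN\user        -> user
 *   user@REALM         -> user
 *   DOMAIN\user@REALM  -> user
 * Returns a pointer into buf to the bare user name, or NULL when the
 * result would be empty (e.g. "DOMAIN\" or "@REALM"), so the caller can
 * answer ERR instead of asking the backend about an empty name.
 * With strip == 0 the name is returned untouched, for sites that allow
 * \ or @ characters in user names.
 */
char *strip_realm(char *buf, int strip)
{
    char *user = buf;
    char *p;

    if (!strip)
        return buf;

    /* DOMAIN\user: the user name is everything after the first backslash */
    p = strchr(user, '\\');
    if (p)
        user = p + 1;

    /* user@REALM: cut the name at the first '@' */
    p = strchr(user, '@');
    if (p)
        *p = '\0';

    /* Never hand an empty user name to the backend */
    if (*user == '\0')
        return NULL;

    return user;
}

/* Constructed sample user names, as a browser might send them after a
 * user typed a domain into a Basic-auth popup */
int main(void)
{
    const char *samples[] = {
        "EXAMPLE\\alice",
        "alice@EXAMPLE.ORG",
        "EXAMPLE\\alice@EXAMPLE.ORG",
        "alice",
        "EXAMPLE\\",
        "@EXAMPLE.ORG",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[256];
        char *user;

        strncpy(buf, samples[i], sizeof buf - 1);
        buf[sizeof buf - 1] = '\0';

        user = strip_realm(buf, 1);
        if (user)
            printf("%-28s -> OK  %s\n", samples[i], user);
        else
            printf("%-28s -> ERR empty user name\n", samples[i]);
    }
    return 0;
}
```

The order matters: the backslash prefix is removed before the `@` suffix, so the combined form collapses to the bare name instead of stopping at `DOMAIN\user`. Whatever the realm was, the result is the same local account, which is the point of the option and also the reason it has to be opt-in.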
Index: helpers/basic_auth/PAM/basic_pam_auth.cc
===================================================================
--- helpers/basic_auth/PAM/basic_pam_auth.cc (revision 205)
+++ helpers/basic_auth/PAM/basic_pam_auth.cc (revision 207)
@@ -158,6 +158,7 @@
fprintf(stderr, " to authenticate all users\n");
fprintf(stderr, " -o Do not perform account mgmt (account expiration etc)\n");
fprintf(stderr, " -1 Only one user authentication per PAM connection\n");
+ fprintf(stderr, " -r Remove realm from username\n");
}
int
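Review bot: the usage line `-r Remove realm from username` undersells what the option accepts; the code strips both a `DOMAIN\` prefix and an `@realm` suffix, and handles them differently (the suffix is cut off, the prefix is skipped). Suggest something like `-r Strip DOMAIN\ prefix or @realm suffix from the user name` so an administrator reading the helper's usage output knows which forms are recognised and that the option is off by default.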
@@ -172,12 +173,13 @@
int ttl = DEFAULT_SQUID_PAM_TTL;
const char *service = DEFAULT_SQUID_PAM_SERVICE;
int no_acct_mgmt = 0;
+ int no_realm = 0;
/* make standard output line buffered */
setvbuf(stdout, NULL, _IOLBF, 0);
while (1) {
- int ch = getopt(argc, argv, "1n:t:o");
+ int ch = getopt(argc, argv, "1n:t:or");
switch (ch) {
case -1:
goto start;
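Review bot: the flag name `no_realm` reads as "there is no realm" while a value of 1 means "strip the realm"; `strip_realm` would match both the `-r` letter and the usage text and avoid a double negative when the flag is tested later. The `"1n:t:or"` getopt string itself is fine since `-r` takes no argument.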
@@ -193,6 +195,9 @@
case 'o':
no_acct_mgmt = 1;
break;
+ case 'r':
+ no_realm = 1;
+ break;
default:
fprintf(stderr, "FATAL: Unknown getopt value '%c'\n", ch);
usage(argv[0]);
@@ -225,6 +230,18 @@
rfc1738_unescape(password_buf);
conv.appdata_ptr = (char *) password_buf; /* from buf above. not allocated */
+ if (no_realm) {
+ /* Remove DOMAIN\.. and ...@domain from the user name in case the user
+ * thought this was an NTLM or Negotiate authentication popup box
+ */
+ char * user_ptr = strchr(user, '@');
+ if (user_ptr) *user_ptr = 0;
+ else {
+ user_ptr = strchr(user, '\\');
+ if (user_ptr) user = user_ptr + 1;
+ }
+ }
+
#if _SQUID_SOLARIS_
/* Workaround for Solaris 2.6 where the PAM library is broken
* and does not pass appdata_ptr to the conversation routine
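Review bot: the stripping block after `rfc1738_unescape(password_buf)` has no check for an empty result: `DOMAIN\` (nothing after the backslash) or `@realm` (nothing before the `@`) leaves an empty user name that is then handed to PAM; reject with ERR before any PAM call, e.g. `if (*user == '\0') { ... ERR ... }`. Two smaller points in the same hunk: a name of the form `DOMAIN\user@realm` only loses the `@realm` part because the `\\` lookup sits in the `else` branch, so `DOMAIN\user` is what reaches PAM; and since `user = user_ptr + 1` repoints `user` into the middle of the input buffer, please confirm nothing later frees `user` or expects the original spelling for logging. The option's documentation should also state plainly that with `-r` every realm collapses onto the same local account (`OTHER\alice` and `alice@anything` both become `alice`), which is the intended behaviour for a PAM backend but has to be a conscious choice by the administrator.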