[squid-users] One Time Password with squid, exists?

Eliezer Croitoru eliezer at ngtech.co.il
Thu Mar 12 02:25:52 UTC 2015


Thanks Amos,

So NTLM has "two steps" authentication which means that there is a basic 
negotiation over the http connection to the proxy which makes it less 
secure than kerberos.

(speculating)
The main reason it's less secure than kerberos is that every part of the 
password negotiation steps is being done in the same channel that the 
proxy is being contacted and therefore cannot apply a third party 
"verification" for the authenticity of any of the tokens.
As a matter of fact NTLM http proxy authentication may be intercepted 
and can do lots of bad things to the connections.

I will try to read more about Digest authentication to make sure I will 
not create something when it's not needed.

But in any case that there is an option to make the proxy-to-client 
connection one level more secure than a plain http proxy port it should be 
considered better, right?

Eliezer

On 12/03/2015 04:01, Amos Jeffries wrote:
> To answer that you need to define OTP.
>
> * Basic is the only scheme which delivers a password. So technically the
> others are all one-use-password schemes already.
>
> * Digest with nonce count 1 is a one-time-token scheme at the message level.
>
> * Negotiate and NTLM are one-time-token schemes at the TCP connection level.
>
> * Basic auth can be one-time-token but requires supporting logic to be
> implemented in the clients, server, and a token assignment mechanism. It's
> easier to just use Digest in most cases.
>
> Amos
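Amos's point that Digest with a nonce count is a one-time-token scheme "at the message level" is easy to see in code. The following is an added example, not code from this thread or from Squid: it implements the RFC 2617 `qop=auth` response computation and a minimal proxy-side verifier that records the highest nonce count (`nc`) accepted per nonce and refuses any message whose `nc` does not increase. The realm, user name, password, URI and client nonce are constructed sample values.

```python
import hashlib
import hmac
import secrets


def _md5(s: str) -> str:
    """Hex MD5 as used by RFC 2617 Digest (MD5 is the algorithm the RFC specifies)."""
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side: response = MD5(HA1:nonce:nc:cnonce:qop:HA2) for qop=auth."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Proxy side: stores HA1 (never the password) and the last accepted nc per nonce."""

    def __init__(self, realm, users):
        self.realm = realm
        self.ha1 = {u: _md5(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.nonces = {}  # nonce -> highest nonce count accepted so far

    def new_nonce(self):
        """Issue a fresh server nonce (sent in Proxy-Authenticate)."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response, qop="auth"):
        """Return (accepted, reason). A repeated or lower nc is a replayed message."""
        if nonce not in self.nonces:
            return False, "unknown or expired nonce"
        if username not in self.ha1:
            return False, "unknown user"
        try:
            count = int(nc, 16)
        except ValueError:
            return False, "malformed nc"
        if count <= self.nonces[nonce]:
            return False, "nonce count replayed"
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{self.ha1[username]}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False, "bad response"
        self.nonces[nonce] = count  # only advance after a valid response
        return True, "ok"


def demo():
    """Walk one nonce through a valid message, a replay, a new count and a tampered URI."""
    # constructed sample credentials and request (not from the thread)
    v = DigestVerifier("proxy", {"alice": "s3cret"})
    nonce = v.new_nonce()
    cnonce = "0a4f113b"
    uri = "http://example.com/"

    r1 = digest_response("alice", "proxy", "s3cret", "GET", uri, nonce, "00000001", cnonce)
    first = v.verify("alice", "GET", uri, nonce, "00000001", cnonce, r1)
    replay = v.verify("alice", "GET", uri, nonce, "00000001", cnonce, r1)

    r2 = digest_response("alice", "proxy", "s3cret", "GET", uri, nonce, "00000002", cnonce)
    second = v.verify("alice", "GET", uri, nonce, "00000002", cnonce, r2)

    # same nc=3 message but the URI was changed in transit: HA2 no longer matches
    tampered = v.verify("alice", "GET", "http://other.example/", nonce, "00000003", cnonce,
                        digest_response("alice", "proxy", "s3cret", "GET", uri, nonce,
                                        "00000003", cnonce))
    return first, replay, second, tampered


if __name__ == "__main__":
    for label, result in zip(("first", "replay", "second", "tampered"), demo()):
        print(f"{label}: {result}")
```

The verifier only ever advances the stored count after a response validates, so a forged message cannot burn a count, and the password never crosses the proxy connection: both sides hash it into HA1. This is the property Amos describes, and it is what Squid's own Digest scheme enforces when nonce counting is checked (see the `auth_param digest` options in the squid.conf documentation).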
