[squid-users] [Squid 4.x]: Truncated accounts when there is spaces in usernames

Amos Jeffries squid3 at treenet.co.nz
Sun Oct 25 08:01:06 UTC 2015


On 25/10/2015 5:47 a.m., David Touzeau wrote:
> 
> auth_param ntlm program /usr/bin/ntlm_auth --domain=TOUZEAU.BIZ --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 20 startup=5 idle=3
> auth_param ntlm keep_alive on
> authenticate_ttl 14400 seconds
> authenticate_cache_garbage_interval 18000 seconds
> authenticate_ip_ttl 14400 seconds
> 
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 10 startup=5 idle=1
> auth_param basic realm Basic Identification
> auth_param basic credentialsttl 4 hours
> 
> here a debug log with an account logged as "david touzeau"
> 
> 
> Proxy-Authorization: NTLM
> TlRMTVNTUAADAAAAGAAYAJAAAAAYABgAqAAAAA4ADgBYAAAAGgAaAGYAAAAQABAAgAAAAAAAAADAAAAABYKIogYBsR0AAAAPudyEOYFjFhMW+qrJNxLkdlQATwBVAFoARQBBAFUAZABhAHYAaQBkACAAdABvAHUAegBlAGEAdQBXAEkATgA3AFUAUwAtADEAkZrVyKTcrdAAAAAAAAAAAAAAAAAAAAAA/wlnYT2Q+F
> 
> 2015/10/24 12:34:58.089 kid1| 84,5| helper.cc(1384)
> helperStatefulDispatch: helperStatefulDispatch: Request sent to
> ntlmauthenticator #Hlpr65, 260 bytes
> 2015/10/24 12:34:58.092 kid1| 84,5| helper.cc(1000)
> helperStatefulHandleRead: helperStatefulHandleRead: 17 bytes from
> ntlmauthenticator #Hlpr65
> 2015/10/24 12:34:58.092 kid1| 29,6| UserRequest.cc(171)
> releaseAuthServer: releasing NTLM auth server '0x1d91cd8'
> 2015/10/24 12:34:58.092 kid1| 29,4| UserRequest.cc(327) HandleReply:
> Successfully validated user via NTLM. Username 'touzeau'
> 

Okay. I think there is nothing we can do about it except to say you
can't have whitespace in usernames when using the old-style helpers.
That currently still includes ntlm_auth from Samba.

It is not a new problem. The NTLM/Negotiate helper response lines have
an optional token field before the username and the line is whitespace
delimited. If the username has whitespace inside it, then the first part
is parsed as being that field. It should be %-encoding the username,
which seems not to be happening.

We moved to the key=value protocol as the solution to avoid that in
future. But it requires the helper(s) to be using the new protocol. And
this one is not doing that either.

Amos
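The parsing behaviour described in the reply above, modelled as an added Python example for this page (it is a simplified stand-in, not Squid's own reply parser and not Samba's ntlm_auth): the legacy "AF [token] user" success line is split on whitespace, so a raw "david touzeau" comes out as token "david" and user "touzeau", which is what the debug log reports. The constructed reply "AF david touzeau\n" is 17 bytes, consistent with the "17 bytes from ntlmauthenticator" line in the log, though the log does not show the reply itself. The block also shows the %-encoded form an old-style helper should emit and the quoted form of the key=value protocol. All reply strings, function names and the quoting rules of the simplified key=value parser are constructed for illustration.

```python
"""Model of the two Squid NTLM/Negotiate helper reply formats discussed above.

Added example for this page; it is a simplified stand-in for Squid's own
reply parser and for Samba's ntlm_auth, not their code.  All reply lines
below are constructed."""

import re
from urllib.parse import quote, unquote

# Constructed helper replies.  The legacy one is 17 bytes including the
# newline, which matches the "17 bytes from ntlmauthenticator" in the log.
LEGACY_REPLY = "AF david touzeau\n"
ENCODED_REPLY = "AF david%20touzeau\n"
KV_REPLY = 'OK user="david touzeau"\n'


def parse_legacy_af(line):
    """Old-style (squid-2.5-ntlmssp) success line: 'AF [token] user'.

    The line is whitespace delimited and the token field is optional, so a
    helper that emits a raw username containing a space gets its first word
    taken as the token.  Squid expects %-encoding instead, which is undone here.
    """
    fields = line.rstrip("\r\n").split()
    if len(fields) < 2 or fields[0] != "AF":
        return None
    if len(fields) == 2:
        token, user = None, fields[1]
    else:
        token, user = fields[1], fields[2]  # anything after is discarded
    return {"token": token, "user": unquote(user)}


def encode_legacy_user(user):
    """What an old-style helper should send so the username survives."""
    return "AF " + quote(user, safe="") + "\n"


# key=value pairs: value is either double-quoted with backslash escapes
# or a bare run of non-whitespace characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_keyvalue(line):
    """Key=value reply: 'OK user="david touzeau" token=...'.

    A value is either bare (no whitespace) or double-quoted with backslash
    escapes, so whitespace inside a quoted value is preserved.
    """
    status, _, rest = line.rstrip("\r\n").partition(" ")
    if status not in ("OK", "ERR", "BH"):
        return None
    notes = {"status": status}
    for key, val in _KV.findall(rest):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = re.sub(r"\\(.)", r"\1", val[1:-1])
        notes[key] = val
    return notes


def format_keyvalue_user(user):
    """Quote a username for the key=value protocol if it needs it."""
    if re.search(r'[\s"\\]', user):
        user = '"' + user.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return "OK user=" + user + "\n"


if __name__ == "__main__":
    print(parse_legacy_af(LEGACY_REPLY))    # {'token': 'david', 'user': 'touzeau'}
    print(parse_legacy_af(ENCODED_REPLY))   # {'token': None, 'user': 'david touzeau'}
    print(parse_keyvalue(KV_REPLY))         # {'status': 'OK', 'user': 'david touzeau'}
```

Running it reproduces the truncation from the log for the raw reply, and shows that either %-encoding the username on the old protocol or quoting it on the key=value protocol gets "david touzeau" through intact; the fix has to happen on the helper side, since Squid cannot tell a two-word username from a token followed by a username.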


