[squid-users] problem with ntlm_smb_lm_auth helper

Amos Jeffries squid3 at treenet.co.nz
Mon Sep 7 10:00:37 UTC 2015


On 7/09/2015 8:01 p.m., Emmanuel Garette wrote:
> Hi,
> 
> I managed to migrate my squid version from 3.1.19 to 3.3.8 (version
> included in ubuntu LTS) and I'm using the ntlm_smb_lm_auth helper.

Please make an effort not to use this helper. It is well worth avoiding
if you can. Your network is in fact far *more secure* using plain old
Basic auth than using SMB LM auth.


> 
> I cannot authenticate any user with this version of the helper.
> 
> I have two problems:
> 
> * in file lib/ntlmauth/ntlmauth.cc, this line is not working:
> 
>     /* Authenticating against the NT response doesn't seem to work... */
>     tmp = ntlm_fetch_string(&(auth->hdr), auth_length, &auth->lmresponse, auth->flags);
> 
> 
> The function ntlm_fetch_string checks if the password contains only ASCII
> characters. In my test, the password contains no ASCII characters at all.
> 
> In file lib/ntlmauth/ntlmauth.cc, if I remove "return rv;" here:
> 
>                 fprintf(stderr, "ntlmssp: bad ascii: %04x\n", *sc);
>                 return rv;
> 
>  all works fine.

That is bad. Doing so tells Squid that your invalid NTLM token is valid.

It contains flags explicitly stating that the strings inside are ASCII.
Then it contains non-ASCII strings. In no way is that a valid token. The
helper should be rejecting these.

This helper does accept non-ASCII strings. As long as the flag in the
token is properly indicating UNICODE / non-ASCII support.


> 
> * in file lib/ntlmauth/ntlmauth.cc, the test is not correct:
> 
>     /* Authenticating against the NT response doesn't seem to work... */
>     tmp = ntlm_fetch_string(&(auth->hdr), auth_length, &auth->lmresponse, auth->flags);
>     if (tmp.str == NULL || tmp.l == 0) {
>         fprintf(stderr, "No auth at all. Returning no-auth\n");
>         ntlm_errno = NTLM_ERR_LOGON;
>         return NULL;
>     }
> 
> Value of tmp.l is -1 for me (the first character is not an ASCII
> character). The test should be "tmp.l < 1".


That tells me something may have made the code of your helper different
from the code we distribute.

"rv.l = 0" is set explicitly by ntlm_fetch_string() before running the
ASCII/UNICODE validation scans. It is only -1 before the rv.str has been
set.

In the (tmp.str == NULL || tmp.l == 0) check the (tmp.str == NULL) part
is true whenever tmp.l is -1.


> 
> I'm not sure (I have not tried with this version) but those problems seem
> to be in the trunk version
> 
> I would like to know if I am wrong or if there is a better solution
> than removing the return line.


Would you mind mailing me a copy of the HTTP headers containing the NTLM
tokens that are breaking for you? Private reply to this is fine, since
they contain plain-text passwords and I need the full exact tokens (type
1, 2, and 3 if you can) as found in the HTTP message.

Amos
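
Added example, not part of the original message and not Squid's code: a C routine that applies the rule discussed above, validating a string field against the encoding the token's flags declare and rejecting it otherwise. The names `field_t`, `fetch_field`, `field_usable` and `demo` are hypothetical, the failure convention (`{NULL, -1}`) is this example's own, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NEGOTIATE_UNICODE 0x00000001u /* NTLMSSP_NEGOTIATE_UNICODE (MS-NLMP) */

/* Hypothetical result type: l is -1 exactly when str is NULL. */
typedef struct { const uint8_t *str; int l; } field_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{ return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }

/* Fetch the string described by the 8-byte descriptor at `desc`
 * (uint16 len, uint16 maxlen, uint32 offset; all little-endian). */
field_t fetch_field(const uint8_t *pkt, size_t pkt_len, size_t desc, uint32_t flags)
{
    field_t rv = { NULL, -1 };
    if (desc > pkt_len || pkt_len - desc < 8) return rv;  /* descriptor truncated */
    size_t len = rd16(pkt + desc), off = rd32(pkt + desc + 4);
    if (off > pkt_len || len > pkt_len - off) return rv;  /* payload outside packet */
    const uint8_t *s = pkt + off;
    if (flags & NEGOTIATE_UNICODE) {
        if (len % 2) return rv;                           /* not whole UTF-16 units */
        for (size_t i = 0; i < len; i += 2)
            if (rd16(s + i) == 0) return rv;              /* embedded NUL */
    } else {
        for (size_t i = 0; i < len; i++)
            if (s[i] < 0x20 || s[i] > 0x7e) return rv;    /* flags say ASCII, bytes are not */
    }
    rv.str = s;
    rv.l = (int)len;
    return rv;
}

/* Caller-side check in the same shape as the one quoted in the thread. */
int field_usable(field_t f) { return !(f.str == NULL || f.l == 0); }

/* Constructed sample: descriptor at offset 0, payload at offset 8.
 * Returns 1 if the field is accepted, 0 if it is rejected. */
int demo(const void *payload, uint16_t n, uint32_t flags)
{
    uint8_t pkt[64] = { 0 };
    if (n > sizeof pkt - 8) return 0;
    pkt[0] = pkt[2] = (uint8_t)n;   /* len and maxlen */
    pkt[4] = 8;                     /* offset of payload */
    memcpy(pkt + 8, payload, n);
    return field_usable(fetch_field(pkt, 8 + (size_t)n, 0, flags));
}
```
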

