[squid-users] problem with ntlm_smb_lm_auth helper

Emmanuel Garette egarette at cadoles.com
Mon Sep 7 10:23:19 UTC 2015


On 07/09/2015 12:00, Amos Jeffries wrote:
> On 7/09/2015 8:01 p.m., Emmanuel Garette wrote:
>> Hi,
>>
>> I managed to migrate my squid version from 3.1.19 to 3.3.8 (the version
>> included in Ubuntu LTS) and I'm using the ntlm_smb_lm_auth helper.
> Please make an effort not to use this helper. It is well worth avoiding
> if you can. Your network is in fact far *more secure* using plain old
> Basic auth than using SMB LM auth.
>
>
>> I cannot authenticate any user with this version of the helper.
>>
>> I have two problems:
>>
>> * in file lib/ntlmauth/ntlmauth.cc, this line is not working:
>>
>>     /* Authenticating against the NT response doesn't seem to work... */
>>     tmp = ntlm_fetch_string(&(auth->hdr), auth_length, &auth->lmresponse, auth->flags);
>>
>>
>> The function ntlm_fetch_string checks whether the password contains only
>> ASCII characters. In my test, the password contains no ASCII characters at all.
>>
>> In file lib/ntlmauth/ntlmauth.cc, if I remove "return rv;" here:
>>
>>                 fprintf(stderr, "ntlmssp: bad ascii: %04x\n", *sc);
>>                 return rv;
>>
>>  all works fine.
> That is bad. Doing so tells Squid that your invalid NTLM token is valid.
>
> It contains flags explicitly stating that the strings inside are ASCII.
> Then it contains non-ASCII strings. In no way is that a valid token. The
> helper should be rejecting these.
>
> This helper does accept non-ASCII strings. As long as the flag in the
> token is properly indicating UNICODE / non-ASCII support.
>
>
>> * in file lib/ntlmauth/ntlmauth.cc, the test is not correct:
>>
>>     /* Authenticating against the NT response doesn't seem to work... */
>>     tmp = ntlm_fetch_string(&(auth->hdr), auth_length, &auth->lmresponse, auth->flags);
>>     if (tmp.str == NULL || tmp.l == 0) {
>>         fprintf(stderr, "No auth at all. Returning no-auth\n");
>>         ntlm_errno = NTLM_ERR_LOGON;
>>         return NULL;
>>     }
>>
>> The value of tmp.l is -1 for me (the first character is not an ASCII
>> character). The test should be "tmp.l < 1".
>
> That tells me something may have made the code of your helper different
> from the code we distribute.
>
> "rv.l = 0" is set explicitly by ntlm_fetch_string() before running the
> ASCII/UNICODE validation scans. It is only -1 before the rv.str has been
> set.
>
> In the (tmp.str == NULL || tmp.l == 0) check the (tmp.str == NULL) part
> is true whenever tmp.l is -1.
>
>
>> I'm not sure (I have not tried with this version) but those problems seem
>> to be in the trunk version.
>>
>> I would like to know if I am wrong or if there is a better solution
>> than removing the return line.
>
> Would you mind mailing me a copy of the HTTP headers containing the NTLM
> tokens that are breaking for you? Private reply to this is fine, since
> they contain plain-text passwords and I need the full exact tokens (type
> 1, 2, and 3 if you can) as found in the HTTP message.
I have a testing domain without real users/passwords, so there is nothing
private.

Here is the information sent by my browser:

YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
KK
TlRMTVNTUAADAAAAGAAYAF0AAAAYABgAdQAAAAkACQBIAAAABQAFAFEAAAAHAAcAVgAAAAAAAACNAAAABoIAAgUBKAoAAAAPRE9NUEVEQUdPQURNSU5FT0xFLVhQ+zKZ3FrzAN36j1+mF8qXJevSL3r8fNqp3RhnW7JTHptQ/X9aEDyJXow6haCsPLhN

Here is some trace output when I remove the "return" line:

# /usr/lib/squid3/ntlm_smb_lm_auth -d dompedago/scribe
ntlm_smb_lm_auth.cc(384): pid=5278 :Adding domain-controller
dompedago/scribe
ntlm_smb_lm_auth.cc(640): pid=5278 :options processed OK
YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
ntlm_smb_lm_auth.cc(482): pid=5278 :managing request
ntlm_smb_lm_auth.cc(488): pid=5278 :ntlm authenticator. Got 'YR
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==' from Squid
ntlm_smb_lm_auth.cc(438): pid=5278 :obtain_challenge: selecting
DOMPEDAGO\SCRIBE (attempt #1)
ntlm_smb_lm_auth.cc(450): pid=5278 :attempting challenge retrieval
ntlm_smb_lm_auth.cc(154): pid=5278 :Connecting to server SCRIBE domain
DOMPEDAGO
ntlm_smb_lm_auth.cc(452): pid=5278 :make_challenge retuned 0x7f3dad1e63c0
ntlm_smb_lm_auth.cc(454): pid=5278 :Got it
ntlm_smb_lm_auth.cc(623): pid=5278 :sending 'TT
TlRMTVNTUAACAAAACQAJACgAAACCgkEAxzeor2goxxIAAAAAAAAAAERPTVBFREFHTw==' to
squid
TT TlRMTVNTUAACAAAACQAJACgAAACCgkEAxzeor2goxxIAAAAAAAAAAERPTVBFREFHTw==
KK
TlRMTVNTUAADAAAAGAAYAF0AAAAYABgAdQAAAAkACQBIAAAABQAFAFEAAAAHAAcAVgAAAAAAAACNAAAABoIAAgUBKAoAAAAPRE9NUEVEQUdPQURNSU5FT0xFLVhQ+zKZ3FrzAN36j1+mF8qXJevSL3r8fNqp3RhnW7JTHptQ/X9aEDyJXow6haCsPLhN
ntlm_smb_lm_auth.cc(482): pid=5278 :managing request
ntlm_smb_lm_auth.cc(488): pid=5278 :ntlm authenticator. Got 'KK
TlRMTVNTUAADAAAAGAAYAF0AAAAYABgAdQAAAAkACQBIAAAABQAFAFEAAAAHAAcAVgAAAAAAAACNAAAABoIAAgUBKAoAAAAPRE9NUEVEQUdPQURNSU5FT0xFLVhQ+zKZ3FrzAN36j1+mF8qXJevSL3r8fNqp3RhnW7JTHptQ/X9aEDyJXow6haCsPLhN'
from Squid
ntlmssp: bad ascii: fffffffb
ntlmssp: bad ascii: ffffff99
ntlmssp: bad ascii: ffffffdc
ntlmssp: bad ascii: fffffff3
ntlmssp: bad ascii: 0000
ntlmssp: bad ascii: ffffffdd
ntlmssp: bad ascii: fffffffa
ntlmssp: bad ascii: ffffff8f
ntlmssp: bad ascii: ffffffa6
ntlmssp: bad ascii: 0017
ntlmssp: bad ascii: ffffffca
ntlmssp: bad ascii: ffffff97
ntlmssp: bad ascii: ffffffeb
ntlmssp: bad ascii: ffffffd2
ntlmssp: bad ascii: fffffffc
ntlmssp: bad ascii: ffffffda
ntlmssp: bad ascii: ffffffa9
ntlmssp: bad ascii: ffffffdd
ntlm_smb_lm_auth.cc(277): pid=5278 :Empty LM pass detection: user:
'ADMIN', ours:'(E�
                                                                                    
�p�����(jw�B�����.Q�7��h(�', his: '�2��Z�' (length: 24)
ntlmssp: bad ascii: ffffffdd
ntlmssp: bad ascii: 0018
ntlmssp: bad ascii: ffffffb2
ntlmssp: bad ascii: 001e
ntlmssp: bad ascii: ffffff9b
ntlmssp: bad ascii: fffffffd
ntlmssp: bad ascii: 007f
ntlmssp: bad ascii: 0010
ntlmssp: bad ascii: ffffff89
ntlmssp: bad ascii: ffffff8c
ntlmssp: bad ascii: ffffff85
ntlmssp: bad ascii: ffffffa0
ntlmssp: bad ascii: ffffffac
ntlmssp: bad ascii: ffffffb8
ntlmssp: bad ascii: 0000
ntlm_smb_lm_auth.cc(288): pid=5278 :Empty NT pass detection: user:
'ADMIN', ours:'�����a����A
                                                                                             
��2��', his: '�g[�S�P�Z<�^�:���<�M' (length: 24)
ntlm_smb_lm_auth.cc(299): pid=5278 :checking domain: 'DOMPEDAGO', user:
'ADMIN', pass='�2��Z�'

Regards,
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
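As an added example (not code from this thread or from Squid), here is a small Python parser for the three NTLMSSP tokens posted above, following the MS-NLMP message layout. It reads the NegotiateFlags and the security buffers, decodes the string fields (target name, domain, user, workstation) according to the charset flag the token actually carries, which is the distinction Amos draws, and leaves the LM and NT challenge responses as the binary blobs they are defined to be. Run on the posted tokens it shows that the Type 2 message selected OEM (ASCII) strings, that the Type 3 string fields are plain ASCII, and that the leading bytes of the 24-byte LM response (fb 32 99 dc 5a f3 ...) are exactly the values the trace reports as "bad ascii". The flag names are from MS-NLMP; the function names and the constants holding the tokens are mine.

```python
"""Decode the NTLMSSP tokens quoted in the thread (MS-NLMP layout)."""
import base64
import struct

# NegotiateFlags bits (MS-NLMP 2.2.2.5); the subset needed to label these tokens.
FLAG_NAMES = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00400000: "REQUEST_NON_NT_SESSION_KEY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}

SIGNATURE = b"NTLMSSP\x00"

# The three tokens exactly as posted in the thread (YR / TT / KK payloads).
TYPE1_TOKEN = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="
TYPE2_TOKEN = "TlRMTVNTUAACAAAACQAJACgAAACCgkEAxzeor2goxxIAAAAAAAAAAERPTVBFREFHTw=="
TYPE3_TOKEN = ("TlRMTVNTUAADAAAAGAAYAF0AAAAYABgAdQAAAAkACQBIAAAABQAFAFEAAAAHAAcAVgAAAAAAAACNAAAABoIAAgUBKAoAAAAP"
               "RE9NUEVEQUdPQURNSU5FT0xFLVhQ+zKZ3FrzAN36j1+mF8qXJevSL3r8fNqp3RhnW7JTHptQ/X9aEDyJXow6haCsPLhN")


def fetch_buffer(msg, offset):
    """Read a security buffer descriptor (Len, MaxLen, Offset, little-endian)
    at `offset` and return the bytes it points to, refusing out-of-range pointers."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, offset)
    if start + length > len(msg):
        raise ValueError("security buffer points outside the token")
    return msg[start:start + length]


def parse_token(b64):
    """Base64-decode one NTLMSSP message and split it into its fields."""
    msg = base64.b64decode(b64)
    if msg[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    out = {"type": msg_type}
    if msg_type == 1:                       # NEGOTIATE_MESSAGE
        out["flags"] = struct.unpack_from("<I", msg, 12)[0]
    elif msg_type == 2:                     # CHALLENGE_MESSAGE
        out["target_name"] = fetch_buffer(msg, 12)
        out["flags"] = struct.unpack_from("<I", msg, 20)[0]
        out["challenge"] = msg[24:32]
    elif msg_type == 3:                     # AUTHENTICATE_MESSAGE
        out["lm_response"] = fetch_buffer(msg, 12)   # binary blob, not a string
        out["nt_response"] = fetch_buffer(msg, 20)   # binary blob, not a string
        out["domain"] = fetch_buffer(msg, 28)
        out["user"] = fetch_buffer(msg, 36)
        out["workstation"] = fetch_buffer(msg, 44)
        out["session_key"] = fetch_buffer(msg, 52)
        out["flags"] = struct.unpack_from("<I", msg, 60)[0]
    else:
        raise ValueError("unknown NTLMSSP message type %d" % msg_type)
    return out


def flag_names(flags):
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def decode_string(raw, flags):
    """Decode a *string* field per the token's charset flag: UTF-16LE when
    NEGOTIATE_UNICODE is set, otherwise OEM/ASCII. Non-ASCII bytes in an
    OEM-flagged string raise UnicodeDecodeError, i.e. the token is rejected."""
    if flags & 0x00000001:
        return raw.decode("utf-16-le")
    return raw.decode("ascii")


def summarize_type3(b64):
    """Apply the charset rule to the string fields only and report the
    response blobs by length and hex, so they can be matched against the trace."""
    t = parse_token(b64)
    if t["type"] != 3:
        raise ValueError("not a Type 3 message")
    flags = t["flags"]
    return {
        "flags": flags,
        "flag_names": flag_names(flags),
        "domain": decode_string(t["domain"], flags),
        "user": decode_string(t["user"], flags),
        "workstation": decode_string(t["workstation"], flags),
        "lm_response_len": len(t["lm_response"]),
        "nt_response_len": len(t["nt_response"]),
        "lm_response_hex": t["lm_response"].hex(),
        "nt_response_hex": t["nt_response"].hex(),
    }


if __name__ == "__main__":
    for label, tok in (("Type 1", TYPE1_TOKEN), ("Type 2", TYPE2_TOKEN)):
        t = parse_token(tok)
        print(label, hex(t["flags"]), flag_names(t["flags"]))
    for key, value in summarize_type3(TYPE3_TOKEN).items():
        print("Type 3", key, value)
```

The point to take from the output: the Type 1 message offers both UNICODE and OEM, the Type 2 reply keeps only OEM, so the Type 3 string fields are ASCII and decode cleanly, while the LmChallengeResponse and NtChallengeResponse buffers are 24 bytes of hash output each. Any check that treats those two buffers as text, in either charset, will report non-ASCII bytes on every login regardless of the password used.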
