[squid-users] squid 5.2: ntlm_fake_auth refuse to valid credentials

David Touzeau david at articatech.com
Tue Nov 16 13:25:17 UTC 2021


Any tips?

Is anyone using fake NTLM with modern browsers?

On 11/11/2021 at 13:16, David Touzeau wrote:
> Thanks Amos, it will help to understand something.
>
> I think modern browsers are sending NTLMv2, while ntlm_fake_auth 
> understands only NTLMv1 (perhaps).
>
> Using curl with the --proxy-ntlm option is OK for Squid, whereas using a 
> browser always returns a 407.
> Do you know the limitation of ntlm_fake_auth according to NTLM version?
> Is there a way to fix it?
>
> ************* CURL ************
>
> [0000]  4E 54 4C 4D 53 53 50 00  01 00 00 00 06 82 08 00 NTLMSSP. ........
> [0010]  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
> ntlm_fake_auth.cc(197): pid=31874 :sending 'TT' to squid with data:
> [0000]  4E 54 4C 4D 53 53 50 00  02 00 00 00 09 00 09 00 NTLMSSP. ........
> [0010]  AE AA AA AA 06 82 08 00  15 3A CC 83 0B 80 7B 45 ........ .......E
> [0020]  00 00 00 00 00 00 3A 00  57 4F 52 4B 47 52 4F 55 ........ WORKGROU
> [0030]  50                                                  P
> ntlm_fake_auth.cc(170): pid=31874 :Got 'KK' from Squid with data:
> [0000]  4E 54 4C 4D 53 53 50 00  03 00 00 00 18 00 18 00 NTLMSSP. ........
> [0010]  40 00 00 00 30 00 30 00  58 00 00 00 00 00 00 00 ....0.0. X.......
> [0020]  88 00 00 00 04 00 04 00  88 00 00 00 09 00 09 00 ........ ........
> [0030]  8C 00 00 00 00 00 00 00  00 00 00 00 06 82 08 00 ........ ........
> [0040]  EB C7 B7 11 26 62 FD 82  B0 45 68 62 E0 6C E6 A3 .....b.. .Ehb.l..
> [0050]  57 A7 E6 76 1C 7B 79 74  17 71 72 5B 72 38 DA 30 W..v..yt .qr.r8.0
> [0060]  06 4D 15 1F 9B D1 A2 A5  01 01 00 00 00 00 00 00 .M...... ........
> [0070]  80 38 3C 2A EA D6 D7 01  57 A7 E6 76 1C 7B 79 74 .8...... W..v..yt
> [0080]  00 00 00 00 00 00 00 00  74 6F 74 6F 6E 74 6C 6D ........ totontlm
> [0090]  70 72 6F 78 79 proxy
> ntlmauth.cc(244): pid=31874 :ntlm_unpack_auth: size of 149
> ntlmauth.cc(245): pid=31874 :ntlm_unpack_auth: flg 00088206
> ntlmauth.cc(246): pid=31874 :ntlm_unpack_auth: lmr o(64) l(24)
> ntlmauth.cc(247): pid=31874 :ntlm_unpack_auth: ntr o(88) l(48)
> ntlmauth.cc(248): pid=31874 :ntlm_unpack_auth: dom o(136) l(0)
> ntlmauth.cc(249): pid=31874 :ntlm_unpack_auth: usr o(136) l(4)
> ntlmauth.cc(250): pid=31874 :ntlm_unpack_auth: wst o(140) l(9)
> ntlmauth.cc(251): pid=31874 :ntlm_unpack_auth: key o(0) l(0)
> ntlmauth.cc(257): pid=31874 :ntlm_unpack_auth: Domain 't' (len=1).
> *ntlmauth.cc(268): pid=31874 :ntlm_unpack_auth: Username 'toton' (len=5).*
> ntlm_fake_auth.cc(210): pid=31874 :sending 'AF toton' to squid
>
>
> ********* But when connecting any modern browser to squid ***********
>
> [0000]  4E 54 4C 4D 53 53 50 00  01 00 00 00 07 82 08 A2 NTLMSSP. ........
> [0010]  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
> [0020]  0A 00 63 45 00 00 00 0F ..cE....
> ntlm_fake_auth.cc(197): pid=31874 :sending 'TT' to squid with data:
> [0000]  4E 54 4C 4D 53 53 50 00  02 00 00 00 09 00 09 00 NTLMSSP. ........
> [0010]  AE AA AA AA 07 82 08 A2  C9 F0 4C 07 E0 79 9F CF ........ ..L..y..
> [0020]  00 00 00 00 00 00 3A 00  57 4F 52 4B 47 52 4F 55 ........ WORKGROU
> [0030]  50                                                  P
> ntlm_fake_auth.cc(170): pid=31874 :Got 'YR' from Squid with data:
> [0000]  4E 54 4C 4D 53 53 50 00  01 00 00 00 07 82 08 A2 NTLMSSP. ........
> [0010]  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
> [0020]  0A 00 63 45 00 00 00 0F ..cE....
> ntlm_fake_auth.cc(197): pid=31874 :sending 'TT' to squid with data:
> [0000]  4E 54 4C 4D 53 53 50 00  02 00 00 00 09 00 09 00 NTLMSSP. ........
> [0010]  AE AA AA AA 07 82 08 A2  49 12 A5 8A C8 17 3E 9D ........ I.......
> [0020]  00 00 00 00 00 00 3A 00  57 4F 52 4B 47 52 4F 55 ........ WORKGROU
> [0030]  50                                                  P
> ntlm_fake_auth.cc(170): pid=31874 :Got 'YR' from Squid with data:
> [0000]  4E 54 4C 4D 53 53 50 00  01 00 00 00 07 82 08 A2 NTLMSSP. ........
> [0010]  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
> [0020]  0A 00 63 45 00 00 00 0F ..cE....
> ntlm_fake_auth.cc(197): pid=31874 :sending 'TT' to squid with data:
> [0000]  4E 54 4C 4D 53 53 50 00  02 00 00 00 09 00 09 00 NTLMSSP. ........
> [0010]  AE AA AA AA 07 82 08 A2  09 6D 48 E6 12 9C 4B 30 ........ .mH...K0
> [0020]  00 00 00 00 00 00 3A 00  57 4F 52 4B 47 52 4F 55 ........ WORKGROU
> [0030]  50                                                  P
> ntlm_fake_auth.cc(170): pid=31874 :Got 'YR' from Squid with data:
> [0000]  4E 54 4C 4D 53 53 50 00  01 00 00 00 07 82 08 A2 NTLMSSP. ........
> [0010]  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
> [0020]  0A 00 63 45 00 00 00 0F ..cE....
> ntlm_fake_auth.cc(197): pid=31874 :sending 'TT' to squid with data:
> [0000]  4E 54 4C 4D 53 53 50 00  02 00 00 00 09 00 09 00 NTLMSSP. ........
> [0010]  AE AA AA AA 07 82 08 A2  F5 F6 8C B4 16 B9 20 CD ........ ........
> [0020]  00 00 00 00 00 00 3A 00  57 4F 52 4B 47 52 4F 55 ........ WORKGROU
>
>
>
> On 11/11/2021 at 08:40, Amos Jeffries wrote:
>> On 11/11/21 14:12, David Touzeau wrote:
>>> Hi,
>>> I would like to use ntlm_fake_auth, but it seems Squid refuses to 
>>> switch to the authenticated user and returns a 407 to the browser, and 
>>> Squid never accepts credentials.
>>>
>>> What am I missing?
>>>
>>> Configuration seems simple:
>>> auth_param ntlm program /lib/squid3/ntlm_fake_auth -v
>>> auth_param ntlm children 20 startup=5 idle=1 concurrency=0 queue-size=80 on-persistent-overload=ERR
>>> acl AUTHENTICATED proxy_auth REQUIRED
>>> http_access deny  !AUTHENTICATED
>>>
>>> Here is the debug mode:
>>>
>>
>> The log you presented shows the helper delivering a TT response to 
>> Squid. Which is NTLM step 2 response token for a 407 challenge response.
>> That is only sent if there were no auth headers received from the 
>> client - which is correct per your config shown.
>>
>> The log snippet stops before Squid sends that response to the client, 
>> so whatever follows is unknown.
>>
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
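
An added example, not part of the original thread or of Squid's code: a short Python decoder for the two NTLMSSP Type 1 messages quoted in the debug output above, showing which negotiate flags the browser sets that curl does not. Flag names are abbreviated from the NTLM specification (MS-NLMP); the difference is an observation about the two captures, not a confirmed cause of the repeated 407.

```python
import struct

# Negotiate flag bits from MS-NLMP, with the NTLMSSP_NEGOTIATE_ prefix dropped.
FLAGS = {
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
    0x00000010: "SIGN", 0x00000020: "SEAL", 0x00000200: "NTLM",
    0x00008000: "ALWAYS_SIGN", 0x00080000: "EXTENDED_SESSIONSECURITY",
    0x00800000: "TARGET_INFO", 0x02000000: "VERSION", 0x20000000: "128",
    0x40000000: "KEY_EXCH", 0x80000000: "56",
}
KNOWN_MASK = sum(FLAGS)  # every key is a distinct bit, so the sum equals the OR

# Type 1 messages copied byte for byte from the two hex dumps in the thread.
HEADER = "4e544c4d53535000" "01000000"          # "NTLMSSP\0", message type 1
CURL_T1 = bytes.fromhex(HEADER + "06820800" + "00" * 16)
BROWSER_T1 = bytes.fromhex(HEADER + "078208a2" + "00" * 16 + "0a0063450000000f")


def parse_negotiate(msg):
    """Decode an NTLMSSP Type 1 (NEGOTIATE) message: flags and optional version."""
    if len(msg) < 16 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    mtype, flags = struct.unpack_from("<II", msg, 8)
    if mtype != 1:
        raise ValueError(f"expected message type 1, got {mtype}")
    info = {"flags": flags, "unknown_bits": flags & ~KNOWN_MASK, "version": None,
            "names": {name for bit, name in FLAGS.items() if flags & bit}}
    # With the VERSION flag set, 8 bytes follow the two 8-byte field descriptors:
    # major, minor, build (little-endian), 3 reserved bytes, NTLM revision.
    if flags & 0x02000000 and len(msg) >= 40:
        info["version"] = struct.unpack_from("<BBH3xB", msg, 32)
    return info


def compare(a, b):
    """Return (flag names only in a, flag names only in b)."""
    return sorted(a["names"] - b["names"]), sorted(b["names"] - a["names"])


if __name__ == "__main__":
    curl, browser = parse_negotiate(CURL_T1), parse_negotiate(BROWSER_T1)
    for label, m in (("curl", curl), ("browser", browser)):
        print(f"{label:8} 0x{m['flags']:08X} {sorted(m['names'])} version={m['version']}")
    print("set only by the browser:", compare(curl, browser)[1])
```

In the browser capture the helper only ever receives 'YR' (Type 1) requests and never a 'KK' (Type 3), so this Type 1 message is the only browser-side message available to compare.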