<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#464646" bgcolor="#FFFFFF">
<font face="Arial">Any tips?<br>
<br>
Is anyone using Fake NTLM with modern browsers?<br>
</font><br>
<div class="moz-cite-prefix">On 11/11/2021 at 13:16, David Touzeau
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:913abf20-f525-52c5-3933-63a5d19478a2@articatech.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<font face="Arial">Thanks Amos, it will help me understand something.<br>
<br>
I think modern browsers are sending NTLMv2, while ntlm_fake_auth
understands only NTLMv1 (perhaps).<br>
<br>
Using curl with the --proxy-ntlm option is OK for Squid, whereas using a
browser always returns a 407.<br>
Do you know the limitations of </font><font face="Arial"><font
face="Arial">ntlm_fake_auth </font>regarding the NTLM version?<br>
Is there a way to fix it?<br>
<br>
************* CURL ************<br>
</font><br>
<div data-pm-slice="1 1 []" data-en-clipboard="true">[0000] 4E 54
4C 4D 53 53 50 00 01 00 00 00 06 82 08 00 NTLMSSP. ........</div>
<div>[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
........ ........</div>
<div>ntlm_fake_auth.cc(197): pid=31874 :sending 'TT' to squid with
data:</div>
<div>[0000] 4E 54 4C 4D 53 53 50 00 02 00 00 00 09 00 09 00
NTLMSSP. ........</div>
<div>[0010] AE AA AA AA 06 82 08 00 15 3A CC 83 0B 80 7B 45
........ .......E</div>
<div>[0020] 00 00 00 00 00 00 3A 00 57 4F 52 4B 47 52 4F 55
........ WORKGROU</div>
<div>[0030] 50 P</div>
<div>ntlm_fake_auth.cc(170): pid=31874 :Got 'KK' from Squid with
data:</div>
<div>[0000] 4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00
NTLMSSP. ........</div>
<div>[0010] 40 00 00 00 30 00 30 00 58 00 00 00 00 00 00 00
....0.0. X.......</div>
<div>[0020] 88 00 00 00 04 00 04 00 88 00 00 00 09 00 09 00
........ ........</div>
<div>[0030] 8C 00 00 00 00 00 00 00 00 00 00 00 06 82 08 00
........ ........</div>
<div>[0040] EB C7 B7 11 26 62 FD 82 B0 45 68 62 E0 6C E6 A3
.....b.. .Ehb.l..</div>
<div>[0050] 57 A7 E6 76 1C 7B 79 74 17 71 72 5B 72 38 DA 30
W..v..yt .qr.r8.0</div>
<div>[0060] 06 4D 15 1F 9B D1 A2 A5 01 01 00 00 00 00 00 00
.M...... ........</div>
<div>[0070] 80 38 3C 2A EA D6 D7 01 57 A7 E6 76 1C 7B 79 74
.8...... W..v..yt</div>
<div>[0080] 00 00 00 00 00 00 00 00 74 6F 74 6F 6E 74 6C 6D
........ totontlm</div>
<div>[0090] 70 72 6F 78 79
proxy</div>
<div>ntlmauth.cc(244): pid=31874 :ntlm_unpack_auth: size of 149</div>
<div>ntlmauth.cc(245): pid=31874 :ntlm_unpack_auth: flg 00088206</div>
<div>ntlmauth.cc(246): pid=31874 :ntlm_unpack_auth: lmr o(64)
l(24)</div>
<div>ntlmauth.cc(247): pid=31874 :ntlm_unpack_auth: ntr o(88)
l(48)</div>
<div>ntlmauth.cc(248): pid=31874 :ntlm_unpack_auth: dom o(136)
l(0)</div>
<div>ntlmauth.cc(249): pid=31874 :ntlm_unpack_auth: usr o(136)
l(4)</div>
<div>ntlmauth.cc(250): pid=31874 :ntlm_unpack_auth: wst o(140)
l(9)</div>
<div>ntlmauth.cc(251): pid=31874 :ntlm_unpack_auth: key o(0) l(0)</div>
<div>ntlmauth.cc(257): pid=31874 :ntlm_unpack_auth: Domain 't'
(len=1).</div>
<div><b>ntlmauth.cc(268): pid=31874 :ntlm_unpack_auth: Username
'toton' (len=5).</b></div>
<div>ntlm_fake_auth.cc(210): pid=31874 :sending 'AF toton' to
squid</div>
<font face="Arial"><br>
</font><br>
********* But when connecting any modern browser to squid
***********<br>
<br>
<div data-pm-slice="1 1 []" data-en-clipboard="true">[0000] 4E 54
4C 4D 53 53 50 00 01 00 00 00 07 82 08 A2 NTLMSSP. ........</div>
<div>[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
........ ........</div>
<div>[0020] 0A 00 63 45 00 00 00 0F
..cE.... </div>
<div>ntlm_fake_auth.cc(197): pid=31874 :sending 'TT' to squid with
data:</div>
<div>[0000] 4E 54 4C 4D 53 53 50 00 02 00 00 00 09 00 09 00
NTLMSSP. ........</div>
<div>[0010] AE AA AA AA 07 82 08 A2 C9 F0 4C 07 E0 79 9F CF
........ ..L..y..</div>
<div>[0020] 00 00 00 00 00 00 3A 00 57 4F 52 4B 47 52 4F 55
........ WORKGROU</div>
<div>[0030] 50 P</div>
<div>ntlm_fake_auth.cc(170): pid=31874 :Got 'YR' from Squid with
data:</div>
<div>[0000] 4E 54 4C 4D 53 53 50 00 01 00 00 00 07 82 08 A2
NTLMSSP. ........</div>
<div>[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
........ ........</div>
<div>[0020] 0A 00 63 45 00 00 00 0F
..cE.... </div>
<div>ntlm_fake_auth.cc(197): pid=31874 :sending 'TT' to squid with
data:</div>
<div>[0000] 4E 54 4C 4D 53 53 50 00 02 00 00 00 09 00 09 00
NTLMSSP. ........</div>
<div>[0010] AE AA AA AA 07 82 08 A2 49 12 A5 8A C8 17 3E 9D
........ I.......</div>
<div>[0020] 00 00 00 00 00 00 3A 00 57 4F 52 4B 47 52 4F 55
........ WORKGROU</div>
<div>[0030] 50 P</div>
<div>ntlm_fake_auth.cc(170): pid=31874 :Got 'YR' from Squid with
data:</div>
<div>[0000] 4E 54 4C 4D 53 53 50 00 01 00 00 00 07 82 08 A2
NTLMSSP. ........</div>
<div>[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
........ ........</div>
<div>[0020] 0A 00 63 45 00 00 00 0F
..cE.... </div>
<div>ntlm_fake_auth.cc(197): pid=31874 :sending 'TT' to squid with
data:</div>
<div>[0000] 4E 54 4C 4D 53 53 50 00 02 00 00 00 09 00 09 00
NTLMSSP. ........</div>
<div>[0010] AE AA AA AA 07 82 08 A2 09 6D 48 E6 12 9C 4B 30
........ .mH...K0</div>
<div>[0020] 00 00 00 00 00 00 3A 00 57 4F 52 4B 47 52 4F 55
........ WORKGROU</div>
<div>[0030] 50 P</div>
<div>ntlm_fake_auth.cc(170): pid=31874 :Got 'YR' from Squid with
data:</div>
<div>[0000] 4E 54 4C 4D 53 53 50 00 01 00 00 00 07 82 08 A2
NTLMSSP. ........</div>
<div>[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
........ ........</div>
<div>[0020] 0A 00 63 45 00 00 00 0F
..cE.... </div>
<div>ntlm_fake_auth.cc(197): pid=31874 :sending 'TT' to squid with
data:</div>
<div>[0000] 4E 54 4C 4D 53 53 50 00 02 00 00 00 09 00 09 00
NTLMSSP. ........</div>
<div>[0010] AE AA AA AA 07 82 08 A2 F5 F6 8C B4 16 B9 20 CD
........ ........</div>
<div>[0020] 00 00 00 00 00 00 3A 00 57 4F 52 4B 47 52 4F 55
........ WORKGROU</div>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 11/11/2021 at 08:40, Amos Jeffries
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:e2c4f5fa-b797-b532-ccfe-3c40f52e01fe@treenet.co.nz">On
11/11/21 14:12, David Touzeau wrote: <br>
<blockquote type="cite">Hi, <br>
I would like to use ntlm_fake_auth, but it seems Squid refuses
to switch to the authenticated user and returns a 407 to the
browser, and Squid never accepts the credentials. <br>
<br>
What am I missing? <br>
<br>
Configuration seems simple: <br>
auth_param ntlm program /lib/squid3/ntlm_fake_auth -v <br>
auth_param ntlm children 20 startup=5 idle=1 concurrency=0
queue-size=80 on-persistent-overload=ERR <br>
acl AUTHENTICATED proxy_auth REQUIRED <br>
http_access deny !AUTHENTICATED <br>
<br>
Here is the debug mode: <br>
<br>
</blockquote>
<br>
The log you presented shows the helper delivering a TT response
to Squid, which is the NTLM step 2 response token for a 407
challenge response. <br>
That is only sent if there were no auth headers received from
the client - which is correct per your config shown. <br>
<br>
The log snippet stops before Squid sends that response to the
client, so whatever follows is unknown. <br>
<br>
Amos <br>
_______________________________________________ <br>
squid-users mailing list <br>
<a class="moz-txt-link-abbreviated moz-txt-link-freetext"
href="mailto:squid-users@lists.squid-cache.org"
moz-do-not-send="true">squid-users@lists.squid-cache.org</a> <br>
<a class="moz-txt-link-freetext"
href="http://lists.squid-cache.org/listinfo/squid-users"
moz-do-not-send="true">http://lists.squid-cache.org/listinfo/squid-users</a>
<br>
</blockquote>
<br>
<br>
</blockquote>
<br>
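Added example, not part of the thread and not Squid's own code: a small decoder for the NTLMSSP header and NegotiateFlags, run over the two Type 1 (negotiate) messages from the helper debug output above, to show which flag bits the browser sets that curl does not. The function names are this example's own, and the flag names are shortened from MS-NLMP; it decodes the messages only and does not establish why Squid answers 407.<br>

```python
import struct

# NegotiateFlags bit names, a subset of MS-NLMP section 2.2.2.5 (shortened).
FLAGS = {
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
    0x00000010: "SIGN", 0x00000020: "SEAL", 0x00000080: "LM_KEY",
    0x00000200: "NTLM", 0x00008000: "ALWAYS_SIGN",
    0x00080000: "EXTENDED_SESSIONSECURITY", 0x00800000: "TARGET_INFO",
    0x02000000: "VERSION", 0x20000000: "KEY_128",
    0x40000000: "KEY_EXCH", 0x80000000: "KEY_56",
}
# Byte offset of NegotiateFlags per message type
# (1 = negotiate, 2 = challenge, 3 = authenticate).
FLAG_OFFSET = {1: 12, 2: 20, 3: 60}

def parse_ntlmssp(hex_bytes):
    """Decode type, flags and (Type 1 only) the optional version field."""
    raw = bytes.fromhex(hex_bytes)
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (mtype,) = struct.unpack_from("<I", raw, 8)
    off = FLAG_OFFSET.get(mtype)
    if off is None or len(raw) < off + 4:
        raise ValueError("unknown message type or truncated message")
    (flags,) = struct.unpack_from("<I", raw, off)
    names = {name for bit, name in FLAGS.items() if flags & bit}
    version = None
    if mtype == 1 and flags & 0x02000000 and len(raw) >= 40:
        major, minor, build = struct.unpack_from("<BBH", raw, 32)
        version = (major, minor, build, raw[39])  # raw[39] = NTLM revision
    return {"type": mtype, "flags": flags, "names": names, "version": version}

def flag_diff(a_hex, b_hex):
    """Flag names set in message b but not in message a."""
    return sorted(parse_ntlmssp(b_hex)["names"] - parse_ntlmssp(a_hex)["names"])

# Type 1 messages copied from the debug output in this thread.
CURL_T1 = ("4E 54 4C 4D 53 53 50 00 01 00 00 00 06 82 08 00"
           + " 00" * 16)
BROWSER_T1 = ("4E 54 4C 4D 53 53 50 00 01 00 00 00 07 82 08 A2"
              + " 00" * 16 + " 0A 00 63 45 00 00 00 0F")

if __name__ == "__main__":
    for label, msg in (("curl", CURL_T1), ("browser", BROWSER_T1)):
        info = parse_ntlmssp(msg)
        print(label, hex(info["flags"]), sorted(info["names"]), info["version"])
    print("browser-only flags:", flag_diff(CURL_T1, BROWSER_T1))
```
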
</body>
</html>