[squid-dev] Squid 3.5.11 ntlm helper crashes
Amos Jeffries
squid3 at treenet.co.nz
Wed Jan 6 12:06:24 UTC 2016
On 6/01/2016 11:49 p.m., manojmaybe wrote:
> I have used squid 3.3.13 is used as proxy server with ntlm authentication.
> For detecting client ip in ntlm messages i have write a patch in squid
> source that pass client ip to ntlm helper messages.
What do you mean "detecting client IP in NTLM messages" ?
IP address of the client plays no part in NTLM authentication. The
security credentials token is supposed to be generated unique with each
new TCP connection regardless of IP. Squid ties the resulting
credentials to the TCP connection state.
If you are using IP address to speed up NTLM and "bypass" auth system
limits. Then you are only destrying the one last remainign security
protectino NTLM offers by adding replay vulnerability to the already
weak NTLM crypto problems.
<snip>
>
> This patch is successfully running.
> Currently i upgraded to squid 3.5.11 with ntlm authentication. In 3.5.11
> version an squid directive is used to pass key extras to ntlm helpers such
> as client ip, i used shown below
There are 2 differences between the patch and the key-extras feature.
1) key-extras places the exatra bits in separate (space delimited)
fields after the credentials token.
2) key-extras does *not* embed the IP into the auth token used to verify
future requests on the same persistent connection.
>
> auth_param ntlm program /usr/local/helpers/ntlmauthenticator
> auth_param ntlm children 3000 startup=0 idle=0
idle should not be 0. It is the number of helpers to start when more are
needed.
> auth_param ntlm keep_alive on
> auth_param ntlm key_extras "%>a"
>
> This configuration directive i used to pass client ip to my ntlm helper, and
> also changes made on ntlm helper program for handling ntlm hand shake
> messages. But after few houres (nearly 3 hour ) running the squid, the ntlm
> helper is crashed or sometimes squid is crashed and restarted when more than
> 1000 request/second is received (as per squid cache manager)
How?
The helper crashing sounds like your helper code is broken.
If any helper crashes often enough Squid will self-terminate (not
"crash") to protect itself and any other services operating on the machine.
Amos
More information about the squid-dev
mailing list