[squid-users] ntlmssp: bad ascii: ffffffab (Lan Manager auth broken?)

Victor Sudakov sudakov at sibptus.tomsk.ru
Tue Oct 7 04:08:32 UTC 2014


James Harper wrote:
> > No, adding Basic is not an option because I will have to provide
> > special "proxy passwords" to the users, or make them enter their
> > Windows passwords by hand. This is highly undesirable. Once they
> > log on to Windows, they must have (or not have) Web access
> > transparently.
> > 
> > If you know how to achieve SSO with Basic auth, please share.
> > 
> 
> I have a few ideas for out-of-band SSO, some of which I have experimented with...

[dd]

> 
> 3. some bastardisation of identd. I've posted before about this.
> Identd assumes that the destination server is asking "who owns this
> connection" and so only gives port numbers because the IP is assumed
> from the ident connection (I have patched squid to fake the source
> address of the destination server so it works in transparent mode).
> Ident also has some serious security shortcomings, but they wouldn't
> be hard to solve. This new ident protocol would need:

I even know/use a couple of identd services for Windows,
http://sourceforge.net/projects/retinascan/ is a good one.

The sad irony is that ident lookups are also broken in squid34 (the
ident code leaks memory).

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru

