[squid-users] Squid 3.5.x and NTLM

Amos Jeffries squid3 at treenet.co.nz
Mon Nov 28 12:18:03 UTC 2016


On 29/11/2016 12:26 a.m., FredB wrote:
> Hello
> 
> I wonder if I can use NTLM auth without any integration in AD ?

No, proper NTLM requires a DC-allocated token to be presented by the
client. This token is unique per TCP connection attempt. There is no
username/password available to Squid in NTLM.

> Just interrogate the AD for user/password, I can do that ?

The SMB_LM helper performs a downgrade attack on the NTLM protocol and
decrypts the resulting username and password. Then it logs into AD using
Basic auth.
This requires that the client supports the extremely insecure LM auth.
Any sane client will not.

Alternatively, the 'fake' helper accepts any credentials the client
presents as long as they are correctly formatted in NTLM syntax.


Amos
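Added example (not Squid's code and not part of the thread): a small model of what the 'fake' helper Amos describes actually does with the bytes the client sends. It parses NTLM Type 1 and Type 3 messages just far enough to check the NTLMSSP framing and pull out DOMAIN\user, and answers in Squid's legacy NTLM helper line protocol (YR/KK in, TT/AF/NA/BH out). The framing, the all-zero reply shapes, the constructed challenge and the dummy NT response are assumptions for illustration; no response is ever verified, which is the whole point being made about the 'fake' helper.

```python
"""Model of the 'fake' NTLM helper behaviour described above.

Added example, not Squid's own code.  It parses NTLM Type 1 / Type 3
messages well enough to extract DOMAIN\\user and answers in the legacy
Squid NTLM helper line protocol (YR/KK in, TT/AF/NA/BH out), which is
an assumption about the framing rather than something the post states.
"""
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001          # strings are UTF-16LE when set
DEFAULT_CHALLENGE = bytes(range(1, 9))  # constructed; a real DC issues one per connection


def _buffer(data, at):
    """Decode an NTLM security buffer (len, maxlen, offset) and return its bytes."""
    length, _maxlen, start = struct.unpack_from("<HHI", data, at)
    if start + length > len(data):
        raise ValueError("security buffer points outside the message")
    return data[start:start + length]


def _check_header(data, expected_type, min_len):
    if len(data) < min_len or data[:8] != NTLM_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", data, 8)
    if msg_type != expected_type:
        raise ValueError(f"expected Type {expected_type}, got {msg_type}")


def build_type1(flags=NEGOTIATE_UNICODE):
    """Constructed client NEGOTIATE message (what Squid passes on a YR line)."""
    return NTLM_SIGNATURE + struct.pack("<II", 1, flags)


def parse_type1(data):
    _check_header(data, 1, 16)
    (flags,) = struct.unpack_from("<I", data, 12)
    return flags


def build_type2(challenge=DEFAULT_CHALLENGE, flags=NEGOTIATE_UNICODE):
    """CHALLENGE message with empty TargetName/TargetInfo (48-byte fixed header)."""
    if len(challenge) != 8:
        raise ValueError("server challenge must be 8 bytes")
    return (NTLM_SIGNATURE + struct.pack("<I", 2)
            + struct.pack("<HHI", 0, 0, 48)     # TargetName: empty
            + struct.pack("<I", flags)
            + challenge + b"\x00" * 8           # ServerChallenge, Reserved
            + struct.pack("<HHI", 0, 0, 48))    # TargetInfo: empty


def build_type3(domain, user, workstation, nt_response, flags=NEGOTIATE_UNICODE):
    """Constructed AUTHENTICATE message; nt_response is opaque here, not a real NTLMv2 proof."""
    enc = "utf-16-le"
    blobs = (b"", nt_response, domain.encode(enc), user.encode(enc),
             workstation.encode(enc), b"")   # LM, NT, Domain, User, Workstation, SessionKey
    fields, payload = b"", b""
    for blob in blobs:
        fields += struct.pack("<HHI", len(blob), len(blob), 64 + len(payload))
        payload += blob
    return NTLM_SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload


def parse_type3(data):
    """Return (domain, user, workstation, nt_response); raise ValueError if malformed."""
    _check_header(data, 3, 64)
    (flags,) = struct.unpack_from("<I", data, 60)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    nt_response = _buffer(data, 20)
    domain = _buffer(data, 28).decode(enc)
    user = _buffer(data, 36).decode(enc)
    workstation = _buffer(data, 44).decode(enc)
    if not user:
        raise ValueError("empty user name")
    return domain, user, workstation, nt_response


def squid_line(cmd, blob):
    """Encode a helper-protocol line the way Squid sends it: '<CMD> <base64>'."""
    return f"{cmd} {base64.b64encode(blob).decode()}"


def decode_line(line):
    cmd, _, b64 = line.strip().partition(" ")
    return cmd, base64.b64decode(b64, validate=True) if b64 else b""


def fake_helper_line(line, challenge=DEFAULT_CHALLENGE):
    """Answer one Squid line as the 'fake' helper would: syntax is checked, nothing is verified."""
    try:
        cmd, blob = decode_line(line)
        if cmd == "YR":
            parse_type1(blob)
            return squid_line("TT", build_type2(challenge))
        if cmd == "KK":
            domain, user, _ws, _nt = parse_type3(blob)
            # No DC is consulted: any well-formed Type 3 is accepted as-is.
            return f"AF {domain}\\{user}" if domain else f"AF {user}"
        return f"BH unknown command {cmd!r}"
    except ValueError as exc:          # binascii.Error is a ValueError subclass
        return f"NA {exc}"


if __name__ == "__main__":
    print(fake_helper_line(squid_line("YR", build_type1())))
    t3 = build_type3("CORP", "fredb", "WS1", b"\xaa" * 24)
    print(fake_helper_line(squid_line("KK", t3)))  # AF CORP\fredb
```

Read the KK branch as the security summary of the 'fake' helper: the client gets back whatever name it put in the Type 3 message, so the username in access.log is self-asserted, not authenticated. A helper that actually authenticates has to hand the challenge/response pair to a DC (or a Samba winbind) and act on its answer, which is why the post says NTLM cannot be done without AD integration.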


