Re: SPNEGO in Squid

From: Andrew Bartlett <abartlet@dont-contact.us>
Date: Wed, 14 Jul 2004 00:12:14 +1000

On Tue, 2004-07-13 at 08:07, Henrik Nordstrom wrote:
> On Mon, 12 Jul 2004, Andrew Bartlett wrote:
>
> > I'm about to dive head-long into writing the SPNEGO support for Squid,
> > unless I can somehow bribe a real squid dev onto the task.
>
> Great!
>
> I am still trying to allocate time for this myself. Main hindrance is
> that the NT testbed I had with an AD domain unfortunately is no more which
> somewhat complicates testing..

Well, my primary reason for doing Negotiate support requires no NT, so
don't let that be a hindrance :-)

> > SPNEGO in Squid is an interesting point - as far as I understand it,
> > SPNEGO (Negotiate) HTTP support is not specified (in terms of the RFC)
> > to a proxy server, only to a HTTP origin server. I see no reason for
> > this silly restriction, and I'm going to play with Mozilla and IE to see
> > what we can make them do. (Mozilla just gained SPNEGO via SSPI,
> > including transparent NTLM).
>
> Fully agree. I do remember asking about this when the draft was released
> and from what I can remember I was given the answer that the draft only
> documents what was implemented by Microsoft to date of the draft and that
> "Negotiate" to proxies may well appear in later versions.

Now it starts to make sense :-)

> From a look at the protocol there is absolutely nothing which stops
> "Negotiate" or SPNEGO from being used in proxy authentication.
>
> > So, I am trying to follow the advice offered in the programming guide,
> > which says to copy the closest auth module, and go. Does the list have
> > any particular tricks or traps I should know about?
>
> None other than that the closest is the ntlm module which is a bit of an
> ugly mess due to the (slightly broken) support for challenge reuse which
> will be of no use and only a hindrance to implementing "Negotiate" support.

Yes - I've tried to understand it, but it seems very tied to the idea of
exactly 3 legs. Negotiate can have 1 - 4 legs, or even more.

> > I realise that new code should be in Squid3 - but is Squid 2.5's NTLM
> > code more mature?
>
> Currently the Squid 2.5 NTLM code is more mature, but the problematic areas
> are in relation to the challenge reuse and response caching which
> isn't really of any use here so you should not need to worry so much about
> this.
>
> It should be OK to start loosely from the ntlm module, mostly as a
> template for an authentication module and some hints on how the stateful
> helper system works.. if you throw away most of the inner guts and
> cachings of the ntlm module you should have a pretty clean plate to
> work from. This can be done in either 2.5 or 3, but if done in 2.5 then
> some work will need to be duplicated to port to 3 so I would recommend 3.

It's lines like:

    fatal ("unusable");

That scare me about Squid3 :-). I'm easy in the Samba code, but Squid
just isn't something I know much about.

I could really do with some help at least identifying the 'new auth
header', 'new connection' and 'next state from helper' functions. From
there, it really *should* be simple :-)

I can't tell which magic state is needed, and which is fluff...

I'll have a Mozilla-compatible ntlm_auth mode, that allows fallback to
GSSAPI if SPNEGO isn't selected by the client, available in the very near
future.

Otherwise, Mozilla on windows, should work with SPNEGO, with the Samba3
ntlm_auth.

Thanks,

Andrew Bartlett
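Added example (mine, not code from this thread, from Squid or from Samba): a Python model of the multi-leg "Proxy-Authenticate: Negotiate" exchange the message describes. It shows why the ntlm module's fixed three-leg assumption does not fit: the proxy's per-connection state machine just keeps issuing 407s with the helper's continuation token until the helper says the context is established. `FakeHelper` is a constructed stand-in for the stateful helper (its TT/AF/NA reply codes mirror the ones Squid's stateful helpers use; the leg count it demands is a parameter). The token builders emit the minimal DER shape of a SPNEGO InitialContextToken (tag 0x60, OID 1.3.6.1.5.5.2, NegTokenInit [0]) and NegTokenResp ([1]); the 8-leg sanity bound and the user name "alice" are assumptions.

```python
"""Model of a multi-leg HTTP "Negotiate" (SPNEGO) proxy-auth exchange (constructed example)."""
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")  # 1.3.6.1.5.5.2 in DER encoding


def _der_len(buf, i):
    """Return (length, index after the length octets) for the DER length at buf[i]."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def classify_token(token):
    """Say what kind of blob arrived in a Negotiate header (clients also send raw NTLM there)."""
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlmssp"
    if token[:1] == b"\x60":  # GSS-API InitialContextToken: [APPLICATION 0]
        _, i = _der_len(token, 1)
        if token[i:i + 1] == b"\x06":
            oid_len, j = _der_len(token, i + 1)
            if token[j:j + oid_len] == SPNEGO_OID:
                return "spnego-init" if token[j + oid_len:j + oid_len + 1] == b"\xa0" else "spnego-unknown"
        return "gss-other"  # e.g. a raw Kerberos AP-REQ under another mech OID
    if token[:1] == b"\xa1":  # NegTokenResp [1]
        return "spnego-resp"
    return "unknown"


def make_init_token(mech_token=b""):
    """Constructed minimal InitialContextToken wrapping a NegTokenInit (lengths < 128 only)."""
    neg_init = b"\x30" + bytes([len(mech_token)]) + mech_token
    neg_init = b"\xa0" + bytes([len(neg_init)]) + neg_init
    body = b"\x06\x06" + SPNEGO_OID + neg_init
    return b"\x60" + bytes([len(body)]) + body


def make_resp_token(payload=b""):
    """Constructed minimal NegTokenResp; payload is the inner SEQUENCE content."""
    inner = b"\x30" + bytes([len(payload)]) + payload
    return b"\xa1" + bytes([len(inner)]) + inner


ACCEPT_COMPLETED = b"\xa0\x03\x0a\x01\x00"   # negState [0] ENUMERATED accept-completed
ACCEPT_INCOMPLETE = b"\xa0\x03\x0a\x01\x01"  # negState [0] ENUMERATED accept-incomplete


class FakeHelper:
    """Stand-in for a stateful auth helper: TT = continue, AF = accepted, NA = refused."""

    def __init__(self, legs_needed, user="alice"):
        self.legs_needed, self.user, self.seen = legs_needed, user, 0

    def __call__(self, token):
        kind = classify_token(token)
        if self.seen == 0 and kind != "spnego-init":
            return "NA", b"", "first leg must be a NegTokenInit"
        if self.seen and kind != "spnego-resp":
            return "NA", b"", "continuation must be a NegTokenResp"
        self.seen += 1
        if self.seen < self.legs_needed:
            return "TT", make_resp_token(ACCEPT_INCOMPLETE), ""
        return "AF", make_resp_token(ACCEPT_COMPLETED), self.user


class NegotiateConnState:
    """Per-TCP-connection auth state: the chain is bound to the connection, never cached across."""
    MAX_LEGS = 8  # assumed sanity bound; SPNEGO itself fixes no leg count

    def __init__(self, helper):
        self.helper, self.user, self.legs = helper, None, 0

    def handle_request(self, proxy_authorization):
        """Return (status, headers) for one request on this connection."""
        if self.user is not None:
            return 200, {}
        if not proxy_authorization or not proxy_authorization.startswith("Negotiate "):
            return 407, {"Proxy-Authenticate": "Negotiate"}
        try:
            token = base64.b64decode(proxy_authorization[len("Negotiate "):], validate=True)
        except ValueError:
            return 400, {}
        self.legs += 1
        if self.legs > self.MAX_LEGS:
            return 403, {}
        code, out, info = self.helper(token)
        b64 = base64.b64encode(out).decode()
        if code == "TT":
            return 407, {"Proxy-Authenticate": "Negotiate " + b64}
        if code == "AF":
            self.user = info
            return 200, {"Proxy-Authentication-Info": "Negotiate " + b64}
        return 407, {"Proxy-Authenticate": "Negotiate"}  # NA: restart from scratch


def run_exchange(legs_needed):
    """Drive a client against one connection; return (status, legs, user, transcript)."""
    conn = NegotiateConnState(FakeHelper(legs_needed))
    status, hdrs = conn.handle_request(None)  # first request carries no credentials
    transcript = [(status, hdrs.get("Proxy-Authenticate"))]
    token = make_init_token()
    while status == 407:
        status, hdrs = conn.handle_request("Negotiate " + base64.b64encode(token).decode())
        challenge = hdrs.get("Proxy-Authenticate", "")
        transcript.append((status, challenge))
        if status == 407:
            if challenge == "Negotiate":
                break  # bare challenge after a token means NA: give up
            token = make_resp_token(ACCEPT_INCOMPLETE)
    return status, conn.legs, conn.user, transcript


if __name__ == "__main__":
    for n in (1, 2, 4):
        print(n, "leg(s):", run_exchange(n)[:3])
```

Note the per-connection object: because the context is tied to the TCP connection, an authenticated state must never be carried over to a different connection, which is exactly the challenge-reuse and response-caching machinery the reply above says to throw away.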

Received on Tue Jul 13 2004 - 08:12:26 MDT

This archive was generated by hypermail pre-2.1.9 : Sat Jul 31 2004 - 12:00:03 MDT