On Fri, 27 Oct 2000, Robert Collins wrote:
> Getting a new challenge on *every request* provides the best security (given
> NTLM's capabilities :-]) but means that the challenge-authenticate cache
> will never receive a cache hit. Using the same challenge for a few minutes

Right, but that was not what I meant. Sorry, I probably should have made
myself clearer: Not a new challenge for every request. But instead a new
challenge for every request that misses the cache. Or, looked at from the
other side: A new challenge for every request to the DC (not from squid to
the helper).

As I interpret the source, currently the same challenge is used for every
authentication to the DC (until the connection fails, then it gets a new one;
unfortunately this is too late in the authentication handshake then, so
this attempt is doomed to fail). Security-wise, this looks pretty odd to
me... Not that that would account for anything ;-).

From the logs I have the feeling that the DC dislikes that. It wants a new
connection and challenge for every user.

From the hack^H^H^H^Hpatch I sent very shortly before, this should be
clear.

Michael.

--
Michael Weller: eowmob@exp-math.uni-essen.de, eowmob@ms.exp-math.uni-essen.de,
or even mat42b@spi.power.uni-essen.de. If you encounter an eowmob account on
any machine in the net, it's very likely it's me.

Received on Fri Oct 27 2000 - 05:14:15 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:56:00 MST