
curl-library

Re: NTLM Authentication

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 24 Jun 2003 16:43:58 +0200 (CEST)

On Tue, 24 Jun 2003 eglass1_at_attbi.com wrote:

I bow my head humbly and thank you for your insights and help. Your help makes
libcurl better!

> a) You can force OEM by leaving out the Unicode flag. Almost all
> servers support Unicode, so if you specify both Unicode will typically be
> selected by the server. If you don't have Unicode tools available forcing
> OEM is typically easier to deal with.

Right, I have no Unicode tools so using OEM will indeed be easier.

[snip]

> This leaves you with 0x00000202 for the flags. This further simplifies
> things because you can send an empty domain/workstation name, which makes
> the entire type 1 message a constant.

Yeps, I just tried this and it works fine!

> You would use the same flags in the type 3 message; in fact, you could
> probably get away with using the Win9x-style type 3 message (which leaves
> off the session key and flags altogether).

The weird thing here is that I tried sending the username "unicodified" in the
type-3 (even though I set it to OEM in the type-1) and it still worked. Then I
made it an OEM one and that works too...

> 2) You don't *have* to send both the LM and the NTLM responses; either one
> by itself is feasible. In fact, using just the NTLM response is more secure
> (LM is fairly easy to crack). However, without the LM response you won't be
> able to connect to Win9x-based servers (typically "Personal Web Server",
> although there aren't too many of those left anymore). Some implementations
> (notably Jakarta's HttpClient and Win9x browsers) just send the LM response
> with an NT response of length 0.

Cool. This works too when I run tests on the only live test-server I know
(thanks again Mathias!)

Want some feedback on your document? I'll give you some:

* It is truly excellent and filled with all those tiny details that weren't
  specified anywhere else.

* The hash algorithms are tricky to follow as they're written in plain
  English. The kind of pseudo-code available in the innovation page is a lot
  easier (at least to my thick head). In fact, you could even include working
  C code (using OpenSSL or similar).

-- 
 Daniel Stenberg -- curl: been grokking URLs since 1998
Received on 2003-06-24
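
Added example, not part of the original mail and not libcurl's own code: the constant type 1 message discussed above, built with flags 0x00000202 and empty domain/workstation buffers, plus a check that reads the flags back and confirms only OEM (no Unicode) is offered. The function names, the 32-byte layout and the buffer offset of 32 are assumptions taken from the publicly documented NTLM message format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NTLM_NEGOTIATE_UNICODE 0x00000001u
#define NTLM_NEGOTIATE_OEM     0x00000002u
#define NTLM_NEGOTIATE_NTLM    0x00000200u
#define TYPE1_LEN 32u  /* signature + type + flags + two security buffers */

static void put_le32(unsigned char *p, uint32_t v) {
  for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i));
}
static uint32_t get_le32(const unsigned char *p) {
  return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
         (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Empty security buffer: length 0, allocated 0, offset just past the header
   (the offset value is a choice made for this example). */
static void put_empty_secbuf(unsigned char *p) {
  memset(p, 0, 4);
  put_le32(p + 4, TYPE1_LEN);
}
/* Build a type 1 message with empty domain and workstation; returns its size. */
size_t ntlm_build_type1(unsigned char out[TYPE1_LEN], uint32_t flags) {
  memcpy(out, "NTLMSSP", 8);      /* 7 characters plus the terminating NUL */
  put_le32(out + 8, 1);           /* message type 1 */
  put_le32(out + 12, flags);
  put_empty_secbuf(out + 16);     /* supplied domain */
  put_empty_secbuf(out + 24);     /* supplied workstation */
  return TYPE1_LEN;
}
/* Read the flags of a type 1 message; returns -1 if it is not one. */
int ntlm_type1_flags(const unsigned char *msg, size_t len, uint32_t *flags) {
  if (len < 16 || memcmp(msg, "NTLMSSP", 8) != 0 || get_le32(msg + 8) != 1)
    return -1;
  *flags = get_le32(msg + 12);
  return 0;
}
/* 1 when OEM is offered and Unicode is not, so the server must pick OEM. */
int ntlm_is_oem_only(uint32_t flags) {
  return (flags & NTLM_NEGOTIATE_OEM) && !(flags & NTLM_NEGOTIATE_UNICODE);
}
int main(void) {
  unsigned char msg[TYPE1_LEN];
  size_t n = ntlm_build_type1(msg, NTLM_NEGOTIATE_OEM | NTLM_NEGOTIATE_NTLM);
  for (size_t i = 0; i < n; i++) printf("%02x", msg[i]);
  putchar('\n');
  return 0;
}
```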