curl / Mailing Lists / curl-library / Single Mail

curl-library

Re: NTLMV2 authentication;

From: Markus Moeller via curl-library <curl-library_at_cool.haxx.se>
Date: Sun, 9 Dec 2018 23:24:03 -0000

Hi

How can I progress the patch https://github.com/curl/curl/pull/3287 I
provided ?

Could others test against an AD which allows the different combinations and
in particular the last i.e DCs refuse LM and NTLM (accept only NTLMv2
authentication) to confirm the changes work in all cases ? It seems to work
for me.

MS client/DC options

Send LM & NTLM responses:
Clients use LM and NTLM authentication, and never use NTLMv2 session
security;
DCs accept LM, NTLM, and NTLMv2 authentication.

Send LM & NTLM - use NTLMv2 session security if negotiated:
Clients use LM and NTLM authentication, and use NTLMv2 session security if
server supports it;
DCs accept LM, NTLM, and NTLMv2 authentication.

Send NTLM response only:
Clients use NTLM authentication only, and use NTLMv2 session security if
server supports it;
DCs accept LM, NTLM, and NTLMv2 authentication.

Send NTLMv2 response only:
Clients use NTLMv2 authentication only, and use NTLMv2 session security if
server supports it;
DCs accept LM, NTLM, and NTLMv2 authentication.

Send NTLMv2 response only\refuse LM:
Clients use NTLMv2 authentication only, and use NTLMv2 session security if
server supports it;
DCs refuse LM (accept only NTLM and NTLMv2 authentication).

Send NTLMv2 response only\refuse LM & NTLM:
Clients use NTLMv2 authentication only, and use NTLMv2 session security if
server supports it;
DCs refuse LM and NTLM (accept only NTLMv2 authentication).

Thank you
Markus

-----Original Message-----
From: Daniel Stenberg via curl-library
Sent: Saturday, November 17, 2018 5:42 PM Newsgroups:
gmane.comp.web.curl.library
To: libcurl development
Cc: Daniel Stenberg ; Markus Moeller
Subject: Re: NTLMV2 authentication;

On Sat, 17 Nov 2018, Markus Moeller wrote:

(removed curl-users as a recepient)

> Thank you for the pointer, but it seems not to be correctly implement.

That's basically the eternal state of NTLM in a nutshell...

> I did some minor modification to /lib/vauth/ntlm.c to ignore
> target_info_len
> after which it worked.

Can you perhaps make a full fledged PR out of this suggested change?

> Now I don’t know what is the reason for this check in the code and why it
> makes it work.
>
> Does anybody know ? Can it be fixed (assuming it is wrong as is ) ?

It is only code, I'm sure it can be fixed.

As to *why* it works like this, I would presume that the only safe way to
figure out is to backtrack in the commit history and see if the commit that
brought the change explained it, but I doubt it.

So, we're left to reading the code and trying to figure out why the check is
there... and when I try to, I fail to explain it. =(

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html 
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html
Received on 2018-12-10