Discussion:
NTLMV2 authentication;
Markus Moeller via curl-library
2018-11-10 15:04:06 UTC
Hi,

I am trying to find out if curl supports NTLMv2 auth and NTLM2SessionResponse (like HTTPClient
https://hc.apache.org/httpcomponents-client-ga/ntlm.html ) for Web and proxy auth. From what I read this is not (yet?) the case, but more Active Directory administrators are starting to disable the weaker auth methods, i.e. I think it will be needed.

Can someone confirm the status please ?

Thank you
Markus
Marcel Raad via curl-library
2018-11-10 21:54:33 UTC
Hi Markus,

(sorry, my Outlook can only reply properly to plain text mails)

support for NTLMv2 was added in version 7.36.0:
https://github.com/curl/curl/commit/86724581b6c02d160b52f817550cfdfc9c93af62

Marcel

Markus Moeller via curl-library
2018-11-17 17:30:20 UTC
Hi Marcel,

Thank you for the pointer, but it seems not to be correctly implemented.

I have attached a capture from IE vs. a capture from curl. IE works and curl fails. I did some minor modification to /lib/vauth/ntlm.c to ignore target_info_len after which it worked.


/* original check */
#if defined(USE_NTRESPONSES) && defined(USE_NTLM_V2)
  if(ntlm->target_info_len) {
    unsigned char ntbuffer[0x18];
    unsigned char entropy[8];
    unsigned char ntlmv2hash[0x18];


/* modified to ignore target_info_len */
#if defined(USE_NTRESPONSES) && defined(USE_NTLM_V2)
  if( 1 == 1 ) {
    unsigned char ntbuffer[0x18];
    unsigned char entropy[8];
    unsigned char ntlmv2hash[0x18];


Now I don’t know what is the reason for this check in the code and why it makes it work.

Does anybody know ? Can it be fixed (assuming it is wrong as is ) ?

Thank you
Markus
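
The branch quoted in the message above is taken only when the server's Type-2 (challenge) message carried a target info block, so checking a capture for that block shows which path a client with this check will follow. The following is an added example, not code from curl or from this thread: it reads the target info length from a Type-2 message using the field offsets of Microsoft's MS-NLMP layout; the function names and the sample message are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NEGOTIATE_TARGET_INFO 0x00800000u /* NTLMSSP_NEGOTIATE_TARGET_INFO */

static uint32_t rd_le(const unsigned char *p, int n) /* little-endian read */
{
  uint32_t v = 0;
  while(n--)
    v = (v << 8) | p[n];
  return v;
}

/* Length of the target info block in a Type-2 (challenge) message:
   0 if the server sent none, -1 if the message is malformed. */
int type2_target_info_len(const unsigned char *msg, size_t len)
{
  uint32_t tlen, toff;
  if(len < 32 || memcmp(msg, "NTLMSSP", 8) != 0 || rd_le(msg + 8, 4) != 2)
    return -1;                 /* bad signature or not a Type-2 message */
  if(!(rd_le(msg + 20, 4) & NEGOTIATE_TARGET_INFO) || len < 48)
    return 0;                  /* flag clear or header too short for the field */
  tlen = rd_le(msg + 40, 2);   /* security buffer: length */
  toff = rd_le(msg + 44, 4);   /* security buffer: offset from message start */
  if(tlen && (toff < 48 || toff > len || tlen > len - toff))
    return -1;                 /* buffer points outside the message */
  return (int)tlen;
}

/* Constructed sample, not a capture: Type-2 message with (ti=1) or without
   (ti=0) a 4-byte MsvAvEOL-only target info block. buf must hold 52 bytes. */
size_t sample_type2(unsigned char *buf, int ti)
{
  memset(buf, 0, 52);
  memcpy(buf, "NTLMSSP", 8);      /* signature, including the NUL */
  buf[8] = 2;                     /* message type 2 */
  buf[20] = 0x01; buf[21] = 0x02; /* flags: UNICODE | NTLM */
  if(ti) {
    buf[22] = 0x80;               /* flags |= NEGOTIATE_TARGET_INFO */
    buf[40] = buf[42] = 4; buf[44] = 48; /* len, maxlen, offset */
  }
  return ti ? 52 : 32;
}

int main(void)
{
  unsigned char m[52];
  printf("without target info: %d\n", type2_target_info_len(m, sample_type2(m, 0)));
  printf("with target info:    %d\n", type2_target_info_len(m, sample_type2(m, 1)));
}
```

To use it on real traffic, Base64-decode the token from the server's `WWW-Authenticate: NTLM` or `Proxy-Authenticate: NTLM` header and pass the decoded bytes in.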




Daniel Stenberg via curl-library
2018-11-17 17:42:03 UTC
On Sat, 17 Nov 2018, Markus Moeller wrote:

(removed curl-users as a recipient)
Post by Markus Moeller via curl-library
Thank you for the pointer, but it seems not to be correctly implemented.
That's basically the eternal state of NTLM in a nutshell...
Post by Markus Moeller via curl-library
I did some minor modification to /lib/vauth/ntlm.c to ignore target_info_len
after which it worked.
Can you perhaps make a full fledged PR out of this suggested change?
Post by Markus Moeller via curl-library
Now I don't know what is the reason for this check in the code and why it
makes it work.
Does anybody know ? Can it be fixed (assuming it is wrong as is ) ?
It is only code, I'm sure it can be fixed.

As to *why* it works like this, I would presume that the only safe way to
figure out is to backtrack in the commit history and see if the commit that
brought the change explained it, but I doubt it.

So, we're left to reading the code and trying to figure out why the check is
there... and when I try to, I fail to explain it. =(
--
/ daniel.haxx.se
Markus Moeller via curl-library
2018-12-09 23:24:03 UTC
Hi

How can I progress the patch https://github.com/curl/curl/pull/3287 I
provided ?

Could others test against an AD which allows the different combinations and
in particular the last, i.e. DCs refuse LM and NTLM (accept only NTLMv2
authentication) to confirm the changes work in all cases ? It seems to work
for me.

MS client/DC options

Send LM & NTLM responses:
Clients use LM and NTLM authentication, and never use NTLMv2 session
security;
DCs accept LM, NTLM, and NTLMv2 authentication.

Send LM & NTLM - use NTLMv2 session security if negotiated:
Clients use LM and NTLM authentication, and use NTLMv2 session security if
server supports it;
DCs accept LM, NTLM, and NTLMv2 authentication.

Send NTLM response only:
Clients use NTLM authentication only, and use NTLMv2 session security if
server supports it;
DCs accept LM, NTLM, and NTLMv2 authentication.

Send NTLMv2 response only:
Clients use NTLMv2 authentication only, and use NTLMv2 session security if
server supports it;
DCs accept LM, NTLM, and NTLMv2 authentication.

Send NTLMv2 response only\refuse LM:
Clients use NTLMv2 authentication only, and use NTLMv2 session security if
server supports it;
DCs refuse LM (accept only NTLM and NTLMv2 authentication).

Send NTLMv2 response only\refuse LM & NTLM:
Clients use NTLMv2 authentication only, and use NTLMv2 session security if
server supports it;
DCs refuse LM and NTLM (accept only NTLMv2 authentication).


Thank you
Markus






-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html

