
Remove basic_smb_lm_auth helper (#2014)

This helper implementation is based on an old snapshot and adaptation of
Samba code. The Samba project offers a more secure and better-maintained
tool.
This commit is contained in:
Francesco Chemolli 2025-03-11 16:34:23 +00:00 committed by Squid Anubis
parent fd63bf56cd
commit 8f2566c72c
12 changed files with 7 additions and 467 deletions


@ -2536,7 +2536,6 @@ AC_CONFIG_FILES([
src/auth/basic/RADIUS/Makefile
src/auth/basic/SASL/Makefile
src/auth/basic/SMB/Makefile
src/auth/basic/SMB_LM/Makefile
src/auth/basic/SSPI/Makefile
src/auth/digest/Makefile
src/auth/digest/eDirectory/Makefile


@ -36,6 +36,9 @@ The Squid-@SQUID_RELEASE@ change history can be <url url="https://github.com/squ
<sect1>Helper changes
<p>
<descrip>
<p>Removed <em>basic_smb_lm_auth</em> NTLM authentication helper.
Use the <em>ntlm_auth</em> helper from the Samba project instead.
<p>Removed <em>ext_lm_group_acl</em> external acl helper. No product
currently on the market suports the LanManager protocol
in their default configuration.
@ -102,6 +105,10 @@ This section gives an account of those changes in three categories:
<sect1>Changes to existing options<label id="modifiedoptions">
<p>
<descrip>
<tag>--enable-auth-basic=</tag>
<p>Removed <em>SMB_LM</em> helper, in favour of the <em>ntlm_auth</em>
alternative offered by the Samba project.
<tag>--enable-auth-ntlm=</tag>
<p>Removed <em>SMB_LM</em> helper, in favour of the <em>ntlm_auth</em>
alternative offered by the Samba project.


@ -19,7 +19,6 @@ DIST_SUBDIRS = \
RADIUS \
SASL \
SMB \
SMB_LM \
SSPI
SUBDIRS = $(BASIC_AUTH_HELPERS)


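--- a/src/auth/basic/SMB_LM/Makefile.am
+++ b/src/auth/basic/SMB_LM/Makefile.am
@@ -1,27 +0,0 @@
-## Copyright (C) 1996-2023 The Squid Software Foundation and contributors
-##
-## Squid software is distributed under GPLv2+ license and includes
-## contributions from numerous individuals and organizations.
-## Please see the COPYING and CONTRIBUTORS files for details.
-##
-include $(top_srcdir)/src/Common.am
-libexec_PROGRAMS= basic_smb_lm_auth
-basic_smb_lm_auth_SOURCES = \
-msntauth.cc \
-msntauth.h \
-valid.cc \
-valid.h
-basic_smb_lm_auth_LDADD= \
-$(top_builddir)/lib/smblib/libsmblib.la \
-$(top_builddir)/lib/rfcnb/librfcnb.la \
-$(top_builddir)/lib/libmiscencoding.la \
-$(COMPAT_LIB) \
-$(XTRA_LIBS)
-EXTRA_DIST= \
-msntauth-v2.0.lsm \
-README.html \
-required.m4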


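--- a/src/auth/basic/SMB_LM/README.html
+++ b/src/auth/basic/SMB_LM/README.html
@@ -1,151 +0,0 @@
-<HTML>
-<HEAD>
-<TITLE>MSNTAUTH readme</TITLE>
-</HEAD>
-<BODY BGCOLOR="#FFFFFF">
-<!--
-If you require this document in text form, download the
-HTML-text package from http://members.tripod.com/stellarx.
--->
-<H1>
-MSNT Auth v3.0.0<BR>
-Squid web proxy NT authentication module<BR>
-Modified by the Squid HTTP Proxy team<BR>
-Original release by Antonino Iannella, Stellar-X Pty Ltd<BR>
-</H1>
-<H2>Contents</H2>
-<UL>
-<LI> <A HREF="#introduction">Introduction</A>
-<LI> <A HREF="#installation">Installation</A>
-<LI> <A HREF="#configuration">Configuration</A>
-<LI> <A HREF="#squid">Squid.conf changes</A>
-<LI> <A HREF="#testing">Testing</A>
-<LI> <A HREF="#contact">Support details</A>
-</UL>
-<A NAME="introduction"><H2>Introduction</H2>
-<P>
-This is an authentication module for the Squid proxy server
-to use an NT domain server.
-<P>
-It originates from the Samba and SMB packages by Andrew Tridgell
-and Richard Sharpe. It is sourced from the Pike
-authentication module by William Welliver (hwellive@intersil.com),
-and the SMB 1.0.1 libraries.
-Releases up to version 2.0.3 were created by Antonino Iannella
-(antonino@rager.com.au, http://stellarx.tripod.com).
-The module is now distributed with Squid, and is maintained by the
-Squid proxy team as an Open Source effort.
-Msntauth is released under the GNU General Public License.
-<P>
-<i>basic_msnt_auth</i> follows the standard Squid basic authentication helper protocol.
-See <a href="https://wiki.squid-cache.org/Features/AddonHelpers#basic-scheme"
->https://wiki.squid-cache.org/Features/AddonHelpers#basic-scheme</a> for details.
-Problems are logged to syslog.
-<P>
-Msntauth works in environments with NT domain controllers on
-Windows (TM) NT 4, 2000, and Samba. It only uses the ancient <i>Lanman</i> protocol,
-the authenticating systems must be configured to accept it.
-<A NAME="installation"><H2>Installation</H2>
-<P>
-Msntauth will be compiled when you compile Squid, using
-their autoconf system.
-Refer to Squid documentation for details.
-If the build is suitable, you can skip this section.
-<A NAME="configuration"><H2>Configuration</H2>
-<P>
-As of version 3.0.0, a configuration file is no longer needed.
-The specification of the domains and domain controllers to use is
-passed as a list of arguments on the command line.
-The syntax is:
-<PRE>
-basic_msnt_auth domain1/domaincontroller1 [domain2/domaincontroller2 ...]
-</PRE>
-An arbitrary number of domain controllers can be specified, for any number of daomains.
-Domain controllers will be attempted in the same order they are configured, until
-any of them successfully authenticates the user passed by squid. If all domain
-controllers fail to authenticate the user, then access is denied.
-Domain controllers can be specified by their NetBios name.
-<P>
-<B>WARNING!</B> this means that a wrong password will be attempted a number of times.
-Watch out for domain lock-out policies!
-<A NAME="squid"><H2>Squid.conf changes</H2>
-<P>
-Refer to Squid documentation for the required changes to squid.conf.
-You will need to set the following lines to enable authentication for
-your access list -
-<PRE>
-acl <I>yourACL</I> proxy_auth REQUIRED
-http_access allow password
-http_access allow <I>yourACL</I>
-http_access deny all
-</PRE>
-<P>
-You will also need to review the following directives. The number of
-msntauth children spawned is set with authenticate_children.
-The number of children needed is site-dependent, so some
-experimentation may be required to find the best number.
-There should be no visible delay in performance with Squid once
-msntauth is in use.
-Please see <A href="http://www.squid-cache.org/Doc/config/auth_param/"
->http://www.squid-cache.org/Doc/config/auth_param/</A> or your <TT>squid.conf.default</TT>
-file to check how to configure squid to make use of this helper.
-<A NAME="testing"><H2>Testing</H2>
-<P>
-I strongly urge that Msntauth is tested prior to being used in a
-production environment. It may behave differently on different platforms.
-To test it, run it from the command line, and enter username and password
-pairs separated by a space.
-<P>
-It should behave in the following way -
-<PRE>
-- Press ENTER to get an OK or ERR message.
-- Make sure pressing CTRL-D behaves the same as a carriage return.
-- Make sure pressing CTRL-C aborts the program.
-- Test that entering no details does not result in an OK or ERR message.
-- Test that entering an invalid username and password results in
-an ERR message. Note that if NT guest user access is allowed on
-the PDC, an OK message may be returned instead of ERR.
-- Test that entering an valid username and password results in an OK message.
-Try usernames which are and aren't in the denied/allowed user files,
-if they're in use.
-- Test that entering a guest username and password returns the correct response.
-</PRE>
-<P>
-If the above didn't work as expected, you may need to modify the main()
-function in msntauth.c. Inform the Squid maintainers of any problems.
-<P>
-Usernames and passwords are expected to be URL-encoded (see RFC 1738 for details)
-<A NAME="contact"><H2>Support details</H2>
-<P>
-Refer to the Squid website at http://www.squid-cache.org.
-You can submit problems or fixes using the Squid project's Bugzilla database.
-</BODY>
-</HTML>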


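--- a/src/auth/basic/SMB_LM/msntauth-v2.0.lsm
+++ b/src/auth/basic/SMB_LM/msntauth-v2.0.lsm
@@ -1,13 +0,0 @@
-Begin3
-Title: msntauth
-Version: 2.0
-Entered-date: 01SEP01
-Description: Squid web proxy NT domain authentication module
-Keywords: Squid WWW proxy SMB NT domain authentication module source
-Author: antonino@rager.com.au (Antonino Iannella)
-Maintained-by: antonino@rager.com.au (Antonino Iannella)
-Primary-site: sunsite.unc.edu /pub/Linux/system/network/misc
-msntauth-v2.0.tgz
-Original-site: http://members.tripod.com/stellarx
-Copying-policy: GPL
-End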


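--- a/src/auth/basic/SMB_LM/msntauth.cc
+++ b/src/auth/basic/SMB_LM/msntauth.cc
@@ -1,167 +0,0 @@
-/*
-* Copyright (C) 1996-2023 The Squid Software Foundation and contributors
-*
-* Squid software is distributed under GPLv2+ license and includes
-* contributions from numerous individuals and organizations.
-* Please see the COPYING and CONTRIBUTORS files for details.
-*/
-/*
-* MSNT - Microsoft Windows NT domain squid authenticator module
-* Version 2.0 by Stellar-X Pty Ltd, Antonino Iannella
-* Sun Sep 2 14:39:53 CST 2001
-*
-* Modified to act as a Squid authenticator module.
-* Removed all Pike stuff.
-* Returns OK for a successful authentication, or ERR upon error.
-*
-* Uses code from -
-* Andrew Tridgell 1997
-* Richard Sharpe 1996
-* Bill Welliver 1999
-* Duane Wessels 2000 (wessels@squid-cache.org)
-*
-* Released under GNU Public License
-*
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU General Public License as published by
-* the Free Software Foundation; either version 2 of the License, or
-* (at your option) any later version.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License
-* along with this program; if not, write to the Free Software
-* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-#include "squid.h"
-#include "rfc1738.h"
-#include "util.h"
-#include <csignal>
-#include <cstring>
-#include <iostream>
-#include <string>
-#include <vector>
-#include <syslog.h>
-#include "auth/basic/SMB_LM/msntauth.h"
-#include "auth/basic/SMB_LM/valid.h"
-static char msntauth_version[] = "Msntauth v3.0.0 (C) 2 Sep 2001 Stellar-X Antonino Iannella.\nModified by the Squid HTTP Proxy team 2002-2014";
-struct domaincontroller {
-std::string domain;
-std::string server;
-};
-typedef std::vector<domaincontroller> domaincontrollers_t;
-domaincontrollers_t domaincontrollers;
-static bool
-validate_user(char *username, char *password)
-{
-for (domaincontrollers_t::iterator dc = domaincontrollers.begin(); dc != domaincontrollers.end(); ++dc) {
-//std::cerr << "testing against " << dc->server << std::endl;
-const int rv = Valid_User(username, password, dc->server.c_str(), nullptr, dc->domain.c_str());
-//std::cerr << "check result: " << rv << std::endl;
-if (rv == NTV_NO_ERROR)
-return true;
-}
-return false;
-}
-static char instructions[] = "Usage instructions: basic_nsnt_auth <domainname>/<domaincontroller> [<domainname>/<domaincontroller> ...]";
-static void
-display_usage_instructions()
-{
-using std::endl;
-std::cerr << msntauth_version << endl << instructions << endl << endl;
-}
-// arguments: domain/server_name [domain/server_name ...]
-int
-main(int argc, char **argv)
-{
-char username[256];
-char password[256];
-char wstr[256];
-int err = 0;
-openlog("basic_smb_lm_auth", LOG_PID, LOG_USER);
-setbuf(stdout, nullptr);
-for (int j = 1; j < argc; ++j) {
-std::string arg = argv[j];
-size_t pos=arg.find('/');
-if (arg.find('/',pos+1) != std::string::npos) {
-std::cerr << "Error: can't understand domain controller specification '"
-<< arg << "'. Ignoring" << std::endl;
-}
-domaincontroller dc;
-dc.domain = arg.substr(0,pos);
-dc.server = arg.substr(pos+1);
-if (dc.domain.length() == 0 || dc.server.length() == 0) {
-std::cerr << "Error: invalid domain specification in '" << arg <<
-"'. Ignoring." << std::endl;
-exit(EXIT_FAILURE);
-}
-domaincontrollers.push_back(dc);
-}
-if (domaincontrollers.empty()) {
-display_usage_instructions();
-std::cerr << "Error: no domain controllers specified" << std::endl;
-exit(EXIT_FAILURE);
-}
-while (1) {
-int n;
-/* Read whole line from standard input. Terminate on break. */
-memset(wstr, '\0', sizeof(wstr));
-if (fgets(wstr, 255, stdin) == NULL)
-break;
-/* ignore this line if we didn't get the end-of-line marker */
-if (NULL == strchr(wstr, '\n')) {
-err = 1;
-continue;
-}
-if (err) {
-syslog(LOG_WARNING, "oversized message");
-puts("ERR");
-err = 0;
-continue;
-}
-/*
-* extract username and password.
-*/
-username[0] = '\0';
-password[0] = '\0';
-n = sscanf(wstr, "%s %[^\n]", username, password);
-if (2 != n) {
-puts("ERR");
-continue;
-}
-/* Check for invalid or blank entries */
-if ((username[0] == '\0') || (password[0] == '\0')) {
-puts("ERR");
-continue;
-}
-rfc1738_unescape(username);
-rfc1738_unescape(password);
-if (validate_user(username, password)) {
-puts("OK");
-} else {
-syslog(LOG_INFO, "'%s' login failed", username);
-puts("ERR");
-}
-err = 0;
-}
-return EXIT_SUCCESS;
-}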


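--- a/src/auth/basic/SMB_LM/msntauth.h
+++ b/src/auth/basic/SMB_LM/msntauth.h
@@ -1,16 +0,0 @@
-/*
-* Copyright (C) 1996-2023 The Squid Software Foundation and contributors
-*
-* Squid software is distributed under GPLv2+ license and includes
-* contributions from numerous individuals and organizations.
-* Please see the COPYING and CONTRIBUTORS files for details.
-*/
-#ifndef SQUID_SRC_AUTH_BASIC_SMB_LM_MSNTAUTH_H
-#define SQUID_SRC_AUTH_BASIC_SMB_LM_MSNTAUTH_H
-extern int QueryServers(char *, char *);
-extern void Check_forallowchange(void);
-#endif /* SQUID_SRC_AUTH_BASIC_SMB_LM_MSNTAUTH_H */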


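--- a/src/auth/basic/SMB_LM/required.m4
+++ b/src/auth/basic/SMB_LM/required.m4
@@ -1,14 +0,0 @@
-## Copyright (C) 1996-2023 The Squid Software Foundation and contributors
-##
-## Squid software is distributed under GPLv2+ license and includes
-## contributions from numerous individuals and organizations.
-## Please see the COPYING and CONTRIBUTORS files for details.
-##
-# DONT build this helper on Windows
-# DONT build this helper by default
-AS_IF([test "x$auto_helpers" != "xyes"],[
-BUILD_HELPER="SMB_LM"
-AC_CHECK_HEADERS([w32api/windows.h windows.h],[BUILD_HELPER=""])
-AS_IF([test "x$BUILD_HELPER" = "xSMB_LM"],[require_smblib="yes"])
-])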


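--- a/src/auth/basic/SMB_LM/valid.cc
+++ b/src/auth/basic/SMB_LM/valid.cc
@@ -1,55 +0,0 @@
-/*
-* Copyright (C) 1996-2023 The Squid Software Foundation and contributors
-*
-* Squid software is distributed under GPLv2+ license and includes
-* contributions from numerous individuals and organizations.
-* Please see the COPYING and CONTRIBUTORS files for details.
-*/
-#include "squid.h"
-#include "auth/basic/SMB_LM/valid.h"
-#include "smblib/smblib.h"
-#if HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#if HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#if HAVE_SYSLOG_H
-#include <syslog.h>
-#endif
-// BACKUP is unused
-int
-Valid_User(char *USERNAME, char *PASSWORD, const char *SERVER, char *, const char *DOMAIN)
-{
-const char *supportedDialects[] = {"PC NETWORK PROGRAM 1.0",
-"MICROSOFT NETWORKS 1.03",
-"MICROSOFT NETWORKS 3.0",
-"LANMAN1.0",
-"LM1.2X002",
-"Samba",
-"NT LM 0.12",
-"NT LANMAN 1.0",
-NULL
-};
-SMB_Handle_Type con;
-SMB_Init();
-con = SMB_Connect_Server(nullptr, SERVER, DOMAIN);
-if (con == NULL) {
-return (NTV_SERVER_ERROR);
-}
-if (SMB_Negotiate(con, supportedDialects) < 0) { /* An error */
-SMB_Discon(con, 0);
-return (NTV_PROTOCOL_ERROR);
-}
-if (SMB_Logon_Server(con, USERNAME, PASSWORD, nullptr, 0) < 0) {
-SMB_Discon(con, 0);
-return (NTV_LOGON_ERROR);
-}
-SMB_Discon(con, 0);
-return (NTV_NO_ERROR);
-}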


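--- a/src/auth/basic/SMB_LM/valid.h
+++ b/src/auth/basic/SMB_LM/valid.h
@@ -1,21 +0,0 @@
-/*
-* Copyright (C) 1996-2023 The Squid Software Foundation and contributors
-*
-* Squid software is distributed under GPLv2+ license and includes
-* contributions from numerous individuals and organizations.
-* Please see the COPYING and CONTRIBUTORS files for details.
-*/
-#ifndef SQUID_SRC_AUTH_BASIC_SMB_LM_VALID_H
-#define SQUID_SRC_AUTH_BASIC_SMB_LM_VALID_H
-/* SMB User verification function */
-#define NTV_NO_ERROR 0
-#define NTV_SERVER_ERROR 1
-#define NTV_PROTOCOL_ERROR 2
-#define NTV_LOGON_ERROR 3
-int Valid_User(char *USERNAME, char *PASSWORD, const char *SERVER, char *BACKUP, const char *DOMAIN);
-#endif /* SQUID_SRC_AUTH_BASIC_SMB_LM_VALID_H */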


@ -18,7 +18,6 @@ AS_IF([test "x$enable_auth" != "xno"],[
SQUID_CHECK_HELPER([RADIUS],[auth/basic])
SQUID_CHECK_HELPER([SASL],[auth/basic])
SQUID_CHECK_HELPER([SMB],[auth/basic])
SQUID_CHECK_HELPER([SMB_LM],[auth/basic])
SQUID_CHECK_HELPER([SSPI],[auth/basic])
SQUID_CHECK_HELPER([fake],[auth/basic])
SQUID_CHECK_HELPER([getpwnam],[auth/basic])