[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-devel
Subject:    kio_http NTLM auth problem and possible patch.
From:       Simone Gotti <simone.gotti () email ! it>
Date:       2005-06-07 15:54:56
Message-ID: 200506071754.56789.simone.gotti () email ! it
[Download RAW message or body]

Browsing a site on a customer intranet I noticed that I cannot access it via 
NTLM with konqueror but it worked well with mozilla. I tcpdumped the HTTP 
packets and noticed that the problem is that kio_http uses NTLMv2 while 
mozilla uses NTLMv1 (maybe it doesn't support v2). The v2 auth isn't 
recognized by the server and the auth fails.

The problem is that, as the TargetInfo field in the challenge string isn't 
empty, KNTLM::getAuth tries to use, without succes, NTLMv2. 
I read some docs but I didn't found a way to really check if NTLMv2 is 
supported. Forcing kntlm to use NTLMv1 (brutally commenting  the NTLMv2 code 
made it work).

I'm doing a patch for kio_http/kntlm but I'd like to do some questions on how 
the whole thing can be implemented:

1) bool KNTLM::getAuth( QByteArray &auth, const QByteArray &challenge, const 
QString &user, 
  const QString &password, const QString &domain, const QString &workstation, 
  bool forceNTLM, bool forceNTLMv2 )

With the current API you cannot force NTLMv1 instead of NTLMv2 as the 
"forceNTLM" flag means that it'll just use NTLMv1 or v2 and not simple LM or 
LMv2.

A solution without api change will be to change the line:

if ( forceNTLMv2  || !targetInfo.isEmpty() /* may support NTLMv2 */ ) {

to

if ( forceNTLMv2  ) {

But in this way if I don't set forceNTLMv2 to true, NTLMv2 or LMv2 will never 
be automatically used. 

A change to the api with an additional option like "bool dontuseNTLMv2" or 
"bool useOnlyNTLMv1" will be better.

2) kio_http:

	Make a double run, first try using NTLMv2/LMv2 (passing forceNTLMv2=true to 
KNTLM::getAuth) and if it fails use NTLMv1/LMv1. (I don't know if I can do it 
in the same http connection as keepalive is active, or in 2 separate http 
connections).


When I finished my patch I'll post and commit it (if accepted), but I'd be 
very happy to ear suggestions from people more experts than me on this side.


Bye!
-- 
Simone Gotti

KDEBluetooth developer.
 
>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<
[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic