From 8f2566c72cf10c5200c1d81996252af0eaed079b Mon Sep 17 00:00:00 2001 From: Francesco Chemolli <5175948+kinkie@users.noreply.github.com> Date: Tue, 11 Mar 2025 16:34:23 +0000 Subject: [PATCH] Remove basic_smb_lm_auth helper (#2014) This helper implementation is based on an old snapshot and adaptation of Samba code. Samba project offers a more secure and better maintained tool. --- configure.ac | 1 - doc/release-notes/release-8.sgml.in | 7 + src/auth/basic/Makefile.am | 1 - src/auth/basic/SMB_LM/Makefile.am | 27 ---- src/auth/basic/SMB_LM/README.html | 151 --------------------- src/auth/basic/SMB_LM/msntauth-v2.0.lsm | 13 -- src/auth/basic/SMB_LM/msntauth.cc | 167 ------------------------ src/auth/basic/SMB_LM/msntauth.h | 16 --- src/auth/basic/SMB_LM/required.m4 | 14 -- src/auth/basic/SMB_LM/valid.cc | 55 -------- src/auth/basic/SMB_LM/valid.h | 21 --- src/auth/basic/helpers.m4 | 1 - 12 files changed, 7 insertions(+), 467 deletions(-) delete mode 100644 src/auth/basic/SMB_LM/Makefile.am delete mode 100644 src/auth/basic/SMB_LM/README.html delete mode 100644 src/auth/basic/SMB_LM/msntauth-v2.0.lsm delete mode 100644 src/auth/basic/SMB_LM/msntauth.cc delete mode 100644 src/auth/basic/SMB_LM/msntauth.h delete mode 100755 src/auth/basic/SMB_LM/required.m4 delete mode 100644 src/auth/basic/SMB_LM/valid.cc delete mode 100644 src/auth/basic/SMB_LM/valid.h diff --git a/configure.ac b/configure.ac index 188b1d65b2..c63f92f3e9 100644 --- a/configure.ac +++ b/configure.ac @@ -2536,7 +2536,6 @@ AC_CONFIG_FILES([ src/auth/basic/RADIUS/Makefile src/auth/basic/SASL/Makefile src/auth/basic/SMB/Makefile - src/auth/basic/SMB_LM/Makefile src/auth/basic/SSPI/Makefile src/auth/digest/Makefile src/auth/digest/eDirectory/Makefile diff --git a/doc/release-notes/release-8.sgml.in b/doc/release-notes/release-8.sgml.in index f6e04241a2..7ed6b73555 100644 --- a/doc/release-notes/release-8.sgml.in +++ b/doc/release-notes/release-8.sgml.in @@ -36,6 +36,9 @@ The Squid-@SQUID_RELEASE@ change history can be

+ --enable-auth-basic= +

Removed SMB_LM helper, in favour of the ntlm_auth + alternative offered by the Samba project. + --enable-auth-ntlm=

Removed SMB_LM helper, in favour of the ntlm_auth alternative offered by the Samba project. diff --git a/src/auth/basic/Makefile.am b/src/auth/basic/Makefile.am index 54bdc47588..f004532b58 100644 --- a/src/auth/basic/Makefile.am +++ b/src/auth/basic/Makefile.am @@ -19,7 +19,6 @@ DIST_SUBDIRS = \ RADIUS \ SASL \ SMB \ - SMB_LM \ SSPI SUBDIRS = $(BASIC_AUTH_HELPERS) diff --git a/src/auth/basic/SMB_LM/Makefile.am b/src/auth/basic/SMB_LM/Makefile.am deleted file mode 100644 index 991ccbfe98..0000000000 --- a/src/auth/basic/SMB_LM/Makefile.am +++ /dev/null @@ -1,27 +0,0 @@ -## Copyright (C) 1996-2023 The Squid Software Foundation and contributors -## -## Squid software is distributed under GPLv2+ license and includes -## contributions from numerous individuals and organizations. -## Please see the COPYING and CONTRIBUTORS files for details. -## - -include $(top_srcdir)/src/Common.am - -libexec_PROGRAMS= basic_smb_lm_auth - -basic_smb_lm_auth_SOURCES = \ - msntauth.cc \ - msntauth.h \ - valid.cc \ - valid.h -basic_smb_lm_auth_LDADD= \ - $(top_builddir)/lib/smblib/libsmblib.la \ - $(top_builddir)/lib/rfcnb/librfcnb.la \ - $(top_builddir)/lib/libmiscencoding.la \ - $(COMPAT_LIB) \ - $(XTRA_LIBS) - -EXTRA_DIST= \ - msntauth-v2.0.lsm \ - README.html \ - required.m4 diff --git a/src/auth/basic/SMB_LM/README.html b/src/auth/basic/SMB_LM/README.html deleted file mode 100644 index 39aac6490f..0000000000 --- a/src/auth/basic/SMB_LM/README.html +++ /dev/null @@ -1,151 +0,0 @@ - - -MSNTAUTH readme - - - - - -

-MSNT Auth v3.0.0
-Squid web proxy NT authentication module
-Modified by the Squid HTTP Proxy team
-Original release by Antonino Iannella, Stellar-X Pty Ltd
-

- -

Introduction -
Installation -
Configuration -
Squid.conf changes -
Testing -
Support details -

- -

Introduction

- -

-This is an authentication module for the Squid proxy server -to use an NT domain server. - -

-It originates from the Samba and SMB packages by Andrew Tridgell -and Richard Sharpe. It is sourced from the Pike -authentication module by William Welliver (hwellive@intersil.com), -and the SMB 1.0.1 libraries. -Releases up to version 2.0.3 were created by Antonino Iannella -(antonino@rager.com.au, http://stellarx.tripod.com). -The module is now distributed with Squid, and is maintained by the -Squid proxy team as an Open Source effort. -Msntauth is released under the GNU General Public License. - -

-basic_msnt_auth follows the standard Squid basic authentication helper protocol. -See https://wiki.squid-cache.org/Features/AddonHelpers#basic-scheme for details. -Problems are logged to syslog. - -

-Msntauth works in environments with NT domain controllers on -Windows (TM) NT 4, 2000, and Samba. It only uses the ancient Lanman protocol, -the authenticating systems must be configured to accept it. - -

Installation

- -

-Msntauth will be compiled when you compile Squid, using -their autoconf system. -Refer to Squid documentation for details. -If the build is suitable, you can skip this section. - -

Configuration

- -

-As of version 3.0.0, a configuration file is no longer needed. -The specification of the domains and domain controllers to use is -passed as a list of arguments on the command line. - -The syntax is: -

-basic_msnt_auth domain1/domaincontroller1 [domain2/domaincontroller2 ...]
-

-An arbitrary number of domain controllers can be specified, for any number of daomains. -Domain controllers will be attempted in the same order they are configured, until -any of them successfully authenticates the user passed by squid. If all domain -controllers fail to authenticate the user, then access is denied. -Domain controllers can be specified by their NetBios name. - -

-WARNING! this means that a wrong password will be attempted a number of times. -Watch out for domain lock-out policies! - -

Squid.conf changes

- -

-Refer to Squid documentation for the required changes to squid.conf. -You will need to set the following lines to enable authentication for -your access list - - -

-  acl yourACL proxy_auth REQUIRED
-  http_access allow password
-  http_access allow yourACL
-  http_access deny all
-

- -

-You will also need to review the following directives. The number of -msntauth children spawned is set with authenticate_children. -The number of children needed is site-dependent, so some -experimentation may be required to find the best number. -There should be no visible delay in performance with Squid once -msntauth is in use. - -Please see http://www.squid-cache.org/Doc/config/auth_param/ or your squid.conf.default -file to check how to configure squid to make use of this helper. - -

Testing

- -

-I strongly urge that Msntauth is tested prior to being used in a -production environment. It may behave differently on different platforms. -To test it, run it from the command line, and enter username and password -pairs separated by a space. - -

-It should behave in the following way - -

- - Press ENTER to get an OK or ERR message.
- - Make sure pressing CTRL-D behaves the same as a carriage return.
- - Make sure pressing CTRL-C aborts the program.
- - Test that entering no details does not result in an OK or ERR message.
- - Test that entering an invalid username and password results in
-   an ERR message. Note that if NT guest user access is allowed on
-   the PDC, an OK message may be returned instead of ERR.
- - Test that entering an valid username and password results in an OK message.
-   Try usernames which are and aren't in the denied/allowed user files,
-   if they're in use.
- - Test that entering a guest username and password returns the correct response.
-

- -

-If the above didn't work as expected, you may need to modify the main() -function in msntauth.c. Inform the Squid maintainers of any problems. - -

-Usernames and passwords are expected to be URL-encoded (see RFC 1738 for details) - -

Support details

- -

-Refer to the Squid website at http://www.squid-cache.org. -You can submit problems or fixes using the Squid project's Bugzilla database. - - - diff --git a/src/auth/basic/SMB_LM/msntauth-v2.0.lsm b/src/auth/basic/SMB_LM/msntauth-v2.0.lsm deleted file mode 100644 index 91f2445b33..0000000000 --- a/src/auth/basic/SMB_LM/msntauth-v2.0.lsm +++ /dev/null @@ -1,13 +0,0 @@ -Begin3 -Title: msntauth -Version: 2.0 -Entered-date: 01SEP01 -Description: Squid web proxy NT domain authentication module -Keywords: Squid WWW proxy SMB NT domain authentication module source -Author: antonino@rager.com.au (Antonino Iannella) -Maintained-by: antonino@rager.com.au (Antonino Iannella) -Primary-site: sunsite.unc.edu /pub/Linux/system/network/misc - msntauth-v2.0.tgz -Original-site: http://members.tripod.com/stellarx -Copying-policy: GPL -End diff --git a/src/auth/basic/SMB_LM/msntauth.cc b/src/auth/basic/SMB_LM/msntauth.cc deleted file mode 100644 index dafb01d42d..0000000000 --- a/src/auth/basic/SMB_LM/msntauth.cc +++ /dev/null @@ -1,167 +0,0 @@ -/* - * Copyright (C) 1996-2023 The Squid Software Foundation and contributors - * - * Squid software is distributed under GPLv2+ license and includes - * contributions from numerous individuals and organizations. - * Please see the COPYING and CONTRIBUTORS files for details. - */ - -/* - * MSNT - Microsoft Windows NT domain squid authenticator module - * Version 2.0 by Stellar-X Pty Ltd, Antonino Iannella - * Sun Sep 2 14:39:53 CST 2001 - * - * Modified to act as a Squid authenticator module. - * Removed all Pike stuff. - * Returns OK for a successful authentication, or ERR upon error. - * - * Uses code from - - * Andrew Tridgell 1997 - * Richard Sharpe 1996 - * Bill Welliver 1999 - * Duane Wessels 2000 (wessels@squid-cache.org) - * - * Released under GNU Public License - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - */ -#include "squid.h" -#include "rfc1738.h" -#include "util.h" - -#include -#include -#include -#include -#include -#include - -#include "auth/basic/SMB_LM/msntauth.h" -#include "auth/basic/SMB_LM/valid.h" - -static char msntauth_version[] = "Msntauth v3.0.0 (C) 2 Sep 2001 Stellar-X Antonino Iannella.\nModified by the Squid HTTP Proxy team 2002-2014"; - -struct domaincontroller { - std::string domain; - std::string server; -}; -typedef std::vector domaincontrollers_t; -domaincontrollers_t domaincontrollers; - -static bool -validate_user(char *username, char *password) -{ - for (domaincontrollers_t::iterator dc = domaincontrollers.begin(); dc != domaincontrollers.end(); ++dc) { - //std::cerr << "testing against " << dc->server << std::endl; - const int rv = Valid_User(username, password, dc->server.c_str(), nullptr, dc->domain.c_str()); - //std::cerr << "check result: " << rv << std::endl; - if (rv == NTV_NO_ERROR) - return true; - } - return false; -} - -static char instructions[] = "Usage instructions: basic_nsnt_auth / [/ ...]"; -static void -display_usage_instructions() -{ - using std::endl; - std::cerr << msntauth_version << endl << instructions << endl << endl; -} - -// arguments: domain/server_name [domain/server_name ...] -int -main(int argc, char **argv) -{ - char username[256]; - char password[256]; - char wstr[256]; - int err = 0; - - openlog("basic_smb_lm_auth", LOG_PID, LOG_USER); - setbuf(stdout, nullptr); - - for (int j = 1; j < argc; ++j) { - std::string arg = argv[j]; - size_t pos=arg.find('/'); - if (arg.find('/',pos+1) != std::string::npos) { - std::cerr << "Error: can't understand domain controller specification '" - << arg << "'. Ignoring" << std::endl; - } - domaincontroller dc; - dc.domain = arg.substr(0,pos); - dc.server = arg.substr(pos+1); - if (dc.domain.length() == 0 || dc.server.length() == 0) { - std::cerr << "Error: invalid domain specification in '" << arg << - "'. Ignoring." << std::endl; - exit(EXIT_FAILURE); - } - domaincontrollers.push_back(dc); - } - if (domaincontrollers.empty()) { - display_usage_instructions(); - std::cerr << "Error: no domain controllers specified" << std::endl; - exit(EXIT_FAILURE); - } - - while (1) { - int n; - /* Read whole line from standard input. Terminate on break. */ - memset(wstr, '\0', sizeof(wstr)); - if (fgets(wstr, 255, stdin) == NULL) - break; - /* ignore this line if we didn't get the end-of-line marker */ - if (NULL == strchr(wstr, '\n')) { - err = 1; - continue; - } - if (err) { - syslog(LOG_WARNING, "oversized message"); - puts("ERR"); - err = 0; - continue; - } - - /* - * extract username and password. - */ - username[0] = '\0'; - password[0] = '\0'; - n = sscanf(wstr, "%s %[^\n]", username, password); - if (2 != n) { - puts("ERR"); - continue; - } - /* Check for invalid or blank entries */ - if ((username[0] == '\0') || (password[0] == '\0')) { - puts("ERR"); - continue; - } - - rfc1738_unescape(username); - rfc1738_unescape(password); - - if (validate_user(username, password)) { - puts("OK"); - } else { - syslog(LOG_INFO, "'%s' login failed", username); - puts("ERR"); - } - err = 0; - } - - return EXIT_SUCCESS; -} - diff --git a/src/auth/basic/SMB_LM/msntauth.h b/src/auth/basic/SMB_LM/msntauth.h deleted file mode 100644 index b4a496f906..0000000000 --- a/src/auth/basic/SMB_LM/msntauth.h +++ /dev/null @@ -1,16 +0,0 @@ -/* - * Copyright (C) 1996-2023 The Squid Software Foundation and contributors - * - * Squid software is distributed under GPLv2+ license and includes - * contributions from numerous individuals and organizations. - * Please see the COPYING and CONTRIBUTORS files for details. - */ - -#ifndef SQUID_SRC_AUTH_BASIC_SMB_LM_MSNTAUTH_H -#define SQUID_SRC_AUTH_BASIC_SMB_LM_MSNTAUTH_H - -extern int QueryServers(char *, char *); -extern void Check_forallowchange(void); - -#endif /* SQUID_SRC_AUTH_BASIC_SMB_LM_MSNTAUTH_H */ - diff --git a/src/auth/basic/SMB_LM/required.m4 b/src/auth/basic/SMB_LM/required.m4 deleted file mode 100755 index 30caa283b9..0000000000 --- a/src/auth/basic/SMB_LM/required.m4 +++ /dev/null @@ -1,14 +0,0 @@ -## Copyright (C) 1996-2023 The Squid Software Foundation and contributors -## -## Squid software is distributed under GPLv2+ license and includes -## contributions from numerous individuals and organizations. -## Please see the COPYING and CONTRIBUTORS files for details. -## - -# DONT build this helper on Windows -# DONT build this helper by default -AS_IF([test "x$auto_helpers" != "xyes"],[ - BUILD_HELPER="SMB_LM" - AC_CHECK_HEADERS([w32api/windows.h windows.h],[BUILD_HELPER=""]) - AS_IF([test "x$BUILD_HELPER" = "xSMB_LM"],[require_smblib="yes"]) -]) diff --git a/src/auth/basic/SMB_LM/valid.cc b/src/auth/basic/SMB_LM/valid.cc deleted file mode 100644 index 1aaaea918e..0000000000 --- a/src/auth/basic/SMB_LM/valid.cc +++ /dev/null @@ -1,55 +0,0 @@ -/* - * Copyright (C) 1996-2023 The Squid Software Foundation and contributors - * - * Squid software is distributed under GPLv2+ license and includes - * contributions from numerous individuals and organizations. - * Please see the COPYING and CONTRIBUTORS files for details. - */ - -#include "squid.h" -#include "auth/basic/SMB_LM/valid.h" -#include "smblib/smblib.h" - -#if HAVE_SYS_TYPES_H -#include -#endif -#if HAVE_UNISTD_H -#include -#endif -#if HAVE_SYSLOG_H -#include -#endif - -// BACKUP is unused -int -Valid_User(char *USERNAME, char *PASSWORD, const char *SERVER, char *, const char *DOMAIN) -{ - const char *supportedDialects[] = {"PC NETWORK PROGRAM 1.0", - "MICROSOFT NETWORKS 1.03", - "MICROSOFT NETWORKS 3.0", - "LANMAN1.0", - "LM1.2X002", - "Samba", - "NT LM 0.12", - "NT LANMAN 1.0", - NULL - }; - SMB_Handle_Type con; - - SMB_Init(); - con = SMB_Connect_Server(nullptr, SERVER, DOMAIN); - if (con == NULL) { - return (NTV_SERVER_ERROR); - } - if (SMB_Negotiate(con, supportedDialects) < 0) { /* An error */ - SMB_Discon(con, 0); - return (NTV_PROTOCOL_ERROR); - } - if (SMB_Logon_Server(con, USERNAME, PASSWORD, nullptr, 0) < 0) { - SMB_Discon(con, 0); - return (NTV_LOGON_ERROR); - } - SMB_Discon(con, 0); - return (NTV_NO_ERROR); -} - diff --git a/src/auth/basic/SMB_LM/valid.h b/src/auth/basic/SMB_LM/valid.h deleted file mode 100644 index bfdb009291..0000000000 --- a/src/auth/basic/SMB_LM/valid.h +++ /dev/null @@ -1,21 +0,0 @@ -/* - * Copyright (C) 1996-2023 The Squid Software Foundation and contributors - * - * Squid software is distributed under GPLv2+ license and includes - * contributions from numerous individuals and organizations. - * Please see the COPYING and CONTRIBUTORS files for details. - */ - -#ifndef SQUID_SRC_AUTH_BASIC_SMB_LM_VALID_H -#define SQUID_SRC_AUTH_BASIC_SMB_LM_VALID_H -/* SMB User verification function */ - -#define NTV_NO_ERROR 0 -#define NTV_SERVER_ERROR 1 -#define NTV_PROTOCOL_ERROR 2 -#define NTV_LOGON_ERROR 3 - -int Valid_User(char *USERNAME, char *PASSWORD, const char *SERVER, char *BACKUP, const char *DOMAIN); - -#endif /* SQUID_SRC_AUTH_BASIC_SMB_LM_VALID_H */ - diff --git a/src/auth/basic/helpers.m4 b/src/auth/basic/helpers.m4 index 8a13689732..df1585cfc3 100644 --- a/src/auth/basic/helpers.m4 +++ b/src/auth/basic/helpers.m4 @@ -18,7 +18,6 @@ AS_IF([test "x$enable_auth" != "xno"],[ SQUID_CHECK_HELPER([RADIUS],[auth/basic]) SQUID_CHECK_HELPER([SASL],[auth/basic]) SQUID_CHECK_HELPER([SMB],[auth/basic]) - SQUID_CHECK_HELPER([SMB_LM],[auth/basic]) SQUID_CHECK_HELPER([SSPI],[auth/basic]) SQUID_CHECK_HELPER([fake],[auth/basic]) SQUID_CHECK_HELPER([getpwnam],[auth/basic]) -- 2.47.2

-MSNT Auth v3.0.0 -Squid web proxy NT authentication module -Modified by the Squid HTTP Proxy team -Original release by Antonino Iannella, Stellar-X Pty Ltd -