[jcifs] authentication session concurrency

eglass1 at comcast.net eglass1 at comcast.net
Tue Oct 14 01:51:39 EST 2003

> one question that puzzles me is can jcifs be used to authenticate many
> users concurrently from the same authentication server (with a single
> threaded authentication proxy)? in the NTLM handshake a challenge is
> fetched from the Windows server and used to create a NTLM Type2Message.
> doesn't the server need the original challenge when authenticating

> clients response to the challenge message? how is state maintained
> between these two phases if two or more authentication sessions are
> being interleaved?

We do a certain amount of "kung-fu" here.  A single connection is maintained to
the SMB server; when the connection is initially made (in a NegProt handshake),
the SMB server provides a challenge (in the NegProt response).  This is used as
the challenge in the Type 2 message for NTLM authentications; the LM and NTLM
responses are extracted from the corresponding Type 3 messages, and used in
session setup requests (which are multiplexed over the single connection back
to the server).  When the connection has been inactive for a period of time,
it is dropped.  The next request that comes in initiates a reconnect to the
SMB server.

There is (arguably) a replay hole in this design; since all authentications
over the SMB connection use the same challenge, a man-in-the-middle could
sniff the LM/NTLM responses and use them to his nefarious advantage.  I say
"arguably" because:

a) After the timeout period elapses, the connection is closed and the challenge
becomes invalid.

b) Even in a scenario which doesn't reuse the challenge in this manner,
a m.i.t.m could hijack a given response and do the same thing (they just
wouldn't be able to repeat it later without hijacking another response).


More information about the jcifs mailing list