[jcifs] authentication session concurrency

eglass1 at comcast.net eglass1 at comcast.net
Tue Oct 14 01:51:39 EST 2003


> 
> one question that puzzles me is can jcifs be used to authenticate many
> users concurrently from the same authentication server (with a single
> threaded authentication proxy)? in the NTLM handshake a challenge is
> fetched from the Windows server and used to create a NTLM Type2Message.
> doesn't the server need the original challenge when authenticating
> client's response to the challenge message? how is state maintained
> between these two phases if two or more authentication sessions are
> being interleaved?
> 

We do a certain amount of "kung-fu" here.  A single connection is maintained to
the SMB server; when the connection is initially made (in a NegProt handshake),
the SMB server provides a challenge (in the NegProt response).  This is used as
the challenge in the Type 2 message for NTLM authentications; the LM and NTLM
responses are extracted from the corresponding Type 3 messages, and used in
session setup requests (which are multiplexed over the single connection back
to the server).  When the connection has been inactive for a period of time,
it is dropped.  The next request that comes in initiates a reconnect to the
SMB server.

There is (arguably) a replay hole in this design; since all authentications
over the SMB connection use the same challenge, a man-in-the-middle could
sniff the LM/NTLM responses and use them to his nefarious advantage.  I say
"arguably" because:

a) After the timeout period elapses, the connection is closed and the challenge
becomes invalid.

b) Even in a scenario which doesn't reuse the challenge in this manner,
a m.i.t.m could hijack a given response and do the same thing (they just
wouldn't be able to repeat it later without hijacking another response).


Eric
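To make the two points above concrete (state is kept per SMB connection, and a challenge reused across handshakes stays replayable until the idle timeout drops the connection), here is an added Python model. It is not jcifs code: a keyed hash stands in for the real LM/NTLM response computation, and the user names, secrets, session ids and timeout are constructed.

```python
import hashlib, hmac, os

# Constructed model of the post's design (added example, not jcifs code):
# a keyed hash stands in for the LM/NTLM response to a challenge.
def ntlm_like_response(secret: bytes, challenge: bytes) -> bytes:
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class SharedChallengeVerifier:
    """One NegProt challenge per SMB connection, reused for every Type 2
    message until the idle timeout drops the connection (as in the post)."""
    def __init__(self, secrets, idle_timeout):
        self.secrets, self.idle_timeout = secrets, idle_timeout
        self.challenge = self.last_used = None

    def type2_challenge(self, now):
        if self.challenge is None or now - self.last_used > self.idle_timeout:
            self.challenge = os.urandom(8)  # reconnect fetches a new challenge
        self.last_used = now
        return self.challenge

    def verify(self, user, response, now):
        expected = ntlm_like_response(self.secrets[user], self.type2_challenge(now))
        return hmac.compare_digest(expected, response)

class PerSessionVerifier:
    """Hardened variant: fresh challenge per handshake, keyed by session id so
    interleaved handshakes keep separate state, consumed on first use."""
    def __init__(self, secrets):
        self.secrets, self.pending = secrets, {}

    def type2_challenge(self, session_id):
        self.pending[session_id] = os.urandom(8)
        return self.pending[session_id]

    def verify(self, session_id, user, response):
        challenge = self.pending.pop(session_id, None)  # one-shot: a repeat fails
        if challenge is None:
            return False
        return hmac.compare_digest(ntlm_like_response(self.secrets[user], challenge), response)

def demo():
    secrets = {"alice": b"alice-nt-hash", "bob": b"bob-nt-hash"}  # constructed
    shared = SharedChallengeVerifier(secrets, idle_timeout=60.0)
    observed = ntlm_like_response(secrets["alice"], shared.type2_challenge(now=0.0))
    shared_results = [shared.verify("alice", observed, now=t) for t in (1.0, 30.0, 200.0)]
    fresh = PerSessionVerifier(secrets)
    ca, cb = fresh.type2_challenge("sess-a"), fresh.type2_challenge("sess-b")  # interleaved
    ra, rb = ntlm_like_response(secrets["alice"], ca), ntlm_like_response(secrets["bob"], cb)
    fresh_results = [fresh.verify("sess-b", "bob", rb), fresh.verify("sess-a", "alice", ra),
                     fresh.verify("sess-a", "alice", ra)]
    return shared_results, fresh_results
```

`demo()` returns `([True, True, False], [True, True, False])`: under the shared design the same response verifies again at t=30 but not after the timeout has forced a reconnect, while the per-session verifier accepts both interleaved handshakes and rejects the second presentation of a response.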


