[PLUG] Linux, Active Directory, and Samba

Carlos Konstanski ckonstanski at pippiandcarlos.com
Thu May 31 22:42:14 UTC 2007


> Thanks Carlos,
>
> I've implemented this solution using PHP and I'm wondering if this is
> secure.  Your solution depends on making sure the user agent sends the
> windows authorization information with the http request.  If the user uses
> Mozilla or has the Logon option turned off in Internet Explorer, they will
> be prompted for a username/password.  At this point they can enter any
> information they want and it will grab whatever they input and store it.
>
> Am I missing something?  Do I perhaps need something in an .htaccess file
> for the directory I'm wishing to authenticate?

You're not missing anything.  You should get the popup authentication
dialog box in non-IE browsers.  A user could enter anything they want in
the box.  Whether this is acceptable depends upon your level of security
need.  In an office like mine, where most people have their passwords
taped to the bottom of their keyboards, and managers have their
secretaries log onto the network and into ERP as them to do their work,
it's not such a big deal.  My company decided that they want to be secure
from external threats, but we trust our employees well enough.  The only
info we hide from employees is payroll information.  We're located in
Hailey, ID, which is a very honest place.  I haven't used my bike lock
since moving here from Eugene, and I don't even know if I am in possession
of a key for my house!  Security paranoia is not my strong suit.

You could always hand the username/password to an ASP or .NET script
running on an IIS server.  This would let you use native Windows tools to
validate the username/password against AD.  This is not as good as
Kerberos, of course, because there is no ticket, and no 5 minute window.
If you do this, you don't want to pass the username and password in the
request.  I always insert the username/password into a table, using the
sessionid as a unique key.  I pass only the sessionid to the next page.
The next page looks up the username/password from the table with this key.
This makes it impossible to find out a username/password by sniffing the
web traffic.

If your enterprise has an authenticating web proxy, the user will have to
use valid credentials to authenticate to it when they make their first
page request.  This will set the NTLM header with valid data.  By the time
they get to your page, they will have already been through this step, and
the NTLM header will be valid.

Even in IE, a hacker could forge the NTLM header.  As you can see
yourself, it is not encrypted, merely obfuscated.  If this is not secure
enough, do not use my method.
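To see concretely what the last point means, here is an added example (mine, not code from Carlos's post or from the PHP solution the thread discusses) that builds and decodes the NTLM messages a browser puts in the Authorization header. The Type 3 (AUTHENTICATE) message carries the domain, user name and workstation as plain UTF-16LE strings wrapped in base64; only the two 24-byte response fields depend on the password, and checking those requires handing the challenge and response to a domain controller, which a script that merely reads the name out of the header never does. The user "jsmith", domain "CORP", workstation "WS01" and the 24-byte response bytes are constructed sample values, not a real challenge response, and all function names are my own.

```python
"""Decode and forge the NTLM Authorization header a browser sends (added example)."""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001   # payload strings are UTF-16LE when set
NEGOTIATE_NTLM = 0x00000200


def _security_buffer(buf: bytes, at: int) -> bytes:
    """Resolve a (Len, MaxLen, Offset) descriptor at `at` to the payload bytes it points to."""
    length, _max_length, offset = struct.unpack_from("<HHI", buf, at)
    return buf[offset:offset + length]


def build_type1(flags: int = NEGOTIATE_UNICODE | NEGOTIATE_NTLM) -> bytes:
    """NEGOTIATE (Type 1): signature, type, flags and two empty descriptors (32 bytes)."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags) + struct.pack("<HHI", 0, 0, 32) * 2


def build_type3(user: str, domain: str, workstation: str, nt_response: bytes,
                lm_response: bytes = b"\x00" * 24) -> bytes:
    """AUTHENTICATE (Type 3) with the 64-byte fixed header (no Version/MIC fields).

    Descriptor order: LM response, NT response, domain, user, workstation, session
    key, then the negotiate flags. Only the two responses depend on the password;
    the three name fields are whatever the client chose to send.
    """
    flags = NEGOTIATE_UNICODE | NEGOTIATE_NTLM
    items = [lm_response, nt_response, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    header_len = 64
    header = NTLMSSP_SIGNATURE + struct.pack("<I", 3)
    payload = b""
    for item in items:
        header += struct.pack("<HHI", len(item), len(item), header_len + len(payload))
        payload += item
    header += struct.pack("<I", flags)
    return header + payload


def encode_header(msg: bytes) -> str:
    """Wrap a raw NTLM message the way a browser does: 'Authorization: NTLM <base64>'."""
    return "NTLM " + base64.b64encode(msg).decode("ascii")


def make_header(user: str, domain: str, workstation: str, nt_response: bytes) -> str:
    """Convenience: a complete Type 3 header value for the given (unverified) identity."""
    return encode_header(build_type3(user, domain, workstation, nt_response))


def parse_authorization_header(value: str) -> dict:
    """Decode the header. Base64 is all that hides the names from anyone reading the wire."""
    scheme, _, b64 = value.partition(" ")
    if scheme != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(b64)
    if msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != 3:
        # Type 1 carries no identity at all; the browser sends it before the challenge.
        return {"type": msg_type}
    if len(msg) < 64:
        raise ValueError("Type 3 message too short")
    flags = struct.unpack_from("<I", msg, 60)[0]
    # Without the Unicode flag the strings are in the OEM code page; latin-1 is an approximation.
    encoding = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    return {
        "type": 3,
        "domain": _security_buffer(msg, 28).decode(encoding),
        "user": _security_buffer(msg, 36).decode(encoding),
        "workstation": _security_buffer(msg, 44).decode(encoding),
        "lm_response": _security_buffer(msg, 12),
        "nt_response": _security_buffer(msg, 20),
    }


if __name__ == "__main__":
    # Constructed sample: the 24-byte response is a placeholder, not a real challenge response.
    genuine = make_header("jsmith", "CORP", "WS01", bytes(range(24)))
    print(parse_authorization_header(genuine))
    # Anyone who can write an HTTP request can send any name. The response bytes would
    # fail validation at the domain controller, but a script that only reads the name
    # out of the header never asks the DC, so it accepts the forged identity.
    forged = make_header("administrator", "CORP", "WS01", b"\x00" * 24)
    print(parse_authorization_header(forged)["user"])
```

The takeaway for the PHP approach in the thread: the user name you read out of the header is a claim, not a proof. Treat it as authenticated only after the NT response has been validated against the challenge by a domain controller (which is what IIS integrated authentication or an authenticating proxy does on your behalf), and never as a substitute for that step.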



