
No Actual Authentication?

Open Wardrop opened this issue 12 years ago • 11 comments

By the looks of it, all this code is doing is getting the username out of the NTLM request and verifying its existence in an LDAP directory. There is no actual authentication - anyone can spoof a username over ldap, in fact any browser that prompts for a username will allow a user to "authenticate" as anyone they want.

Am I missing something?

Wardrop avatar Mar 16 '12 05:03 Wardrop

Authorization is still very useful.

skull-squadron avatar Apr 06 '12 08:04 skull-squadron

Confirming the issue. No authentication is performed. All this gem does is confirm that the user (who the client claims to be) exists in AD.

@Wardrop Were you able to find some other gem to perform single sign on with active directory users?

@steakknife This gem doesn't provide any kind of authorization. Neither in theory nor in practice. I think you got this term mixed up.

amw avatar Apr 26 '12 15:04 amw

@amw No, I didn't find any other gem that performs actual authentication. I decided to go down the path of letting Apache handle NTLM authentication before deciding to postpone implementing single sign-on for the project I was working on.

Wardrop avatar Apr 26 '12 23:04 Wardrop

Just for information, I got a decent setup in which the whole authentication is handled by IIS. Adapting from these instructions I got IIS to act as a reverse proxy for a Rails server (thin, webrick, whatever…) on a *nix machine (a Mac with Pow! in development).

Here's the iirf.ini file that I used for development:

# NOTE: This file should be placed in the IIS document root for the application


# Put the following line in the Windows etc/hosts file
# 
#   172.18.27.252 intranet.dev
# 

StatusInquiry ON
RewriteLogLevel 3
RewriteLog ..\..\TEMP\iirf
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^.*$ - [L]
ProxyPass ^/(.*)$ http://intranet.dev:80/$1
ProxyPassReverse / http://intranet.dev/

# Disable HTTPS
# 
#   RewriteCond %{HTTPS} on
#   RewriteHeader X_FORWARDED_PROTO ^$ https
# 

With this setup you can rely on the fact that the authentication is performed by IIS and you only get authenticated requests containing a Type-1 ntlm message (or Type-3, I'm not completely sure about this). I also removed rack-ntlm and kept only net-ntlm and used it to extract the username this way:

require 'kconv'
require 'net/ntlm'

# The Authorization header carries the base64-encoded NTLM message after
# the "NTLM " (or "Negotiate ") scheme name.
if /^(NTLM|Negotiate) (.+)/ =~ env["HTTP_AUTHORIZATION"]
  encoded_message = $2
  message = Net::NTLM::Message.decode64(encoded_message)
  # `user` is a field of a Type-3 message; a Type-1 message carries no username.
  # The name is UTF-16LE in the message, so it is converted before use.
  user = Net::NTLM::decode_utf16le(message.user)
end

elia avatar May 08 '12 08:05 elia
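To make the point of this thread concrete, here is an added example (not from the thread or from the rack-ntlm gem) that parses a Type-3 message with plain Ruby `String#unpack` instead of net-ntlm, so the layout is visible: the user, domain and workstation are just client-supplied strings, and the NT response field is the only part a domain controller could actually verify against its challenge. `build_type3` only constructs a sample message for the parser; it does not compute a real NTLM response, and the names and field layout follow MS-NLMP.

```ruby
require "base64"

# NTLM Type-3 (AUTHENTICATE_MESSAGE) header per MS-NLMP: 8-byte signature,
# 4-byte message type, six "security buffers" of Len(2) MaxLen(2) Offset(4)
# (little-endian), then 4 bytes of flags. In this minimal form (no Version
# or MIC fields) the payload the buffers point into starts at byte 64.
NTLMSSP_SIGNATURE = "NTLMSSP\0".b
TYPE3_BUFFERS = %i[lm_response nt_response domain user workstation session_key].freeze
TYPE3_HEADER_LEN = 64

# Build a minimal Type-3 message (constructed test input only). The NT
# response is whatever the caller passes in; nothing here computes a real one.
def build_type3(user:, domain:, workstation:, nt_response:, lm_response: "".b)
  utf16 = ->(s) { s.encode("UTF-16LE").b }
  values = [lm_response.b, nt_response.b, utf16[domain], utf16[user], utf16[workstation], "".b]
  buffers = "".b
  payload = "".b
  values.each do |v|
    buffers << [v.bytesize, v.bytesize, TYPE3_HEADER_LEN + payload.bytesize].pack("vvV")
    payload << v
  end
  flags = 0x00000001 | 0x00000200 # NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM
  Base64.strict_encode64(NTLMSSP_SIGNATURE + [3].pack("V") + buffers + [flags].pack("V") + payload)
end

# Parse the base64 value that follows "NTLM " in an Authorization header.
# Every returned field is client-supplied. Only nt_response, checked by a
# domain controller against the challenge it issued, proves the identity;
# extracting :user alone proves nothing, which is what this issue is about.
def parse_type3(b64)
  raw = Base64.strict_decode64(b64)
  raise ArgumentError, "not an NTLMSSP message" unless raw.byteslice(0, 8) == NTLMSSP_SIGNATURE
  raise ArgumentError, "not a Type-3 message" unless raw.byteslice(8, 4).unpack1("V") == 3
  fields = {}
  TYPE3_BUFFERS.each_with_index do |name, i|
    len, _max, off = raw.byteslice(12 + 8 * i, 8).unpack("vvV")
    # Bounds-check: a malformed buffer can point outside the message.
    raise ArgumentError, "buffer #{name} out of range" if off + len > raw.bytesize
    fields[name] = raw.byteslice(off, len)
  end
  utf8 = ->(b) { b.dup.force_encoding("UTF-16LE").encode("UTF-8") }
  {
    user: utf8[fields[:user]], domain: utf8[fields[:domain]],
    workstation: utf8[fields[:workstation]],
    nt_response: fields[:nt_response], lm_response: fields[:lm_response],
    # true only means a response is present to verify, not that it is valid
    proof_present: !fields[:nt_response].empty?
  }
end
```

A middleware that stops at `parse_type3(...)[:user]` is in exactly the position the thread describes; the `nt_response` bytes still have to be validated by the domain controller (or by a front end such as IIS that does so) before the name can be trusted.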

+1 awesome for the follow-up. :cake:

skull-squadron avatar May 08 '12 11:05 skull-squadron

@lukefx can we close this?

elia avatar May 11 '12 10:05 elia

I don't think we should. It should stay wide open as a warning and guide to other developers. I would go as far as suggesting to modify the project's README to say that this gem is broken and that your application will be unsecured if you decide to use it in production.

amw avatar May 11 '12 10:05 amw

@amw you're right, fixing the README is the real issue.

elia avatar May 11 '12 11:05 elia

:-)

Well, that's not what I meant, but if no one is going to commit a real fix then it's the least we can do.

amw avatar May 11 '12 11:05 amw

OK guys, sorry for the long-awaited response. I'm full time on a project, but I've created a branch and I'm trying to fix the authentication.

lukefx avatar May 11 '12 14:05 lukefx

Hi!

Years after, is there still a way to do authentication in this way?

rhuanbarreto avatar May 23 '19 12:05 rhuanbarreto