stub-ntlm-helper 0.0.1
- data/.gitignore +2 -0
- data/Gemfile +3 -0
- data/LICENSE +13 -0
- data/README.md +13 -0
- data/Rakefile +5 -0
- data/bin/stub-ntlm-helper +40 -0
- data/lib/stub-ntlm-helper.rb +114 -0
- data/spec/challenge_spec.rb +31 -0
- data/stub-ntlm-helper.gemspec +29 -0
- metadata +127 -0
data/.gitignore
ADDED
data/Gemfile
ADDED
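--- a/data/LICENSE
+++ b/data/LICENSE
@@ -0,0 +1,13 @@
+Copyright 2011 ThoughtWorks, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.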
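--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,13 @@
+# stub-ntlm-helper
+
+## Storytime
+
+Using Apache or Squid or whatever with NTLM? Ever had Active Directory arbitrarily hate winbind?
+
+I feel for you.
+
+Sometimes, passwords and security and Kerberos just don't matter.
+
+## What is this?
+
+This is a stub `ntlm_helper`. It **always** authenticates.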
data/Rakefile
ADDED
@@ -0,0 +1,40 @@
|
|
1
|
+
#!/usr/bin/env ruby
|
2
|
+
|
3
|
+
$LOAD_PATH.unshift File.expand_path('../../lib', __FILE__)
|
4
|
+
|
5
|
+
require 'stub-ntlm-helper'
|
6
|
+
|
7
|
+
YR = /YR/
|
8
|
+
KK = /KK ([0-9A-Za-z=+\/]+)$/
|
9
|
+
|
10
|
+
$<.each do |line|
|
11
|
+
if line =~ YR
|
12
|
+
challenge = NTLM::Challenge.new
|
13
|
+
|
14
|
+
[
|
15
|
+
:negotiate_ntlm,
|
16
|
+
:negotiate_extended_security,
|
17
|
+
|
18
|
+
# I wish so much I could say :negotiate_unicode here.
|
19
|
+
#
|
20
|
+
# But, Windows uses UCS-8LE and third-party clients (curl, Firefox,
|
21
|
+
# etc.) use UTF-8. And there's no reliable way to determine which
|
22
|
+
# encoding was used. So, instead, we default to OEM, which is close
|
23
|
+
# enough to ASCII, which is close enough to UTF-8, and just pass
|
24
|
+
# through the value directly to Apache/Squid/whoever.
|
25
|
+
#
|
26
|
+
# Let them deal with codepage compatibility. They brought it on
|
27
|
+
# themselves.
|
28
|
+
:negotiate_oem,
|
29
|
+
].each { |f| challenge.flags[f] = 1 }
|
30
|
+
|
31
|
+
puts "TT " + challenge.encode
|
32
|
+
elsif line =~ KK
|
33
|
+
authenticate = NTLM::Authenticate.decode $1
|
34
|
+
puts "AF #{authenticate.username}"
|
35
|
+
else
|
36
|
+
puts "BH #{line}"
|
37
|
+
end
|
38
|
+
|
39
|
+
$stdout.flush
|
40
|
+
end
|
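Review bot: `YR = /YR/` is unanchored and is tested before `KK`, so a `KK` line whose base64 blob happens to contain the letters `YR` is answered with a fresh `TT` challenge instead of being decoded; both patterns should start with `\A`. The `KK` branch then prints `AF` with a name read out of the client's own message and never checked against any credential, so the identity handed to Apache/Squid is client-asserted, and it is interpolated into the reply without rejecting control characters. `NTLM::Authenticate.decode` is not wrapped in a `rescue`, so a message that fails the `check_value` constraints would presumably end the helper loop rather than produce a `BH` reply. The page labels this section data/Rakefile, but the 40-line count matches bin/stub-ntlm-helper in the file list.

```ruby
YR = /\AYR\b/
KK = /\AKK ([0-9A-Za-z=+\/]+)$/

# … unchanged: loop header and the YR branch that prints "TT …" …
  elsif line =~ KK
    begin
      name = NTLM::Authenticate.decode($1).username
      # The name is client-asserted; keep it from breaking the line protocol.
      if name =~ /[\x00-\x1f\x7f]/
        puts "BH invalid user name"
      else
        puts "AF #{name}"
      end
    rescue StandardError => e
      puts "BH #{e.class}"
    end
# … unchanged: BH fallback, $stdout.flush, end of loop …
```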
@@ -0,0 +1,114 @@
|
|
1
|
+
require 'base64'
|
2
|
+
require 'bindata'
|
3
|
+
|
4
|
+
# With help from:
|
5
|
+
#
|
6
|
+
# ruby-ntlm: https://github.com/macks/ruby-ntlm/blob/master/lib/ntlm/message.rb
|
7
|
+
# davenport: http://davenport.sourceforge.net/ntlm.html
|
8
|
+
# squid: http://devel.squid-cache.org/ntlm/squid_helper_protocol.html
|
9
|
+
|
10
|
+
module NTLM
|
11
|
+
SSP_SIGNATURE = 'NTLMSSP'
|
12
|
+
|
13
|
+
module Serializer
|
14
|
+
module ClassMethods
|
15
|
+
def decode b64
|
16
|
+
self.new.tap { |r| r.read Base64.decode64(b64) }
|
17
|
+
end
|
18
|
+
end
|
19
|
+
|
20
|
+
def self.included klass
|
21
|
+
klass.extend ClassMethods
|
22
|
+
end
|
23
|
+
|
24
|
+
def encode
|
25
|
+
Base64.encode64(to_binary_s).tr "\n", ""
|
26
|
+
end
|
27
|
+
end
|
28
|
+
|
29
|
+
class SecurityBuffer < BinData::Record
|
30
|
+
endian :little
|
31
|
+
|
32
|
+
int16 :uzunluk # Length
|
33
|
+
int16 :reserved
|
34
|
+
int32 :siktir # "Offset"
|
35
|
+
|
36
|
+
def value
|
37
|
+
parent.to_binary_s[siktir ... (siktir + uzunluk)]
|
38
|
+
end
|
39
|
+
end
|
40
|
+
|
41
|
+
class Flags < BinData::Record
|
42
|
+
# D
|
43
|
+
bit1 :negotiate_lm_key # LAN Manager session key computation
|
44
|
+
bit1 :negotiate_datagram # Connectionless authentication
|
45
|
+
bit1 :negotiate_seal # Session key negotiation for message confidentiality
|
46
|
+
bit1 :negotiate_sign # Session key negotiation for message signatures
|
47
|
+
bit1 :unused10
|
48
|
+
bit1 :request_target # TargetName is supplied in challenge message
|
49
|
+
bit1 :negotiate_oem # OEM character set encoding
|
50
|
+
bit1 :negotiate_unicode # Unicode character set encoding
|
51
|
+
|
52
|
+
# C
|
53
|
+
bit1 :negotiate_always_sign
|
54
|
+
bit1 :unused7
|
55
|
+
bit1 :oem_workstation_supplied # Workstations field is present
|
56
|
+
bit1 :oem_domain_supplied # Domain field is present
|
57
|
+
bit1 :anonymous # Anonymous connection
|
58
|
+
bit1 :unused8
|
59
|
+
bit1 :negotiate_ntlm # NTLM v1 protocol
|
60
|
+
bit1 :unused9
|
61
|
+
|
62
|
+
# B
|
63
|
+
bit1 :negotiate_target_info # Requests TargetInfo
|
64
|
+
bit1 :request_non_nt_session_key # LM session key is used
|
65
|
+
bit1 :unused5
|
66
|
+
bit1 :negotiate_identify # Requests identify level token
|
67
|
+
bit1 :negotiate_extended_security # NTLM v2 session security
|
68
|
+
bit1 :unused6
|
69
|
+
bit1 :target_type_server # TargetName is server name
|
70
|
+
bit1 :target_type_domain # TargetName is domain name
|
71
|
+
|
72
|
+
# A
|
73
|
+
bit1 :negotiate_56 # 56bit encryption
|
74
|
+
bit1 :negotiate_key_exch # Explicit key exchange
|
75
|
+
bit1 :negotiate_128 # 128bit encryption
|
76
|
+
bit1 :unused1
|
77
|
+
bit1 :unused2
|
78
|
+
bit1 :unused3
|
79
|
+
bit1 :negotiate_version # Version field is present
|
80
|
+
bit1 :unused4
|
81
|
+
end
|
82
|
+
|
83
|
+
class Challenge < BinData::Record
|
84
|
+
include Serializer
|
85
|
+
|
86
|
+
endian :little
|
87
|
+
|
88
|
+
stringz :signature, :value => SSP_SIGNATURE, :check_value => SSP_SIGNATURE
|
89
|
+
int32 :message_type, :value => 2, :check_value => 2
|
90
|
+
security_buffer :target_name
|
91
|
+
flags :flags
|
92
|
+
string :challenge, :length => 8
|
93
|
+
array :data, :type => :int8, :read_until => :eof
|
94
|
+
end
|
95
|
+
|
96
|
+
class Authenticate < BinData::Record
|
97
|
+
include Serializer
|
98
|
+
|
99
|
+
endian :little
|
100
|
+
|
101
|
+
stringz :signature, :check_value => SSP_SIGNATURE
|
102
|
+
int32 :message_type, :check_value => 3
|
103
|
+
security_buffer :lm_response
|
104
|
+
security_buffer :ntlm_response
|
105
|
+
security_buffer :target_name
|
106
|
+
security_buffer :user_name
|
107
|
+
security_buffer :workstation_name
|
108
|
+
array :data, :type => :int8, :read_until => :eof
|
109
|
+
|
110
|
+
def username
|
111
|
+
"#{target_name.value}+#{user_name.value}"
|
112
|
+
end
|
113
|
+
end
|
114
|
+
end
|
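Review bot: `SecurityBuffer#value` slices the message with a length and offset taken straight from the client's type-3 message, declared as signed `int16`/`int32` and never compared with the message size. A negative offset would index from the end of the string and an out-of-range one returns `nil`, which `Authenticate#username` silently interpolates as an empty name. Declaring the fields unsigned and rejecting a buffer that does not lie inside the message closes that gap; the caller then has to turn the error into a `BH` reply. Separately, `Challenge` never assigns the 8-byte `challenge` field, so it appears every `TT` message carries the same default bytes, and the two non-English field names would read better as `buffer_length` and `buffer_offset`.

```ruby
class SecurityBuffer < BinData::Record
  # … unchanged: endian :little …

  uint16 :buffer_length
  uint16 :reserved
  uint32 :buffer_offset

  def value
    raw = parent.to_binary_s
    # Refuse buffers that point outside the message instead of returning nil.
    if buffer_offset + buffer_length > raw.bytesize
      raise ArgumentError, 'security buffer outside message'
    end
    raw[buffer_offset, buffer_length]
  end
end
```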
@@ -0,0 +1,31 @@
|
|
1
|
+
require 'stub-ntlm-helper'
|
2
|
+
|
3
|
+
describe NTLM::Challenge do
|
4
|
+
context "a minimal type 2 message" do
|
5
|
+
let(:minimal_type_2_message) { 'TlRMTVNTUAACAAAAAAAAAAAAAAACAgAAASNFZ4mrze8=' }
|
6
|
+
|
7
|
+
subject { NTLM::Challenge.decode minimal_type_2_message }
|
8
|
+
|
9
|
+
[:negotiate_ntlm, :negotiate_oem].each do |f|
|
10
|
+
it "#{f} flag should be true" do
|
11
|
+
subject.flags[f].should == 1
|
12
|
+
end
|
13
|
+
end
|
14
|
+
|
15
|
+
[
|
16
|
+
:negotiate_lm_key, :negotiate_datagram, :negotiate_seal,
|
17
|
+
:negotiate_sign, :unused10, :request_target, :negotiate_unicode,
|
18
|
+
:negotiate_always_sign, :unused7, :oem_workstation_supplied,
|
19
|
+
:oem_domain_supplied, :anonymous, :unused8, :unused9,
|
20
|
+
:negotiate_target_info, :request_non_nt_session_key, :unused5,
|
21
|
+
:negotiate_identify, :negotiate_extended_security, :unused6,
|
22
|
+
:target_type_server, :target_type_domain, :negotiate_56,
|
23
|
+
:negotiate_key_exch, :negotiate_128, :unused1, :unused2, :unused3,
|
24
|
+
:negotiate_version, :unused4
|
25
|
+
].each do |f|
|
26
|
+
it "#{f} flag should be false" do
|
27
|
+
subject.flags[f].should == 0
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
31
|
+
end
|
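Review bot: Only `NTLM::Challenge.decode` is exercised here; `NTLM::Authenticate.decode` and `SecurityBuffer#value`, which parse the client-supplied type-3 message, have no example. A second `describe NTLM::Authenticate do` block with one well-formed message and one whose `user_name` buffer points past the end of the message would pin how the helper treats malformed input.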
@@ -0,0 +1,29 @@
|
|
1
|
+
# -*- encoding: utf-8 -*-
|
2
|
+
Gem::Specification.new do |s|
|
3
|
+
s.name = 'stub-ntlm-helper'
|
4
|
+
s.version = '0.0.1'
|
5
|
+
s.platform = Gem::Platform::RUBY
|
6
|
+
s.authors = ['Scott Robinson', 'Mustafa Sezgin']
|
7
|
+
s.email = ['sr@thoughtworks.com', 'msezgin@thoughtworks.com']
|
8
|
+
s.summary = 'This is a stub ntlm_helper. It always authenticates.'
|
9
|
+
s.description = <<-EOF
|
10
|
+
Using Apache or Squid or whatever with NTLM? Ever had Active Directory arbitrarily hate winbind?
|
11
|
+
|
12
|
+
I feel for you.
|
13
|
+
|
14
|
+
Sometimes, passwords and security and Kerberos just don't matter.
|
15
|
+
|
16
|
+
This is a stub ntlm_helper. It always authenticates.
|
17
|
+
EOF
|
18
|
+
s.homepage = 'https://github.com/offshore-safety/stub-ntlm-helper'
|
19
|
+
|
20
|
+
s.files = `git ls-files`.split "\n"
|
21
|
+
s.test_files = `git ls-files -- {test,spec,features}/*`.split "\n"
|
22
|
+
s.executables = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
|
23
|
+
s.require_paths = ['lib']
|
24
|
+
|
25
|
+
s.add_development_dependency 'rspec'
|
26
|
+
s.add_development_dependency 'rake'
|
27
|
+
|
28
|
+
s.add_dependency 'bindata'
|
29
|
+
end
|
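Review bot: `s.add_dependency 'bindata'` has no version constraint, so the parser that handles client-supplied NTLM messages resolves to whatever bindata release is newest at install time; a constraint such as `s.add_dependency 'bindata', '~> <tested-version>'` (placeholder) would keep the record DSL the library relies on stable. The gemspec also sets no license although the package ships an Apache 2.0 LICENSE file; `s.license = 'Apache-2.0'` would record it.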
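--- a/metadata
+++ b/metadata
@@ -0,0 +1,127 @@
+--- !ruby/object:Gem::Specification
+name: stub-ntlm-helper
+version: !ruby/object:Gem::Version
+hash: 29
+prerelease:
+segments:
+- 0
+- 0
+- 1
+version: 0.0.1
+platform: ruby
+authors:
+- Scott Robinson
+- Mustafa Sezgin
+autorequire:
+bindir: bin
+cert_chain: []
+
+date: 2011-11-22 00:00:00 +11:00
+default_executable:
+dependencies:
+- !ruby/object:Gem::Dependency
+name: rspec
+prerelease: false
+requirement: &id001 !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+hash: 3
+segments:
+- 0
+version: "0"
+type: :development
+version_requirements: *id001
+- !ruby/object:Gem::Dependency
+name: rake
+prerelease: false
+requirement: &id002 !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+hash: 3
+segments:
+- 0
+version: "0"
+type: :development
+version_requirements: *id002
+- !ruby/object:Gem::Dependency
+name: bindata
+prerelease: false
+requirement: &id003 !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+hash: 3
+segments:
+- 0
+version: "0"
+type: :runtime
+version_requirements: *id003
+description: |
+Using Apache or Squid or whatever with NTLM? Ever had Active Directory arbitrarily hate winbind?
+
+I feel for you.
+
+Sometimes, passwords and security and Kerberos just don't matter.
+
+This is a stub ntlm_helper. It always authenticates.
+
+email:
+- sr@thoughtworks.com
+- msezgin@thoughtworks.com
+executables:
+- stub-ntlm-helper
+extensions: []
+
+extra_rdoc_files: []
+
+files:
+- .gitignore
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- bin/stub-ntlm-helper
+- lib/stub-ntlm-helper.rb
+- spec/challenge_spec.rb
+- stub-ntlm-helper.gemspec
+has_rdoc: true
+homepage: https://github.com/offshore-safety/stub-ntlm-helper
+licenses: []
+
+post_install_message:
+rdoc_options: []
+
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+hash: 3
+segments:
+- 0
+version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+hash: 3
+segments:
+- 0
+version: "0"
+requirements: []
+
+rubyforge_project:
+rubygems_version: 1.6.2
+signing_key:
+specification_version: 3
+summary: This is a stub ntlm_helper. It always authenticates.
+test_files:
+- spec/challenge_spec.rb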