stub-ntlm-helper 0.0.1
Sign up to get free protection for your applications and to get access to all the features.
- data/.gitignore +2 -0
- data/Gemfile +3 -0
- data/LICENSE +13 -0
- data/README.md +13 -0
- data/Rakefile +5 -0
- data/bin/stub-ntlm-helper +40 -0
- data/lib/stub-ntlm-helper.rb +114 -0
- data/spec/challenge_spec.rb +31 -0
- data/stub-ntlm-helper.gemspec +29 -0
- metadata +127 -0
data/.gitignore
ADDED
data/Gemfile
ADDED
data/LICENSE
ADDED
@@ -0,0 +1,13 @@
|
|
1
|
+
Copyright 2011 ThoughtWorks, Inc.
|
2
|
+
|
3
|
+
Licensed under the Apache License, Version 2.0 (the "License");
|
4
|
+
you may not use this file except in compliance with the License.
|
5
|
+
You may obtain a copy of the License at
|
6
|
+
|
7
|
+
http://www.apache.org/licenses/LICENSE-2.0
|
8
|
+
|
9
|
+
Unless required by applicable law or agreed to in writing, software
|
10
|
+
distributed under the License is distributed on an "AS IS" BASIS,
|
11
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
12
|
+
See the License for the specific language governing permissions and
|
13
|
+
limitations under the License.
|
data/README.md
ADDED
@@ -0,0 +1,13 @@
|
|
1
|
+
# stub-ntlm-helper
|
2
|
+
|
3
|
+
## Storytime
|
4
|
+
|
5
|
+
Using Apache or Squid or whatever with NTLM? Ever had Active Directory arbitrarily hate winbind?
|
6
|
+
|
7
|
+
I feel for you.
|
8
|
+
|
9
|
+
Sometimes, passwords and security and Kerberos just don't matter.
|
10
|
+
|
11
|
+
## What is this?
|
12
|
+
|
13
|
+
This is a stub `ntlm_helper`. It **always** authenticates.
|
data/Rakefile
ADDED
@@ -0,0 +1,40 @@
|
|
1
|
+
#!/usr/bin/env ruby
|
2
|
+
|
3
|
+
$LOAD_PATH.unshift File.expand_path('../../lib', __FILE__)
|
4
|
+
|
5
|
+
require 'stub-ntlm-helper'
|
6
|
+
|
7
|
+
YR = /YR/
|
8
|
+
KK = /KK ([0-9A-Za-z=+\/]+)$/
|
9
|
+
|
10
|
+
$<.each do |line|
|
11
|
+
if line =~ YR
|
12
|
+
challenge = NTLM::Challenge.new
|
13
|
+
|
14
|
+
[
|
15
|
+
:negotiate_ntlm,
|
16
|
+
:negotiate_extended_security,
|
17
|
+
|
18
|
+
# I wish so much I could say :negotiate_unicode here.
|
19
|
+
#
|
20
|
+
# But, Windows uses UCS-8LE and third-party clients (curl, Firefox,
|
21
|
+
# etc.) use UTF-8. And there's no reliable way to determine which
|
22
|
+
# encoding was used. So, instead, we default to OEM, which is close
|
23
|
+
# enough to ASCII, which is close enough to UTF-8, and just pass
|
24
|
+
# through the value directly to Apache/Squid/whoever.
|
25
|
+
#
|
26
|
+
# Let them deal with codepage compatibility. They brought it on
|
27
|
+
# themselves.
|
28
|
+
:negotiate_oem,
|
29
|
+
].each { |f| challenge.flags[f] = 1 }
|
30
|
+
|
31
|
+
puts "TT " + challenge.encode
|
32
|
+
elsif line =~ KK
|
33
|
+
authenticate = NTLM::Authenticate.decode $1
|
34
|
+
puts "AF #{authenticate.username}"
|
35
|
+
else
|
36
|
+
puts "BH #{line}"
|
37
|
+
end
|
38
|
+
|
39
|
+
$stdout.flush
|
40
|
+
end
|
@@ -0,0 +1,114 @@
|
|
1
|
+
require 'base64'
|
2
|
+
require 'bindata'
|
3
|
+
|
4
|
+
# With help from:
|
5
|
+
#
|
6
|
+
# ruby-ntlm: https://github.com/macks/ruby-ntlm/blob/master/lib/ntlm/message.rb
|
7
|
+
# davenport: http://davenport.sourceforge.net/ntlm.html
|
8
|
+
# squid: http://devel.squid-cache.org/ntlm/squid_helper_protocol.html
|
9
|
+
|
10
|
+
module NTLM
|
11
|
+
SSP_SIGNATURE = 'NTLMSSP'
|
12
|
+
|
13
|
+
module Serializer
|
14
|
+
module ClassMethods
|
15
|
+
def decode b64
|
16
|
+
self.new.tap { |r| r.read Base64.decode64(b64) }
|
17
|
+
end
|
18
|
+
end
|
19
|
+
|
20
|
+
def self.included klass
|
21
|
+
klass.extend ClassMethods
|
22
|
+
end
|
23
|
+
|
24
|
+
def encode
|
25
|
+
Base64.encode64(to_binary_s).tr "\n", ""
|
26
|
+
end
|
27
|
+
end
|
28
|
+
|
29
|
+
class SecurityBuffer < BinData::Record
|
30
|
+
endian :little
|
31
|
+
|
32
|
+
int16 :uzunluk # Length
|
33
|
+
int16 :reserved
|
34
|
+
int32 :siktir # "Offset"
|
35
|
+
|
36
|
+
def value
|
37
|
+
parent.to_binary_s[siktir ... (siktir + uzunluk)]
|
38
|
+
end
|
39
|
+
end
|
40
|
+
|
41
|
+
class Flags < BinData::Record
|
42
|
+
# D
|
43
|
+
bit1 :negotiate_lm_key # LAN Manager session key computation
|
44
|
+
bit1 :negotiate_datagram # Connectionless authentication
|
45
|
+
bit1 :negotiate_seal # Session key negotiation for message confidentiality
|
46
|
+
bit1 :negotiate_sign # Session key negotiation for message signatures
|
47
|
+
bit1 :unused10
|
48
|
+
bit1 :request_target # TargetName is supplied in challenge message
|
49
|
+
bit1 :negotiate_oem # OEM character set encoding
|
50
|
+
bit1 :negotiate_unicode # Unicode character set encoding
|
51
|
+
|
52
|
+
# C
|
53
|
+
bit1 :negotiate_always_sign
|
54
|
+
bit1 :unused7
|
55
|
+
bit1 :oem_workstation_supplied # Workstations field is present
|
56
|
+
bit1 :oem_domain_supplied # Domain field is present
|
57
|
+
bit1 :anonymous # Anonymous connection
|
58
|
+
bit1 :unused8
|
59
|
+
bit1 :negotiate_ntlm # NTLM v1 protocol
|
60
|
+
bit1 :unused9
|
61
|
+
|
62
|
+
# B
|
63
|
+
bit1 :negotiate_target_info # Requests TargetInfo
|
64
|
+
bit1 :request_non_nt_session_key # LM session key is used
|
65
|
+
bit1 :unused5
|
66
|
+
bit1 :negotiate_identify # Requests identify level token
|
67
|
+
bit1 :negotiate_extended_security # NTLM v2 session security
|
68
|
+
bit1 :unused6
|
69
|
+
bit1 :target_type_server # TargetName is server name
|
70
|
+
bit1 :target_type_domain # TargetName is domain name
|
71
|
+
|
72
|
+
# A
|
73
|
+
bit1 :negotiate_56 # 56bit encryption
|
74
|
+
bit1 :negotiate_key_exch # Explicit key exchange
|
75
|
+
bit1 :negotiate_128 # 128bit encryption
|
76
|
+
bit1 :unused1
|
77
|
+
bit1 :unused2
|
78
|
+
bit1 :unused3
|
79
|
+
bit1 :negotiate_version # Version field is present
|
80
|
+
bit1 :unused4
|
81
|
+
end
|
82
|
+
|
83
|
+
class Challenge < BinData::Record
|
84
|
+
include Serializer
|
85
|
+
|
86
|
+
endian :little
|
87
|
+
|
88
|
+
stringz :signature, :value => SSP_SIGNATURE, :check_value => SSP_SIGNATURE
|
89
|
+
int32 :message_type, :value => 2, :check_value => 2
|
90
|
+
security_buffer :target_name
|
91
|
+
flags :flags
|
92
|
+
string :challenge, :length => 8
|
93
|
+
array :data, :type => :int8, :read_until => :eof
|
94
|
+
end
|
95
|
+
|
96
|
+
class Authenticate < BinData::Record
|
97
|
+
include Serializer
|
98
|
+
|
99
|
+
endian :little
|
100
|
+
|
101
|
+
stringz :signature, :check_value => SSP_SIGNATURE
|
102
|
+
int32 :message_type, :check_value => 3
|
103
|
+
security_buffer :lm_response
|
104
|
+
security_buffer :ntlm_response
|
105
|
+
security_buffer :target_name
|
106
|
+
security_buffer :user_name
|
107
|
+
security_buffer :workstation_name
|
108
|
+
array :data, :type => :int8, :read_until => :eof
|
109
|
+
|
110
|
+
def username
|
111
|
+
"#{target_name.value}+#{user_name.value}"
|
112
|
+
end
|
113
|
+
end
|
114
|
+
end
|
@@ -0,0 +1,31 @@
|
|
1
|
+
require 'stub-ntlm-helper'
|
2
|
+
|
3
|
+
describe NTLM::Challenge do
|
4
|
+
context "a minimal type 2 message" do
|
5
|
+
let(:minimal_type_2_message) { 'TlRMTVNTUAACAAAAAAAAAAAAAAACAgAAASNFZ4mrze8=' }
|
6
|
+
|
7
|
+
subject { NTLM::Challenge.decode minimal_type_2_message }
|
8
|
+
|
9
|
+
[:negotiate_ntlm, :negotiate_oem].each do |f|
|
10
|
+
it "#{f} flag should be true" do
|
11
|
+
subject.flags[f].should == 1
|
12
|
+
end
|
13
|
+
end
|
14
|
+
|
15
|
+
[
|
16
|
+
:negotiate_lm_key, :negotiate_datagram, :negotiate_seal,
|
17
|
+
:negotiate_sign, :unused10, :request_target, :negotiate_unicode,
|
18
|
+
:negotiate_always_sign, :unused7, :oem_workstation_supplied,
|
19
|
+
:oem_domain_supplied, :anonymous, :unused8, :unused9,
|
20
|
+
:negotiate_target_info, :request_non_nt_session_key, :unused5,
|
21
|
+
:negotiate_identify, :negotiate_extended_security, :unused6,
|
22
|
+
:target_type_server, :target_type_domain, :negotiate_56,
|
23
|
+
:negotiate_key_exch, :negotiate_128, :unused1, :unused2, :unused3,
|
24
|
+
:negotiate_version, :unused4
|
25
|
+
].each do |f|
|
26
|
+
it "#{f} flag should be false" do
|
27
|
+
subject.flags[f].should == 0
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
31
|
+
end
|
@@ -0,0 +1,29 @@
|
|
1
|
+
# -*- encoding: utf-8 -*-
|
2
|
+
Gem::Specification.new do |s|
|
3
|
+
s.name = 'stub-ntlm-helper'
|
4
|
+
s.version = '0.0.1'
|
5
|
+
s.platform = Gem::Platform::RUBY
|
6
|
+
s.authors = ['Scott Robinson', 'Mustafa Sezgin']
|
7
|
+
s.email = ['sr@thoughtworks.com', 'msezgin@thoughtworks.com']
|
8
|
+
s.summary = 'This is a stub ntlm_helper. It always authenticates.'
|
9
|
+
s.description = <<-EOF
|
10
|
+
Using Apache or Squid or whatever with NTLM? Ever had Active Directory arbitrarily hate winbind?
|
11
|
+
|
12
|
+
I feel for you.
|
13
|
+
|
14
|
+
Sometimes, passwords and security and Kerberos just don't matter.
|
15
|
+
|
16
|
+
This is a stub ntlm_helper. It always authenticates.
|
17
|
+
EOF
|
18
|
+
s.homepage = 'https://github.com/offshore-safety/stub-ntlm-helper'
|
19
|
+
|
20
|
+
s.files = `git ls-files`.split "\n"
|
21
|
+
s.test_files = `git ls-files -- {test,spec,features}/*`.split "\n"
|
22
|
+
s.executables = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
|
23
|
+
s.require_paths = ['lib']
|
24
|
+
|
25
|
+
s.add_development_dependency 'rspec'
|
26
|
+
s.add_development_dependency 'rake'
|
27
|
+
|
28
|
+
s.add_dependency 'bindata'
|
29
|
+
end
|
metadata
ADDED
@@ -0,0 +1,127 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: stub-ntlm-helper
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
hash: 29
|
5
|
+
prerelease:
|
6
|
+
segments:
|
7
|
+
- 0
|
8
|
+
- 0
|
9
|
+
- 1
|
10
|
+
version: 0.0.1
|
11
|
+
platform: ruby
|
12
|
+
authors:
|
13
|
+
- Scott Robinson
|
14
|
+
- Mustafa Sezgin
|
15
|
+
autorequire:
|
16
|
+
bindir: bin
|
17
|
+
cert_chain: []
|
18
|
+
|
19
|
+
date: 2011-11-22 00:00:00 +11:00
|
20
|
+
default_executable:
|
21
|
+
dependencies:
|
22
|
+
- !ruby/object:Gem::Dependency
|
23
|
+
name: rspec
|
24
|
+
prerelease: false
|
25
|
+
requirement: &id001 !ruby/object:Gem::Requirement
|
26
|
+
none: false
|
27
|
+
requirements:
|
28
|
+
- - ">="
|
29
|
+
- !ruby/object:Gem::Version
|
30
|
+
hash: 3
|
31
|
+
segments:
|
32
|
+
- 0
|
33
|
+
version: "0"
|
34
|
+
type: :development
|
35
|
+
version_requirements: *id001
|
36
|
+
- !ruby/object:Gem::Dependency
|
37
|
+
name: rake
|
38
|
+
prerelease: false
|
39
|
+
requirement: &id002 !ruby/object:Gem::Requirement
|
40
|
+
none: false
|
41
|
+
requirements:
|
42
|
+
- - ">="
|
43
|
+
- !ruby/object:Gem::Version
|
44
|
+
hash: 3
|
45
|
+
segments:
|
46
|
+
- 0
|
47
|
+
version: "0"
|
48
|
+
type: :development
|
49
|
+
version_requirements: *id002
|
50
|
+
- !ruby/object:Gem::Dependency
|
51
|
+
name: bindata
|
52
|
+
prerelease: false
|
53
|
+
requirement: &id003 !ruby/object:Gem::Requirement
|
54
|
+
none: false
|
55
|
+
requirements:
|
56
|
+
- - ">="
|
57
|
+
- !ruby/object:Gem::Version
|
58
|
+
hash: 3
|
59
|
+
segments:
|
60
|
+
- 0
|
61
|
+
version: "0"
|
62
|
+
type: :runtime
|
63
|
+
version_requirements: *id003
|
64
|
+
description: |
|
65
|
+
Using Apache or Squid or whatever with NTLM? Ever had Active Directory arbitrarily hate winbind?
|
66
|
+
|
67
|
+
I feel for you.
|
68
|
+
|
69
|
+
Sometimes, passwords and security and Kerberos just don't matter.
|
70
|
+
|
71
|
+
This is a stub ntlm_helper. It always authenticates.
|
72
|
+
|
73
|
+
email:
|
74
|
+
- sr@thoughtworks.com
|
75
|
+
- msezgin@thoughtworks.com
|
76
|
+
executables:
|
77
|
+
- stub-ntlm-helper
|
78
|
+
extensions: []
|
79
|
+
|
80
|
+
extra_rdoc_files: []
|
81
|
+
|
82
|
+
files:
|
83
|
+
- .gitignore
|
84
|
+
- Gemfile
|
85
|
+
- LICENSE
|
86
|
+
- README.md
|
87
|
+
- Rakefile
|
88
|
+
- bin/stub-ntlm-helper
|
89
|
+
- lib/stub-ntlm-helper.rb
|
90
|
+
- spec/challenge_spec.rb
|
91
|
+
- stub-ntlm-helper.gemspec
|
92
|
+
has_rdoc: true
|
93
|
+
homepage: https://github.com/offshore-safety/stub-ntlm-helper
|
94
|
+
licenses: []
|
95
|
+
|
96
|
+
post_install_message:
|
97
|
+
rdoc_options: []
|
98
|
+
|
99
|
+
require_paths:
|
100
|
+
- lib
|
101
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
102
|
+
none: false
|
103
|
+
requirements:
|
104
|
+
- - ">="
|
105
|
+
- !ruby/object:Gem::Version
|
106
|
+
hash: 3
|
107
|
+
segments:
|
108
|
+
- 0
|
109
|
+
version: "0"
|
110
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
111
|
+
none: false
|
112
|
+
requirements:
|
113
|
+
- - ">="
|
114
|
+
- !ruby/object:Gem::Version
|
115
|
+
hash: 3
|
116
|
+
segments:
|
117
|
+
- 0
|
118
|
+
version: "0"
|
119
|
+
requirements: []
|
120
|
+
|
121
|
+
rubyforge_project:
|
122
|
+
rubygems_version: 1.6.2
|
123
|
+
signing_key:
|
124
|
+
specification_version: 3
|
125
|
+
summary: This is a stub ntlm_helper. It always authenticates.
|
126
|
+
test_files:
|
127
|
+
- spec/challenge_spec.rb
|