Re: PATCH: Proxy Authentication patches

From: Arjan de Vet <Arjan.deVet@dont-contact.us>
Date: Thu, 6 May 1999 23:15:15 +0200 (CEST)

In article <3731E923.5684DC3E@hem.passagen.se> you write:

>> AUTH_WITH_IP:
>> Pass three arguments to the authenticator instead of two. The first is
>> now the source-ip address of the client (second and third are the
>> username and password as usual). Squid's authentication caching is
>> disabled if this is selected.
>
>Please make that as an additional third argument. No fun having
>different authentication modules for different builds of Squid..

The problem with making it a third argument is that you cannot have
spaces in your password anymore. The initial design I made assumes that
everything after the first space is the password, so you cannot have
more fields without breaking compatibility.

>Not sure I like this too much. I agree that it may be useful, but far
>more useful in a general perspective is to have the authenticator return
>a message to the user telling them why the password was not OK. Also,
>extending the protocol with an additional return code "DENY" might be a
>good idea, to allow the authenticator to return access denial message to
>the client without asking for authentication.
>
>Changing the logged username might be useful in conjunction with this,
>but I would prefer to see it done with some kind of magic key, like
>USER:<whitespace terminated string>.

What could be useful is making the authentication programs accept multi-line
requests (one item per line) and send multi-line responses. Example:

    command: authenticate
    username: myname
    password: sec ret password
    ipaddress: 1.2.3.4

possible responses:

    result: allow
    username: nickname # alternate name to be logged

    result: deny
    reason: password mismatch for user myname

This would be more flexible because external programs can ignore query
keywords they don't understand and squid can ignore response keywords it
doesn't understand.

Maybe redirectors can use the same scheme:

    command: redirect
    url: http://www.company.com/
    ipaddress: 1.2.3.4
    fqdn: myhost.company.com
    ident: me
    method: GET

    result: no-change

    result: redirect
    url: http://www.other.com/

This way external redirector and authentication programs become
instances of one general scheme of helper programs (maybe dnsserver can
participate too).
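As an added illustration, not Arjan's code and not part of Squid, here is a minimal authenticator helper that speaks the multi-line request/response scheme proposed above. The blank-line block terminator, the constructed credential table and the alias table are assumptions of the example.

```python
import hmac
import sys
from itertools import chain

# Constructed sample data for this example only; a real helper would consult a
# password file, PAM or a directory. ALIASES maps a login to the name to log.
USERS = {"myname": "sec ret password"}
ALIASES = {"myname": "nickname"}

def parse_request(lines):
    # Split on the first ':' only, so 'sec ret password' survives; unknown keys are kept.
    fields = {}
    for line in lines:
        key, sep, value = line.rstrip("\n").partition(":")
        if not sep:
            raise ValueError(f"malformed request line: {line!r}")
        fields[key.strip().lower()] = value.strip()
    return fields

def handle_request(req):
    # Decide on one parsed request; the dict's key order is the response order.
    if req.get("command") != "authenticate":
        return {"result": "error", "reason": f"unknown command {req.get('command')}"}
    user = req.get("username", "")
    expected = USERS.get(user)
    # Constant-time comparison so a mismatch does not leak how much matched.
    if expected is not None and hmac.compare_digest(
        expected.encode(), req.get("password", "").encode()
    ):
        return {"result": "allow", "username": ALIASES.get(user, user)}
    return {"result": "deny", "reason": f"password mismatch for user {user}"}

def format_response(resp):
    # One 'key: value' line per field, block terminated by a blank line.
    return "".join(f"{k}: {v}\n" for k, v in resp.items()) + "\n"

def serve(stream_in, stream_out):
    # Answer each blank-line-terminated block; the "" sentinel flushes one cut off by EOF.
    handled, block = 0, []
    for line in chain(stream_in, [""]):
        if line.strip():
            block.append(line)
        elif block:
            stream_out.write(format_response(handle_request(parse_request(block))))
            stream_out.flush()
            handled, block = handled + 1, []
    return handled

if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Because only the first colon separates key from value, the password with embedded spaces from the request example above comes through unchanged, which is exactly what the positional "third argument" design could not guarantee.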

Arjan
Received on Tue Jul 29 2003 - 13:15:58 MDT