Re: separate storage for RFC931 and proxy-auth user names

From: Robert Collins <robert.collins@dont-contact.us>
Date: Thu, 9 Nov 2000 20:35:14 +1100

----- Original Message -----
From: "Henrik Nordstrom" <hno@hem.passagen.se>
To: "Robert Collins" <robert.collins@itdomain.com.au>
Cc: <squid-dev@squid-cache.org>
Sent: Thursday, November 09, 2000 8:17 PM
Subject: Re: separate storage for RFC931 and proxy-auth user names

> The first way is intentional
>
> a) The request structure should be filled in with the available fields.
> You should not use ident to tell if the proxy_auth username should be
> filled in or not.

That was the prior case: I was keeping the logic intact. Let's not test then -
we have just got the user we simply perform the copy?

> b) The selection between ident or proxy_auth username is done in
> redirect.c and access_log.c. The preferred priority is: proxy_auth,
> ident, "-".
>
>
> Having two fields in the redirector and access log is overkill I think,
> and has implications on all software making use of these...
>
> /Henrik

There are some problems:
* What if I am trying to hack the system - do you want the attempted
username or the ident username? That's what the test in acl.c was for.
* I am trying to hack the system and I have a broken Ident server that returns
"Administrator" (or whatever) all the time. I then try all the usernames I
can think of using basic authentication. Squid has no time-delay between
failed logins at the moment (yet another wish-list item)....

I think two fields are needed for access.log _because_ it's our audit trail.
Think one is ok for the redirector because it only sees requests with valid
auth_user accounts, falling back to ident.

Rob
Received on Thu Nov 09 2000 - 02:29:29 MST
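
The audit-trail argument in the message above, as an added example that is not part of the original thread and not Squid code: it contrasts the one-field selection (proxy_auth, ident, "-") with what a log keeping both names lets a reviewer detect. The record layout, the sample records, the function names and the threshold of three names are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed records (hypothetical layout, not Squid's access.log format):
# (client_ip, ident_user, attempted_proxy_auth_user, http_status)
RECORDS = [
    ("192.0.2.10", "Administrator", "alice", 407),
    ("192.0.2.10", "Administrator", "bob", 407),
    ("192.0.2.10", "Administrator", "carol", 407),
    ("192.0.2.10", "Administrator", "dave", 200),
    ("192.0.2.20", "erin", "erin", 200),
    ("192.0.2.20", "erin", "erin", 407),
    ("192.0.2.30", "frank", None, 200),
]


def single_field_user(ident, proxy_auth):
    """One-field view using the priority from the thread: proxy_auth, ident, "-"."""
    return proxy_auth or ident or "-"


def guessing_suspects(records, min_names=3):
    """Return {(client, ident): sorted attempted names} where one client/ident
    pair was denied (407) under at least min_names different proxy_auth names."""
    denied = defaultdict(set)
    for client, ident, proxy_auth, status in records:
        if status == 407 and proxy_auth:
            denied[(client, ident or "-")].add(proxy_auth)
    return {k: sorted(v) for k, v in denied.items() if len(v) >= min_names}


def ident_auth_mismatches(records):
    """Accepted requests whose ident name differs from the authenticated name;
    a one-field log would show only the proxy_auth name here."""
    return [
        (client, ident, proxy_auth)
        for client, ident, proxy_auth, status in records
        if status != 407 and ident and proxy_auth and ident != proxy_auth
    ]


if __name__ == "__main__":
    for rec in RECORDS:
        print(rec[0], single_field_user(rec[1], rec[2]), rec[3])
    print(guessing_suspects(RECORDS))
    print(ident_auth_mismatches(RECORDS))
```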

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:12:57 MST