Re: [SQU] Credentials forwarding?

From: Robert Collins <robert.collins@dont-contact.us>
Date: Wed, 10 Jan 2001 02:21:10 +1100

----- Original Message -----
From: "Henrik Nordstrom" <hno@hem.passagen.se>
To: "Chemolli Francesco (USI)" <ChemolliF@GruppoCredit.it>
Cc: <squid-dev@squid-cache.org>
Sent: Wednesday, January 10, 2001 1:50 AM
Subject: Re: [SQU] Credentials forwarding?

> Chemolli Francesco (USI) wrote:
>
> > Now for the hard part, who will code this? :-)
>
> Done, tested and committed.
>
> Should work for authenticated "ntlm" users as well.
>
> Regarding the auth cache issue: I do still regard that as a minor issue
> which the benefits from using a well known HTTP mechanism far
> outweigh. And I think it can easily be fixed by adding a structure to
> the usernames. For example user@something, and then only use the
> "something" part for the cache and helper.

I'm not quite sure I follow on the user@something... could you elaborate?

The auth_cache isn't an issue - just a minor resource waste. What I do consider an issue is the fact that
a) it's replayable (I know - broken record)
b) the upstream cache's own authentication mechanism gets trodden all over. The point being that we're not doing proxy
authentication here, we're doing name passing.
Just using Proxy-Auth, the upstream cache has potential namespace collisions (yes, appending -mycacheid to the username can fix that,
login=*@cache1.com:password for example) AND cannot easily simultaneously authenticate the actual proxy and other users (i.e. they
have a RADIUS based authenticator that all their local users use; they have to code a special case to detect and authenticate the
overloaded proxy case). And we're still extending RFC 2616 - without addressing the core issue.

> And regarding the replay issue: This is an issue with the login= option
> in general, and can be addressed by using some better scheme (for
> example digest). Please note that proxy-authentication is by definition
> hop-by-hop.

Yes I agree. I sat down and thought it through (see my large email).
Received on Tue Jan 09 2001 - 08:10:04 MST
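As an added illustration, not code from this thread or from Squid itself, the name-passing scheme being debated can be modelled in a few lines of Python: the downstream proxy forwards its client's username, suffixed as in `login=*@cache1.com:password`, inside a Basic `Proxy-Authorization` header, and the upstream splits the suffix off so forwarded names cannot collide with its own local users. The suffix handling, the `DOWNSTREAM_SECRETS` table and all usernames are assumptions constructed for the example.

```python
import base64
import hmac

# Constructed table of trusted downstream caches and the fixed password each
# one sends (the part after ':' in login=*@cache1.com:password). Assumed, not Squid's.
DOWNSTREAM_SECRETS = {"cache1.com": "password"}


def build_basic_proxy_auth(user, password):
    """Encode user:password as a Basic Proxy-Authorization header value."""
    creds = f"{user}:{password}".encode()
    return "Basic " + base64.b64encode(creds).decode()


def build_forwarded_proxy_auth(client_user, cache_id, shared_password):
    """Model of login=*@<cache_id>:<password> on the downstream proxy:
    the authenticated client's name is namespaced with the cache id and
    sent upstream with one shared password. Note the output is identical
    for every request, which is exactly the replay property discussed."""
    if ":" in client_user or "@" in client_user:
        raise ValueError("client username must not contain ':' or '@'")
    return build_basic_proxy_auth(f"{client_user}@{cache_id}", shared_password)


def parse_basic_proxy_auth(header):
    """Split a Basic Proxy-Authorization header into (username, password)."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("only Basic is modelled here")
    user, sep, password = base64.b64decode(blob).decode().partition(":")
    if not sep:
        raise ValueError("malformed Basic credentials")
    return user, password


def classify_upstream_login(header):
    """Upstream view: return (kind, username). 'forwarded' means the header
    came from a known downstream cache (only the part after '@' is checked
    against the shared secret); anything else is treated as a local user."""
    user, password = parse_basic_proxy_auth(header)
    local_part, at, cache_id = user.rpartition("@")
    secret = DOWNSTREAM_SECRETS.get(cache_id) if at else None
    if secret is not None and hmac.compare_digest(secret, password):
        return "forwarded", local_part
    return "local", user
```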
