Re: Authentication: Time and Monetary contributions

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Mon, 02 Apr 2007 15:16:27 +0200

Sat 2007-03-31 at 12:27 -0500, Stefan Adams wrote:

> 1) I understand that a browser asks a user for authentication because
> the proxy server instructs the browser that it needs credentials. My
> idea is to provide a server-side caching option within squid that
> would only ask the browser for credentials periodically. This would
> be similar to having server-side authentication options turned on and
> off frequently. When the cache is expired or empty, authentication
> would be turned on and the browser would be asked for credentials.
> While there is data in the cache, authentication would be turned off
> and the browser would not be asked for credentials.

Hmm.. haven't I published my small project doing this for NTLM? Looking,
apparently not. Fixing that..

Will be available on devel.squid-cache.org tomorrow after the next web
site update. Until then you can browse the branch at
http://devel.squid-cache.org/changesets/squid2/ntlm_ip_cache/

> independent. IP addresses are of course easily spoofed, but perhaps
> some counter-tricks could be devised. As a last resort, simply
> providing this as a feature and noting its weaknesses would be highly
> valuable, I think.

IP is thankfully not easily spoofed, but may be shared by multiple users
in some situations (child proxy or multi-user station/server).

> 2) I am interested in the IDENT mechanism for authentication. However,
> there are very few good ident applications in existence and worse,
> these applications need to be installed on every client PC. Worst, of
> course, is the ease of spoofability. I would like to propose a twist
> on the ident method. A new feature could be that instead of squid
> asking the client machine who that individual is (which is unreliable
> at best), squid should ask a server. What server would know who is
> using the machine?

This is supported via the external acl mechanism.

The last question, "What server to ask?" is left open as there is no
standard such server. Such servers exist in a number of environments,
but each being a bit different..

> In the case of a windows PC, a domain controller
> (Samba or ADS). Surely a method could be devised that squid could ask
> a Samba server who is logged in on a particular IP address.

A windows DC doesn't keep that close track of its clients. At most it
can keep track of the users who authenticated using this DC, not any
other DC in the domain. But usually it doesn't even keep track of that..

Regards
Henrik
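The "ask a server who is on this IP" idea from point 2 maps onto Squid's external acl mechanism as a helper that receives the client address (%SRC) and answers OK or ERR. The script below is an added illustration, not code from Squid or from Henrik's branch; the IP-to-user table is a constructed stand-in for whatever site-specific login registry would really be queried, and the helper is assumed to run without concurrency. It would be wired in with something like `external_acl_type ipuser ttl=300 negative_ttl=60 %SRC /usr/local/bin/ipuser-helper.py`, `acl ipuser_ok external ipuser`, `http_access allow ipuser_ok`, where the ttl gives the periodic re-check Stefan asked for in point 1. Addresses known to be shared (a child proxy, a multi-user server) are refused outright, since a lookup there cannot name one person.

```python
import sys

# Constructed stand-in for "the server that knows who is logged in where".
# A real deployment would query a site-specific login registry instead.
IP_TO_USER = {
    "192.0.2.10": "alice",
    "192.0.2.11": "bob",
}

# Constructed list of addresses shared by several users (child proxy,
# terminal server). One IP there is many people, so never vouch for it.
SHARED_ADDRESSES = {"192.0.2.200"}


def lookup(line):
    """Answer one external_acl_type request line whose format is %SRC.

    Returns the reply Squid expects: "OK user=<name>" when the address maps
    to exactly one user, otherwise "ERR". The user= tag is what Squid records
    as the user name for that request.
    """
    fields = line.strip().split()
    if not fields:
        return "ERR"
    src = fields[0]
    if src in SHARED_ADDRESSES:
        return "ERR"
    user = IP_TO_USER.get(src)
    if user is None:
        return "ERR"
    return "OK user=%s" % user


def main():
    # Squid writes one request per line and waits for one reply line back,
    # so every reply must be flushed immediately or requests will stall.
    for line in sys.stdin:
        sys.stdout.write(lookup(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Squid caches each answer for ttl (or negative_ttl) seconds per key, so the lookup server is asked only periodically, and a user moving to a shared address stops being recognised once the positive entry expires.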

Received on Mon Apr 02 2007 - 07:16:33 MDT
