Patch to authenticate securely to upstream ISA server (or others)

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sat, 1 Aug 2009 16:41:26 +0100

In some setups the upstream proxy requires a secure authentication method
(Negotiate, NTLM). The attached patches (2.7 and 3.0) allow this with
Negotiate.

Regards
Markus

Instructions

1) Add attached patch
2) Recreate configure e.g.
rm -f config.cache
rm -f acconfig.h
aclocal
autoconf
# acconfig
autoheader
automake -a
3) run configure; make
4) Configure Kerberos with AD as kdc
5) Create a keytab with an AD user (This will be the user for authenticating
squid to the ISA server) as follows
#ktutil
ktutil: addent -password -p markus@WINDOWS2003.HOME -k 1 -e rc4-hmac
Password for markus@WINDOWS2003.HOME:
ktutil: wkt mm.keytab
ktutil: quit
6) Set the keytab environment variable in the squid startup file with:
 export KRB5_KTNAME=FILE:/etc/squid/mm.keytab
7) Add a line to squid.conf like
cache_peer isa.windows2003.home parent 8080 0 proxy-only no-query
login=NEGOTIATE
8) Control parent access via never_direct or similar
never_direct allow all

Create a keytab for a user:

MIT

#ktutil
ktutil: addent -password -p markus@SUSE.HOME -k 1 -e rc4-hmac
Password for markus@SUSE.HOME:
ktutil: wkt mm.keytab
ktutil: quit

Heimdal

#ktutil -k mm_heim.keytab add
Principal: markus@SUSE.HOME
Encryption type: arcfour-hmac-md5
Key version: 1
Password:
Verifying password - Password:
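As an added example (not part of the attached patch or of squid itself), a small POSIX sh script that checks the end state of steps 5 to 8 above and of the keytab creation just shown: the keytab is readable only by its owner (it holds the AD user's long-term key, which is password equivalent), KRB5_KTNAME points at it in the FILE: form, and squid.conf carries both the login=NEGOTIATE parent and a never_direct allow rule so requests cannot bypass the authenticated parent. The file paths in the usage comment are assumptions.

```shell
# Added example, not from the patch: sanity checks for the
# cache_peer login=NEGOTIATE setup. Paths are assumptions.

check_keytab_perms() {
    # The keytab holds the AD user's long-term key (password
    # equivalent), so group and world bits must all be off.
    kt="$1"
    [ -f "$kt" ] || { echo "FAIL: keytab $kt not found"; return 1; }
    mode=$(ls -l "$kt" | cut -c5-10)   # group+other permission bits
    [ "$mode" = "------" ] \
        || { echo "FAIL: $kt is group/world accessible ($mode)"; return 1; }
}

check_squid_conf() {
    # login=NEGOTIATE on the parent only helps if traffic is actually
    # forced through that parent, hence the never_direct rule (step 8).
    conf="$1"
    grep -Eq '^[[:space:]]*cache_peer[[:space:]]+.*[[:space:]]login=NEGOTIATE' "$conf" \
        || { echo "FAIL: no cache_peer with login=NEGOTIATE in $conf"; return 1; }
    grep -Eq '^[[:space:]]*never_direct[[:space:]]+allow' "$conf" \
        || { echo "FAIL: no never_direct allow rule in $conf"; return 1; }
}

check_ktname() {
    # KRB5_KTNAME must be FILE:/abs/path to an existing keytab (step 6).
    case "${KRB5_KTNAME-}" in
        FILE:/*) [ -f "${KRB5_KTNAME#FILE:}" ] && return 0 ;;
    esac
    echo "FAIL: KRB5_KTNAME is not FILE:/absolute/path to an existing keytab"
    return 1
}

run_checks() {
    # Usage: run_checks /etc/squid/squid.conf /etc/squid/mm.keytab
    # Returns the number of failed checks (0 = setup looks consistent).
    failures=0
    check_squid_conf "$1"   || failures=$((failures + 1))
    check_keytab_perms "$2" || failures=$((failures + 1))
    check_ktname            || failures=$((failures + 1))
    return "$failures"
}
```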

Regards
Markus

Received on Sat Aug 01 2009 - 15:41:48 MDT
