On Thu, 19 Jun 1997, Mark Lachniet wrote:
> Any developments in having a RADIUS auth module written? I am still very
> interested..
>
While I'm also interested, I think we might have come up with a way
to implement RADIUS-based acl-type restrictions. Hopefully, no one
will point out glaring errors in this (but that's what this list is
here for, yes? :^)
I'm thinking of these entries in my squid.conf:

acl nowtime time "/usr/local/squid/etc/nowtime"
acl ISPprmt src "/usr/local/squid/etc/ISPprmt"
http_access allow localhosts
http_access allow ISPprmt nowtime
http_access deny all

-nowtime-
F 09:42-10:42

-ISPprmt-
206.231.166.171/255.255.255.255
etc. ...
The file "nowtime" is updated by a HTML form (that auths against
our RADIUS server), "ISPprmt" is also updated at the same time and
contains the source IP address and squid is HUP'd to force a read
of the new configuration. A cron'd job can check the modification
date/time of "nowtime" ... if over an hour old, both "nowtime" and
"ISPprmt" are /dev/null'd.
The HTML form is returned when users are denied access, so that
they can extend their access or start a new session easily.
A potential exploit is a user who accesses and has their access
extended by a later user (who updated nowtime and ISPprmt) as I've
no easy way to timestamp entries in ISPprmt (I could add bogus IPs
in the 10.x.x.x where the last three octets are a timestamp, but
is it *really* necessary?).
Anyone see a huge hole I've missed? Does this have possibilities
as a jiffy hack-implementation of RADIUS/squid authentication??
andrew. (brennan@auhs.edu)
"Have you changed your domain name today?"
Received on Thu Jun 19 1997 - 12:42:27 MDT
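Added example, not part of the original message or of squid itself: the scheme above keeps one global "nowtime" window and one "ISPprmt" address list, so a later form submission re-opens the window for every address already listed. The script below shows the alternative the message only alludes to, a per-address expiry kept in a separate state file (here called ISPprmt.state, an assumed name), from which the plain "ISPprmt" src file that squid reads is regenerated on each form submission and on each cron tick. The directory /usr/local/squid/etc and the one-hour lifetime are taken from the message; the state-file format, function names and the sample contents are constructed for this example.

```python
"""Per-address session expiry for a squid 'src' ACL file (added example).

State file (assumed format, one entry per line):  <ip> <expiry-epoch-seconds>
ACL file (what squid reads, as in the message):   <ip>/255.255.255.255
"""
import os
import tempfile
import time

ACL_DIR = "/usr/local/squid/etc"   # from the message
SESSION_TTL = 3600                 # one hour, as in the message
STATE_FILE = "ISPprmt.state"       # assumed: timestamped entries live here
ACL_FILE = "ISPprmt"               # squid's src ACL file, regenerated from the state

# Constructed sample state: two live sessions and one malformed line.
SAMPLE_STATE = "206.231.166.171 4600\n10.0.0.5 5600\nthis line is junk\n"


def parse_state(text):
    """Parse '<ip> <expiry>' lines into {ip: expiry}; malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        ip, expiry = parts
        try:
            entries[ip] = int(expiry)
        except ValueError:
            continue
    return entries


def grant(entries, ip, now, ttl=SESSION_TTL):
    """Start or extend the session for this one address only."""
    updated = dict(entries)
    updated[ip] = now + ttl
    return updated


def prune(entries, now):
    """Drop every address whose own expiry has passed (the cron job's check)."""
    return {ip: exp for ip, exp in entries.items() if exp > now}


def render_state(entries):
    return "".join(f"{ip} {exp}\n" for ip, exp in sorted(entries.items()))


def render_acl(entries):
    """Emit the squid src ACL: one host per line with a /32 mask, as in the message."""
    return "".join(f"{ip}/255.255.255.255\n" for ip in sorted(entries))


def write_atomic(path, text):
    """Write to a temp file and rename, so squid never reads a half-written ACL on HUP."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    os.replace(tmp, path)


def refresh(acl_dir=ACL_DIR, now=None, grant_ip=None):
    """One form submission (grant_ip set) or one cron tick (grant_ip None).

    Returns the live entries after pruning; the caller then HUPs squid
    (e.g. with `squid -k reconfigure`) so the new ACL file is read.
    """
    now = int(time.time()) if now is None else now
    state_path = os.path.join(acl_dir, STATE_FILE)
    try:
        with open(state_path) as handle:
            entries = parse_state(handle.read())
    except FileNotFoundError:
        entries = {}
    if grant_ip:
        entries = grant(entries, grant_ip, now)
    entries = prune(entries, now)
    write_atomic(state_path, render_state(entries))
    write_atomic(os.path.join(acl_dir, ACL_FILE), render_acl(entries))
    return entries


def read_acl(acl_dir=ACL_DIR):
    """Return the current contents of the ACL file squid reads."""
    with open(os.path.join(acl_dir, ACL_FILE)) as handle:
        return handle.read()


def make_scratch_dir():
    """A throwaway directory so the example can run without touching squid's etc."""
    return tempfile.mkdtemp()


if __name__ == "__main__":
    scratch = make_scratch_dir()
    print(refresh(acl_dir=scratch, now=1000, grant_ip="206.231.166.171"))
    print(refresh(acl_dir=scratch, now=2000, grant_ip="10.0.0.5"))
    print(refresh(acl_dir=scratch, now=5000))   # first address has expired
    print(read_acl(scratch), end="")
```

With this layout the "nowtime" ACL is no longer needed for expiry; each address carries its own deadline, and the cron job simply calls refresh() with no grant_ip and then signals squid. The atomic rename matters because a HUP that lands while the ACL file is half-written would otherwise leave squid with an empty or truncated list.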