Re: Access Control question

From: Finbarr O'Kane (Sysadmin)
Date: Tue, 6 Oct 1998 02:36:44 +0100 (IST)

On Tue, 6 Oct 1998, Henrik Nordstrom wrote:

{} Finbarr O'Kane (Sysadmin) wrote:
{} > This is fine, but what we are hoping to do is to not only restrict by
{} > requiring a username/password, but to also restrict by the hostname that
{} > a current user is requesting proxied http from
{} > user joebloggs, logs onto 'itchy', and sets up his proxies as usual,
{} > authenticates and everything is fine.
{} >
{} > if he then proceeds to log onto 'scratchy' then squid still lets him
{} > through since he has provided a valid username and password.
{} Sorry. I do not understand what you are talking about here.
{} Proxy username & password are cached by the browser, not by Squid. If
{} the user starts another browser then he has to authenticate again unless
{} he has provided his username+password to his browser by some other means
{} than manual authentication.
{} > If anyone has any suggestions on how to perhaps restrict this on both
{} > levels then I would be most appreciative.
{} >
{} > If moving to squid-2.0 is required, then so be it :)
{} With Squid 2.0 detailed access restrictions are possible, but it
{} requires a large number of ACL lists.
{}
{} acl host_scratchy src scratchy
{} acl host_itchy src itchy
{} acl user_joebloggs user joebloggs
{} acl user_finbarr user finbarr
{} # Allow joebloggs from itchy
{} http_access allow user_joebloggs host_itchy
{} # Allow finbarr from scratchy
{} http_access allow user_finbarr host_scratchy
{}
eeek, this is on a campus, with over 2000 members that frequently if not
always use the web.

I'm sorry if I didn't make myself in any way clear on this.

From our point of view (adminwise) we want our users to be able to access
the web by proxying via squid with password authentication (as you point
out, done by the browser)

however, in order to try and preserve bandwidth and reduce user abuse of
usernames by sharing them around.

I guess it's a bit of a tall order, but what we would like to do is

if I, finbarr, was logged in on itchy
and I then decided to ALSO log in on scratchy and let my friend use the
browser.... this would be using the same username to access from 2
different hosts at /the same time/

This, from our point of view is 'a bad thing' and if possible we would
like to make life more difficult, if not prevent, a user from doing so and
hence giving an entire lab full web access on the basis of one account ;)



{} ---
{} Henrik Nordström
{} Sparetime Squid Hacker
Received on Mon Oct 05 1998 - 18:38:34 MDT
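
Added example, not part of the original message or of Squid's own code: one way to spot the account sharing described above after the fact is to scan Squid's native access.log for a username that is active from more than one client address inside a short window. It assumes the authenticated username is logged in the eighth (ident/user) field; the log lines, addresses and the 300-second window are constructed for illustration.

```python
from collections import defaultdict

WINDOW = 300  # seconds two hosts may overlap before we flag; assumed value

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
907637800.101    210 192.0.2.11 TCP_MISS/200 4312 GET http://www.example.com/ finbarr DIRECT/www.example.com text/html
907637810.250    180 192.0.2.11 TCP_HIT/200 1200 GET http://www.example.com/a joebloggs NONE/- text/html
907637840.377    340 192.0.2.12 TCP_MISS/200 9912 GET http://www.example.org/ finbarr DIRECT/www.example.org text/html
907637845.000     95 192.0.2.13 TCP_DENIED/407 1024 GET http://www.example.org/ - NONE/- text/html
this line is truncated or malformed
907641410.512    150 192.0.2.12 TCP_MISS/200 2048 GET http://www.example.com/b joebloggs DIRECT/www.example.com text/html
"""


def parse(line):
    """Return (timestamp, client, user), or None for unusable lines."""
    fields = line.split()
    if len(fields) < 10 or fields[7] == "-":
        return None  # malformed, or request carried no username
    try:
        return float(fields[0]), fields[2], fields[7]
    except ValueError:
        return None


def concurrent_users(lines, window=WINDOW):
    """Map each user seen from 2+ client addresses within `window`
    seconds to the sorted list of those addresses."""
    last_seen = defaultdict(dict)   # user -> {client: last timestamp}
    flagged = defaultdict(set)
    for ts, client, user in sorted(filter(None, map(parse, lines))):
        seen = last_seen[user]
        seen[client] = ts
        # Clients this user has used recently enough to count as "now".
        active = {c for c, t in seen.items() if ts - t <= window}
        if len(active) > 1:
            flagged[user] |= active
    return {user: sorted(clients) for user, clients in flagged.items()}


if __name__ == "__main__":
    for user, clients in concurrent_users(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: simultaneous use from {', '.join(clients)}")
```

A user who moves from one lab machine to another an hour later (joebloggs in the sample) is not flagged at the default window; only overlapping use is.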
