Authentication questions problems

From: Josh Kuperman <sar_kuper@dont-contact.us>
Date: Thu, 25 Feb 1999 12:58:39 -0500

I am using Squid-2.1 on RedHat 5.2. I started trying to use authentication using the ncsa_auth program, which works well but doesn't do what I need.

I'm trying to set up squid for use in a public library with computers by our reference desk. What I want is for the databases and ready-reference material (e.g. http://www.m-w.com, http://www.thomasregister.com) to be available to anyone who wants them without any authentication.

I'd like the rest of the net to be available to authenticated users for, say, 15 minutes so that someone could look things up quickly. We have a computer lab where people can sign up for an hour (and stay on forever if no one else comes in). I'd like to eliminate our current need to kick people out of the lab for people who just want to look at what's on a single web page and would then leave in five minutes.

But because many different people will use the machine there are two major authentication problems.

1. Once an IP address is authenticated it tends to stay authenticated. I turned the ttl down to 10 minutes. (I assumed that the default of 3600 was in seconds and gave users an hour.) But I can't find a way for a user to log out, so to speak, from the proxy server. Thus if a person whom I want to let have unlimited access is done in 5 minutes and leaves, how do I stop someone else from sitting down and having full access? Note these are Windows machines with no logins of any kind.

This is really a minor problem as it would just give an unauthenticated user a few minutes.

2. Is there a way of stopping someone from just logging in over and over again? Henrik Nordstrom suggested delay pools as a way of approximating limiting the total time, which seems like an overly complicated method. I really think I'm trying to do a very simple task. I was thinking there must be some way to just intercept the call to ncsa_auth (or modify in ncsa_auth) to just flag a login as having been used for the day. Something on the order of a Perl script or even a shell script front end with something like

#!/bin/make-believe-shell-where-stuff-like-works
if [ -f /tmp/$USERNAME ]; then
        return=ERR
else {
        touch /tmp/$USERNAME ;
        return= whatever ncsa_auth would've returned.
}

Of course if there was something in the squid.conf to limit the number of times a user can log in this would be unneeded.

--
Josh Kuperman        Saratoga Springs Public Library
sar_kuper@sals.edu   49 Henry St  
518.584.7860x211     Saratoga Springs, NY 12866
http://www.library.saratoga.ny.us 
Received on Thu Feb 25 1999 - 10:59:59 MST
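
Added example (not part of the original message and not Squid's own code): a Python front end of the kind the message sketches, which passes each "username password" request line to the real helper and then allows each user one successful login per day. The helper and password-file paths, STATE_DIR, and the function names claim and decide are assumptions; the marker file name is a hash of the username inside a private directory rather than /tmp/$USERNAME, so a username containing "/" or "../" cannot write outside that directory, and the marker is created atomically.

```python
#!/usr/bin/env python3
"""Once-per-day wrapper around a Squid basic-auth helper (added example)."""
import datetime
import hashlib
import os
import subprocess
import sys

# Assumed paths; adjust to the local install.
HELPER = ["/usr/lib/squid/ncsa_auth", "/etc/squid/passwd"]
STATE_DIR = "/var/lib/squid-once"  # owned by the squid user, not /tmp

def claim(user, state_dir, day):
    """Atomically mark `user` as used for `day`; False if already marked."""
    # Hash the name so "/" or "../" in a username cannot escape state_dir.
    name = day + "-" + hashlib.sha256(user.encode()).hexdigest()
    try:
        fd = os.open(os.path.join(state_dir, name),
                     os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
    except FileExistsError:
        return False
    os.close(fd)
    return True

def decide(line, verify, state_dir, day):
    """Return 'OK' or 'ERR' for one 'username password' request line."""
    user, sep, _password = line.rstrip("\r\n").partition(" ")
    if not user or not sep:
        return "ERR"
    # Check the password first so a wrong guess does not burn the login.
    if verify(line) != "OK":
        return "ERR"
    return "OK" if claim(user, state_dir, day) else "ERR"

def main():
    helper = subprocess.Popen(HELPER, stdin=subprocess.PIPE,
                              stdout=subprocess.PIPE, text=True, bufsize=1)
    def verify(line):
        # Forward the request unchanged and read the helper's one-line reply.
        helper.stdin.write(line.rstrip("\r\n") + "\n")
        helper.stdin.flush()
        return helper.stdout.readline().strip()
    for line in sys.stdin:
        day = datetime.date.today().isoformat()
        print(decide(line, verify, STATE_DIR, day), flush=True)

if __name__ == "__main__":
    main()
```

Squid asks the helper again once its cached result (the ttl mentioned in the message) expires, so with this wrapper the next query for the same user on the same day is answered ERR.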
