Authentication question problems

Hi,

>From: Josh Kuperman <sar_kuper@sals.edu>
> I'm trying to set up squid for use in a public library with computers by
> our reference desk. What I want is for the databases and ready-reference
> material (e.g. http://www.m-w.com, http://www.thomasregister.com) to be
> available to anyone who want them without any authentication.
> I'd like the rest of the net to be available to authenticated users
> for say 15 minutes so that someone could look things up quickly. We have
> a computer lab where people can sign up for an hour (and stay on forever
> if no one else comes in.) I'd like to eliminate our current need to kick
> people out of the lab for people who just want to look at what's on a
> single web page and would then leave in five minutes.)

I have a set of Netscape terminals with similar requirements. In my case,
I have to keep people from using Netscape (all access) for more than 90
mins at a time.

I'm using a series of very ugly Perl hacks in order to manage this. (I
have no time to whip up something better... :)

The main problem with session control for squid auth is that web usage is
stateless - i.e. there is no "logged in" or "logged out" state for a user.

> But because many different people will use the machine there are two
> major authentication problems.
 
> 1. Once an IP address is authenticate it tends to stay authenticated. I
> turned the ttl down to 10 minutes. (I assumed that the default of 3600
> was in seconds and gave users an hour). But I can't find a way for a
> user to logout, so to speak, from the proxy-server. Thus if a person
> who I want to let to have unlimited access is done in 5 minutes and
> leaves, how do I stop someone else from sitting down and having full
> access. Note these are windows machine with unlimited access is done in
> 5 minutes and leaves, how do I stop someone else from sitting down and
> having full access. Note these are windows machine with no logins of
> any kind.

One of my scripts parses the access.log file, maintaining a "record" of
the time of the first access of each user (i.e. the first object retrieved
through Squid) and cuts off access 90 mins after that recorded time. (I
realize this is a bit unfair, as someone who merely logged in for 15 mins
gets logged off also 75 mins later).

I'm using squid-1.1.20 with the auth_acl patches. I have squid use a
"active" password file, and a script in cron deletes "timed out" users
from that file. Another script re-enables (adds) everyone at 9 am, 12
noon, 3 pm and 8 pm. (I told you it was kludgy).

I'm currently trying out Squid-2.1.PATCH2. If the IP authentication
"sticks" as you say, then I may have to rethink my scripts (kludge: maybe
a squid -k reconfig?)

> 2. Is there a way of stopping someone from just logging in over and over
> again. Henrik Nordstrom suggested delay pools as a way of approximating
> limiting the total time, which seems like an overly complicated method.
> I really think I'm trying to do a verysimple task. I was thinking there
> must be someway to just intercept the call to ncsa_auth (or modify in
> ncsa_auth) to just flag a login as having been used for the day.

In my case, deletion from the password file will prevent this.

The best solution, of course, is writing a custom auth program (based on
ncsa_auth) with these features. If I do get some time, I may try a
perl auth program (save to dbm file, etc).

- Elfredy Cadapan
- Institute of Computer Science, Univ. of the Philippines at Los Banos
     
Received on Fri Feb 26 1999 - 07:44:04 MST