Re: PAM authentication module

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 19 Sep 1999 10:04:20 +0200

Scott Harbin wrote:

> I am trying to get PAM to work on my Squid box. I am running Redhat linux
> 5.1. It uses the /etc/passwd file to verify users, correct?

It uses whatever method you configure for the squid service in PAM
configuration. See pam_auth.c and your PAM documentation for details.

PAM documentation for RedHat is in /usr/doc/pam-<version>/txts/pam.txt,
as for most other RedHat packaged software.

Hint: See what the PAM configuration for other services on your system
looks like, and make a similar configuration for the squid service.

Squid only uses the auth and account management types in PAM, so you can
ignore the other PAM management types (password and session).

For my RedHat 6.0 system, PAM would be configured like this if
authenticating to the system password file:
--- /etc/pam.d/squid ---
auth required /lib/security/pam_pwdb.so shadow
account required /lib/security/pam_pwdb.so
------------------------

To test if you have the PAM configuration correct you can run the
authentication module manually from a command line, and manually type in
"username password" pairs (without quotes). Remember that if your system
uses a shadow password file then the program needs to run as root or it
will only be able to authenticate the password for the user who runs it.
This means that when installed it needs to be suid root if you want to
authenticate against the shadow password file.

Most people consider it a bad idea to have proxy users in the proxy
systems password file from a security point of view. The general setup
of a proxy server is a standalone machine with as few UNIX accounts as
possible. The proxy box security is important from several aspects:

a) It is often a "single point of failure". If it crashes then people
configured to use it as a proxy will not be able to reach the net, and
the likelihood of crashes is higher if you have other people running
other programs on the same box.
b) Log files (and some cache contents) contain information which
could affect your users' privacy.
c) If a malicious user is able to log on to the box, then he/she can
often replace the proxy service with his own version, and thereby be
able to sniff people's passwords, both for proxying and for access
to various web services like web mail and other sensitive stuff.

> Can you enlighten me on the syntax in the squid.conf file?
> I have it as it says in the squid.conf comments, but it doesn't work.

squid.conf only includes the path to the authentication program, and
possibly a list of users that should be given certain permissions (or
not). For the PAM module the configuration on how to authenticate the
users is inside the PAM config.

--
Henrik Nordstrom
Spare time Squid hacker
Received on Sun Sep 19 1999 - 12:29:40 MDT
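The checks Henrik describes (an auth plus an account line in the squid PAM service, root or suid root for shadow passwords, and feeding "username password" pairs to the helper by hand), collected into a small POSIX sh script. This is an added example, not code from the post or from Squid; the helper path is an assumption and can be overridden through the environment.

```sh
#!/bin/sh
# Sanity checks for a Squid PAM authentication setup (added example).
# PAM_HELPER is an assumed install location; adjust to your build.
PAM_SERVICE_FILE="${PAM_SERVICE_FILE:-/etc/pam.d/squid}"
PAM_HELPER="${PAM_HELPER:-/usr/local/squid/libexec/pam_auth}"

# pam_config_ok FILE: succeed only if FILE has at least one "auth" and one
# "account" line, the two PAM management types Squid uses. Comments and blank
# lines are ignored; password/session lines are reported as unused.
pam_config_ok() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    types=$(sed -e 's/#.*//' "$f" | awk 'NF { print $1 }')
    echo "$types" | grep -qx auth    || { echo "missing auth line in $f" >&2; return 1; }
    echo "$types" | grep -qx account || { echo "missing account line in $f" >&2; return 1; }
    echo "$types" | grep -qxE 'password|session' \
        && echo "note: password/session lines in $f are ignored by Squid" >&2
    return 0
}

# helper_can_read_shadow HELPER: the helper must run as root or be setuid
# root to verify passwords from a shadow file; otherwise it can only
# authenticate the invoking user. Succeeds when that condition is met.
helper_can_read_shadow() {
    h="$1"
    [ -x "$h" ] || { echo "helper $h not executable" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] && return 0
    owner=$(stat -c %u "$h" 2>/dev/null || stat -f %u "$h")   # GNU, then BSD stat
    [ -u "$h" ] && [ "$owner" = 0 ] && return 0
    echo "$h is neither run as root nor setuid root; shadow auth will fail" >&2
    return 1
}

# try_login HELPER USER PASS: send one "username password" pair on stdin,
# exactly as when typing pairs manually, and print the first word of the
# helper's reply (OK or ERR for Squid basic-auth helpers).
try_login() {
    printf '%s %s\n' "$2" "$3" | "$1" | awk 'NR == 1 { print $1; exit }'
}

# Usage: sh squid_pam_check.sh USERNAME PASSWORD
if [ $# -ge 2 ]; then
    pam_config_ok "$PAM_SERVICE_FILE" && helper_can_read_shadow "$PAM_HELPER" \
        && echo "login $1: $(try_login "$PAM_HELPER" "$1" "$2")"
fi
```

Run it as root on the proxy box so the shadow check reflects how Squid will actually invoke the helper.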

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:48:28 MST