On Fri, 8 Oct 1999, Williams Jon wrote:
> Much to my dismay, I find that I'm going to have to at least look at this
> option, as well. I'm not thrilled because this is basically worthless from
> a security point of view and fairly useless from an authentication one, but
> I just do what I'm told :-)
>
> At any rate, I can see that this discussion could fairly quickly flow into
> the "off-topic" space, so I'd like to suggest that we put together a small
> working group to work seperately from the squid-users list and then report
> back on our findings. I'd be happy to try to coordinate such an effort if
> others see a need.
I've been doing exactly this since late last year. So far nearly all
of our workstations are running Windows95, and each one must log on to
a Windows NT domain. Using the logon scripts, I install and run an
ident server on each workstation each time a user logs in. The ident
server returns the name of the user currently logged in.
See http://www.acs.ucalgary.ca/~mmastrac/files/identd.html for an
excellent identd server for 9X/NT that works exactly like it should in
this situation... invisibly. :-) I even identified an RFC compliancy
issue of this identd server that caused Squid to handle the ident
replies incorrectly (Squid was changed, too, so as to not be so
strict). I'm still using version 1.3, and I see that he has 1.5 out.
I'll have to download it next week and see what is new. If you need
help with the logon scripts that use this, send me another message
privately.. no sense in clogging things up here.
I don't use it for authentication, which would be ridiculous, but
rather a "helper" for finding out who went where when the inevitible
question arises when someone thinks someone went where they shouldn't
have (I work for a K-12 school district). My only other alternative
was to match the IP address in the Squid logs to a DHCP lease to get a
NetBIOS machine name, and then match that machine name to the security
audit logs on each of the NT domain controllers to find out who was
logged into that workstation at that time. What a pain! Should a
definite answer be required, I still have to check things the hard
way, since ident can't be relied on for proof-positive logging for the
same reasons it can't be relied on for authentication.
I suppose if your users are ignorant enough (I'm betting most of mine
are), they won't know that ident is being used for authentication, and
even if they did, they'd have to know how to subvert that. Security
through obscurity and/or ignorance. Not good practice, but when its
that or nothing... Maybe someone who needs this kind of thing badly
enough can develop a secure way to do transparent authentication to be
used with Squid.
-- Chris Dillon - cdillon@wolves.k12.mo.us - cdillon@inter-linc.net
FreeBSD: The fastest and most stable server OS on the planet.
For Intel x86 and Alpha architectures (SPARC under development).
( http://www.freebsd.org )
"One should admire Windows users. It takes a great deal of
courage to trust Windows with your data."
Received on Fri Oct 08 1999 - 19:46:49 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:48:46 MST