RE: Proxy with auth but without the request of the login+password every time

I haven't had any replies wanting to take this off-list, so I'll go ahead
and talk here :-)

Although the ident option could be used to improve the chances of
identifying abusers somewhat, there are a couple of things to consider.
First, there really isn't a way to confirm that the identity being presented
is really the identity of the person at the keyboard (note, this is the main
reason I don't like the so-called transparent authentication stuff). Since
ident is running inside the process space on the local machine, it is
relatively simple to modify it to present different credentials (i.e. log in
as a different user, hit "Cancel" on the Win '95 login prompt, etc.).
Furthermore, ident doesn't have a robust authentication or security
mechanism behind it, making it very easy to defraud.

Second, remember that those users who are most likely to want to bypass any
security mechanisms are also those who are most likely to have the
knowledge/experience to get past the security-through-obscurity stuff. In
many workplaces, for example, the end user is set up as a local
administrator in NT so they can install software. This means that they have
total control over that box, and can remove programs, modify system files,
etc.

Finally, identity is not very useful unless you can do some robust form of
authentication (i.e. if I say that I'm really the John Williams who composed
the theme music for Star Wars and Jaws, you wouldn't believe me unless I
were to provide some supporting evidence of my identity). Without
authentication, authorization becomes impossible since I can't decide what
you should have access to if I don't know for sure who you are.

This all just goes to underscore my main premise: end user convenience
frequently adds nothing to security at best, and completely undermines it at
worst. My guess, having just started looking at this, is that the HTTP
specs will need to be updated to allow another proxy header that would make
use of cookies or digital certificates to get a better way to verify an
identity. I've got a couple of brainstorm-level ideas that I'd be happy to
toss about, but I do really believe that it would go way off-topic so we
should do the discussion outside the list.

Jon

> -----Original Message-----
> From: Chris Dillon [SMTP:cdillon@wolves.k12.mo.us]
> Sent: Friday, October 08, 1999 8:36 PM
> To: Williams Jon
> Cc: 'Luciano Ghezzi'; squid-users@ircache.net
> Subject: RE: Proxy with auth but without the request of the
> login+password every time
>
> On Fri, 8 Oct 1999, Williams Jon wrote:
>
> > Much to my dismay, I find that I'm going to have to at least look at
> this
> > option, as well. I'm not thrilled because this is basically worthless
> from
> > a security point of view and fairly useless from an authentication one,
> but
> > I just do what I'm told :-)
> >
> > At any rate, I can see that this discussion could fairly quickly flow
> into
> > the "off-topic" space, so I'd like to suggest that we put together a
> small
> > working group to work seperately from the squid-users list and then
> report
> > back on our findings. I'd be happy to try to coordinate such an effort
> if
> > others see a need.
>
> I've been doing exactly this since late last year. So far nearly all
> of our workstations are running Windows95, and each one must log on to
> a Windows NT domain. Using the logon scripts, I install and run an
> ident server on each workstation each time a user logs in. The ident
> server returns the name of the user currently logged in.
>
> See http://www.acs.ucalgary.ca/~mmastrac/files/identd.html for an
> excellent identd server for 9X/NT that works exactly like it should in
> this situation... invisibly. :-) I even identified an RFC compliancy
> issue of this identd server that caused Squid to handle the ident
> replies incorrectly (Squid was changed, too, so as to not be so
> strict). I'm still using version 1.3, and I see that he has 1.5 out.
> I'll have to download it next week and see what is new. If you need
> help with the logon scripts that use this, send me another message
> privately.. no sense in clogging things up here.
>
> I don't use it for authentication, which would be ridiculous, but
> rather a "helper" for finding out who went where when the inevitible
> question arises when someone thinks someone went where they shouldn't
> have (I work for a K-12 school district). My only other alternative
> was to match the IP address in the Squid logs to a DHCP lease to get a
> NetBIOS machine name, and then match that machine name to the security
> audit logs on each of the NT domain controllers to find out who was
> logged into that workstation at that time. What a pain! Should a
> definite answer be required, I still have to check things the hard
> way, since ident can't be relied on for proof-positive logging for the
> same reasons it can't be relied on for authentication.
>
> I suppose if your users are ignorant enough (I'm betting most of mine
> are), they won't know that ident is being used for authentication, and
> even if they did, they'd have to know how to subvert that. Security
> through obscurity and/or ignorance. Not good practice, but when its
> that or nothing... Maybe someone who needs this kind of thing badly
> enough can develop a secure way to do transparent authentication to be
> used with Squid.
>
>
> -- Chris Dillon - cdillon@wolves.k12.mo.us - cdillon@inter-linc.net
> FreeBSD: The fastest and most stable server OS on the planet.
> For Intel x86 and Alpha architectures (SPARC under development).
> ( http://www.freebsd.org )
>
> "One should admire Windows users. It takes a great deal of
> courage to trust Windows with your data."
Received on Mon Oct 11 1999 - 13:29:02 MDT