Re: Proxy with auth but without the request of the login+password every time

From: wolfgang mader <wolfgang.mader@dont-contact.us>
Date: Wed, 10 Nov 1999 16:52:41 +0100

Date: Fri, Oct 08, 1999 at 08:35:41PM -0500
Quoting Chris Dillon (cdillon@wolves.k12.mo.us):

I've learned that the identd thing seems to be a solution for you,
but running some thousands of M$-Workstations with rather strict implementations,
this seems to be rather an overhead.

How the hell is M$-Proxy doing it?

Yours, Woifi.

> > > Much to my dismay, I find that I'm going to have to at least look at this
> > > option, as well. I'm not thrilled because this is basically worthless from
> > > a security point of view and fairly useless from an authentication one, but
> > > I just do what I'm told :-)
> > >
> > > At any rate, I can see that this discussion could fairly quickly flow into
> > > the "off-topic" space, so I'd like to suggest that we put together a small
> > > working group to work separately from the squid-users list and then report
> > > back on our findings. I'd be happy to try to coordinate such an effort if
> > > others see a need.
> >
> > I've been doing exactly this since late last year. So far nearly all
> > of our workstations are running Windows95, and each one must log on to
> > a Windows NT domain. Using the logon scripts, I install and run an
> > ident server on each workstation each time a user logs in. The ident
> > server returns the name of the user currently logged in.
> >
> > See http://www.acs.ucalgary.ca/~mmastrac/files/identd.html for an
> > excellent identd server for 9X/NT that works exactly like it should in
> > this situation... invisibly. :-) I even identified an RFC compliancy
> > issue of this identd server that caused Squid to handle the ident
> > replies incorrectly (Squid was changed, too, so as to not be so
> > strict). I'm still using version 1.3, and I see that he has 1.5 out.
> > I'll have to download it next week and see what is new. If you need
> > help with the logon scripts that use this, send me another message
> > privately.. no sense in clogging things up here.
> >
> > I don't use it for authentication, which would be ridiculous, but
> > rather a "helper" for finding out who went where when the inevitable
> > question arises when someone thinks someone went where they shouldn't
> > have (I work for a K-12 school district). My only other alternative
> > was to match the IP address in the Squid logs to a DHCP lease to get a
> > NetBIOS machine name, and then match that machine name to the security
> > audit logs on each of the NT domain controllers to find out who was
> > logged into that workstation at that time. What a pain! Should a
> > definite answer be required, I still have to check things the hard
> > way, since ident can't be relied on for proof-positive logging for the
> > same reasons it can't be relied on for authentication.
> >
> > I suppose if your users are ignorant enough (I'm betting most of mine
> > are), they won't know that ident is being used for authentication, and
> > even if they did, they'd have to know how to subvert that. Security
> > through obscurity and/or ignorance. Not good practice, but when it's
> > that or nothing... Maybe someone who needs this kind of thing badly
> > enough can develop a secure way to do transparent authentication to be
> > used with Squid.
> >
> >
> > -- Chris Dillon - cdillon@wolves.k12.mo.us - cdillon@inter-linc.net
> > FreeBSD: The fastest and most stable server OS on the planet.
> > For Intel x86 and Alpha architectures (SPARC under development).
> > ( http://www.freebsd.org )
> >
> > "One should admire Windows users. It takes a great deal of
> > courage to trust Windows with your data."
---end quoted text---

-- 
---
We are but packets in the Internet of life.
Received on Wed Nov 10 1999 - 09:10:38 MST
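
The quoted message treats ident names in the Squid log as a hint and falls back to DHCP and domain logon records when a definite answer is needed. The following is an added example, not part of the original thread or of Squid, that automates that cross-check. The log lines, the SESSIONS table (standing in for merged DHCP lease and NT audit data) and all function names are constructed assumptions; the field order follows Squid's native access.log, where the eighth field (rfc931) carries the ident reply.

```python
# Constructed sample in Squid native access.log layout:
# time elapsed client code/status bytes method URL rfc931 peer type
SQUID_LOG = """\
942249000.123 120 10.1.2.15 TCP_MISS/200 4512 GET http://example.org/ alice DIRECT/192.0.2.10 text/html
942249060.456 95 10.1.2.15 TCP_MISS/200 1822 GET http://example.org/a bob DIRECT/192.0.2.10 text/html
942249120.789 80 10.1.2.77 TCP_HIT/200 900 GET http://example.org/b - NONE/- text/html
"""

# Hypothetical authoritative records: (ip, logon_start, logon_end, user),
# e.g. merged from DHCP leases and domain controller audit logs.
SESSIONS = [
    ("10.1.2.15", 942248000, 942252000, "alice"),
    ("10.1.2.77", 942249000, 942250000, "carol"),
]

def parse_line(line):
    """Return the fields needed for correlation, or None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    return {"ts": float(f[0]), "ip": f[2], "url": f[6], "ident": f[7]}

def authoritative_user(ip, ts):
    """Who was logged on at this address at this time, per trusted logs."""
    for s_ip, start, end, user in SESSIONS:
        if s_ip == ip and start <= ts <= end:
            return user
    return None

def classify(entry):
    """Compare the client-supplied ident name with the trusted record."""
    known = authoritative_user(entry["ip"], entry["ts"])
    ident = entry["ident"]
    if ident == "-":
        return "no-ident", known      # client gave no ident reply
    if known is None:
        return "unverified", known    # nothing to check the claim against
    if ident.lower() == known.lower():
        return "confirmed", known
    return "mismatch", known          # ident reply contradicts logon record

def audit(log_text):
    """Return (ip, ident, authoritative_user, status) per request."""
    rows = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            status, known = classify(e)
            rows.append((e["ip"], e["ident"], known, status))
    return rows
```

Rows marked mismatch or unverified are the ones that still need the manual check described in the quoted message.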
