Re: [SQU] Authenticate problem:

From: Robert Collins <robert.collins@dont-contact.us>
Date: Sat, 23 Dec 2000 08:58:44 +1100

----- Original Message -----
From: "Henrik Nordstrom" <hno@hem.passagen.se>
To: "Henk-Jan Kloosterman" <proxy@kloosterman.org>
Cc: <squid-users@ircache.net>
Sent: Saturday, December 23, 2000 2:04 AM
Subject: Re: [SQU] Authenticate problem:

> Henk-Jan Kloosterman wrote:
>
> > > The browser always authenticates, but Squid tries to cache this to not
> > > overload the backend database.
> >
> > Can I disable this cache? Cause it really "feels" that this is the problem.
>
> Most likely not. All this cache does is to lower the amount of requests
> to the backend authentication service. If you disable the cache then
> Squid will have to validate the password on each and every request. And
> since you use securid tokens this means that the user would have to
> generate a new passphrase mostly the whole time..
>
> > > Is the radius authentication successful, or is it repeated failures?
> >
> > No it is not successful: And there is the problem! The passwords change
> > every minute (we use a "secureid" token to generate the password)
>

Does the user need a challenge to get the password, or do they just type in what's on the token at the time?

> Ok. So each user would have to reauthenticate each authenticate_ttl
> then, possibly causing trouble if it happens in the middle of a page, or
> on a page partially cached in the client browser. If the user's browser
> has or tries to open multiple connections to the proxy when the old
> passphrase expires then multiple requests for a new identification will
> be sent (one for each concurrent request not carrying a valid
> identification).
>
> Hmm.. maybe there is a proxy_auth cache deficiency there. In theory the
> first request carrying the new passphrase would be sent to the
> authenticator, but maybe all are until the authenticator returns. Need
> to check the code on this.
>

The Auth_rewrite branch should have this fixed as a 'freebie'. I'll check when I get fully back on deck. If not then it will be
trivial to fix in auth_rewrite.

> > > What are your settings of
> > >
> > > authenticate_ttl
> >
> > 3600
>
> Fine.
>
> > > authenticate_ip_ttl
> >
> > 3600
>
> This might also be one source if the same userid tried to access Squid
> from two or more different IP's.
>

This is fixed in auth_rewrite. We compare the passwords in memory without an external trip.

Rob

Received on Fri Dec 22 2000 - 14:53:24 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:57:06 MST
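
The cache behaviour discussed in this thread, as an added Python model that is not part of the original messages and is not Squid's code: it contrasts forwarding every concurrent request to the authenticator with letting later requests wait on the first lookup, then shows the in-memory compare within the TTL and the forced reauthentication after it. The class and function names, the user and passcode values, and the rule that the backend accepts each passcode only once are assumptions made for the illustration.

```python
import hmac

class OneTimeBackend:
    """Constructed stand-in for the RADIUS/SecurID service (assumption:
    a passcode is accepted only once)."""
    def __init__(self, valid):
        self.valid = dict(valid)   # user -> currently valid passcode
        self.used = set()          # passcodes already consumed
        self.calls = 0             # number of external trips

    def check(self, user, passcode):
        self.calls += 1
        ok = self.valid.get(user) == passcode and (user, passcode) not in self.used
        if ok:
            self.used.add((user, passcode))
        return ok

class AuthCache:
    """Hypothetical model of a proxy credential cache, not Squid's code."""
    def __init__(self, backend, ttl, coalesce):
        self.backend, self.ttl, self.coalesce = backend, ttl, coalesce
        self.entries = {}          # user -> (passcode, expires_at)

    def burst(self, user, passcode, n, now):
        """Handle n requests that all arrive before the authenticator answers."""
        entry = self.entries.get(user)
        if entry and entry[1] > now and hmac.compare_digest(
                entry[0].encode(), passcode.encode()):
            return [True] * n      # compared in memory, no external trip
        if self.coalesce:
            # Only the first request goes out; the rest wait for its result.
            results = [self.backend.check(user, passcode)] * n
        else:
            # Every request is forwarded until the first answer comes back.
            results = [self.backend.check(user, passcode) for _ in range(n)]
        if any(results):
            self.entries[user] = (passcode, now + self.ttl)
        return results

def demo(coalesce):
    backend = OneTimeBackend({"alice": "492817"})   # constructed sample values
    cache = AuthCache(backend, ttl=3600, coalesce=coalesce)
    first = cache.burst("alice", "492817", n=4, now=0)       # four parallel connections
    later = cache.burst("alice", "492817", n=2, now=1800)    # within the TTL
    expired = cache.burst("alice", "492817", n=1, now=3600)  # TTL over, old passcode
    return first, later, expired, backend.calls

if __name__ == "__main__":
    print("forward all:", demo(False))
    print("coalesced:  ", demo(True))
```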