Re: [SQU] Java Applet-Auth - New Feature?

From: Robert Collins <robert.collins@dont-contact.us>
Date: Fri, 29 Dec 2000 09:46:13 +1100

----- Original Message -----
From: "Michael Smirnov" <smbsmb@mail.ru>
To: <squid-users@ircache.net>
Sent: Friday, December 29, 2000 7:06 AM
Subject: [SQU] Java Applet-Auth - New Feature?

> NB Squid developers!
> Is there a way to use with Squid a Java applet-based
> authentication, like in WinGate?

Not at this point in time. Such a feature could be added relatively easily, but I don't think it's likely that one of the squid
developers will create such a feature. (I can't speak for anyone other than myself of course).

> Or to combine it somehow with NCSA_auth?
Not at this point in time.

> I think we should do something to lower the number of times passwords are entered
> - that's where a Java applet can help.

Have a look at http://squid.sourceforge.net/ntlm
It covers MS 'seamless' security via NTLM. The users are not prompted for their password, and the data that crosses the wire is
somewhat encrypted. A bit of terminology is in order here: the standard squid uses the 'basic' authentication scheme. NCSA_auth is a
helper for the 'basic' scheme. The NTLM 'flavour' of squid uses the NTLM authentication scheme.

> Let the user know when he logs on and off.
>
> It was very easy to decompile this applet.
> That's how this applet works in WinGate:
> - If client's IP address is not in the WinGate's auth-table,
> the Java applet appears.
> - A user enters his login and password, then presses "Logon" button.
> Login and password are MD5-encoded and sent to the server.
> - Client's IP address is added to the WinGate's auth-table.
> - When the user presses "Logoff", Client's IP address is deleted from
> auth-table.
>
> Note, this mechanism has bad sides - for example, on Win2000 with Terminal
> Services
> all users have access after the first user authenticates in the Java applet,
> because all the users have one IP address.
> I checked how Squid + NCSA_auth work on Terminal Services -
> they don't have such a bug, because the auth-table is not IP-address-based!

More importantly, IE sends the password on EVERY request to squid. However, just using the MD5(login, password) doesn't protect the
username from being used in a replay attack. So both the java concept you are discussing and 'basic' authentication are not secure.

> However, when I open new Internet Explorer (IE) windows, it asks for login and
> password again.
> IE doesn't ask anything, when I open a new child-window from an
> authentificated
> IE's window (by clicking Shift+Mouse on a link in this window).
> It asks password only when I open a new IE window.
>
> It is not as good for users as it can be with such an applet,
> because they don't like to enter their passwords too often.
> I think that storing the password in IE is a bad idea for my case:
> all the users have only one Win2000 login name and are not
> security-experienced.
> They can easily store the password, not knowing completely what they are
> doing.
> Note that this Java applet doesn't allow storing the password at all,
> so it gives a good solution for this "non-experienced" user category!
>
> Does anyone want to look at the Java sources of this applet to decide if it
> can work with Squid?

It cannot work with squid at the moment - squid has no 'receive authentication, and then allow a given IP to always be john/mary',
whatever.

I'd suggest looking into some user training - use Ctrl-N to open a new window. Or look into the NTLM flavour of squid referenced
above.

Rob
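To make the two weaknesses raised in this exchange concrete (an auth-table keyed by client IP, and a fixed MD5 digest that can be replayed) next to the nonce-bound design that NTLM-style schemes rely on, here is an added Python sketch; it is not part of the original thread, of WinGate or of Squid. The USERS store, the IpAuthTable class and the HMAC-SHA256 challenge-response are hypothetical simplifications for illustration, not the actual NTLM or WinGate protocol.

```python
import hashlib
import hmac
import secrets

# Constructed user store (hypothetical); stands in for the applet's server side.
USERS = {"john": "hunter2", "mary": "s3cret"}

class IpAuthTable:
    """WinGate-style table from the thread: authorisation keyed by client IP,
    so everyone behind one address (e.g. Terminal Services users) inherits
    the first logon."""
    def __init__(self):
        self.by_ip = {}
    def logon(self, ip, user):
        self.by_ip[ip] = user
    def logoff(self, ip):
        self.by_ip.pop(ip, None)
    def user_for(self, ip):
        return self.by_ip.get(ip)

def static_digest(user, password):
    """What the decompiled applet sends: a fixed MD5 over login and password.
    It never changes, so a captured value is accepted again (replay)."""
    return hashlib.md5(f"{user}:{password}".encode()).hexdigest()

def verify_static(user, digest):
    if user not in USERS:
        return False
    return hmac.compare_digest(static_digest(user, USERS[user]), digest)

def issue_challenge():
    """Server-side nonce, fresh for every logon attempt."""
    return secrets.token_hex(16)

def challenge_response(user, password, challenge):
    """Challenge-response in the spirit of NTLM: the proof is bound to the
    server's nonce, so it is only valid for that one challenge."""
    msg = f"{user}:{challenge}".encode()
    return hmac.new(password.encode(), msg, hashlib.sha256).hexdigest()

def verify_response(user, challenge, response, seen):
    """Accept each challenge once; resending an old response fails."""
    if user not in USERS or challenge in seen:
        return False
    seen.add(challenge)
    expected = challenge_response(user, USERS[user], challenge)
    return hmac.compare_digest(expected, response)
```

Per-request credentials (the 'basic' scheme with NCSA_auth) avoid the IP-table problem because every request carries its own identity, which is exactly why the Terminal Services case behaves correctly there.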

Received on Thu Dec 28 2000 - 15:40:15 MST