Re: [SQU] is this possible

From: Robert Collins <robert.collins@dont-contact.us>
Date: Sun, 21 Jan 2001 22:40:03 +1100

To this - Use the source, Luke. Yes, it is possible to code into squid a fallback position, when authentication fails, of trying some
other system, but no one has done it as yet.

Or you could look into using the extended basic auth helper protocol, and add a response code of UNKNOWNUSER so that squid can tell
the difference between an incorrect password and an unknown usercode. Note that that is not guaranteed to be possible with all
backend helpers - that knowledge is often used as part of a cracking attack to establish system usercodes.

I.e. if checking the authentication against the second server results in responses that take .2 seconds to deny access instead of .1
second to deny access, then a cracker will be able to find out all the user names of your first user database by brute force.

Rob

----- Original Message -----
From: "Devin Teske" <devinteske@hotmail.com>
To: <hno@hem.passagen.se>; <squid-users@ircache.net>
Sent: Sunday, January 21, 2001 6:00 PM
Subject: Re: [SQU] is this possible

> > > My computer authenticates users but if they are not in my passwd file I want
> > > to pass everything on to another proxy server. Possible?
> >
> >Not quite. To Squid a non-existent user is the same as invalid password.
>
> Yeah, that wasn't really the answer I was looking for. I really need to do
> this. Is there maybe a way I can set up to use their password file in
> conjunction with mine? (not too good since they won't let me do that). I
> really need SOME way to do that.
>
> The specs I know are that the server that I will be using as a peer is on
> Windows NT 4 using CSM Proxy Server Enterprise. This proxy server will
> basically be doing most of the work. It will be going online, retrieving
> resources, and authenticating.
>
> I just want to set up my server as a throughput device that will augment
> that server's capabilities. Like add new users, add new features etc. Like I
> was thinking there must be a feature like this...
>
> ...
> acl password proxy_auth REQUIRED
> http_access allow password
> http_access allow !password cache_peer
> ...
>
> Not exactly how I would say that but that last line is supposed to mean if
> the authentication from this machine is no good but the authentication is
> good from the other machine, then allow it. Or maybe another way to do it
> might be to say "If the authentication from this machine fails, try to
> authenticate the user on the peer machine."
>
> Can't either of those statements be carried out? I think that there must be
> a way to do such a thing.
>
> Please help me out, Thanks,
> Devin Teske
>
> --
> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html

Received on Sun Jan 21 2001 - 04:43:52 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:57:30 MST
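
Added example, not part of the original message and not Squid's own code: a sketch of a chained basic auth helper (Squid sends "username password" per line, the helper answers OK or ERR) that consults two credential stores without revealing which one a user belongs to. The names make_db, check and authenticate, the in-memory stores and the PBKDF2 hashing are assumptions for illustration; the second store stands in for the peer's user database.

```python
import hashlib, hmac, os, sys
from urllib.parse import unquote

ITERATIONS = 1000  # constructed demo value, kept low so the example runs fast

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_db(users):
    """Build a constructed credential store: name -> (salt, password hash)."""
    db = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        db[name] = (salt, _hash(pw, salt))
    return db

# Record hashed for unknown users, so a miss costs the same work as a hit.
_DUMMY_SALT = b"\0" * 16
DUMMY = (_DUMMY_SALT, _hash("", _DUMMY_SALT))

def check(db, user, password):
    """Hash and compare whether or not the user exists in this store."""
    salt, stored = db.get(user, DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    return matches and user in db  # a match on the dummy record never counts

def authenticate(line, local_db, peer_db):
    """Answer one helper request line with OK or ERR.

    Both stores are always evaluated (no short-circuit), and unknown user
    and wrong password give the same ERR, so neither the reply nor the
    amount of hashing done says which store, if any, knows the name.
    """
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    user, password = unquote(parts[0]), unquote(parts[1])  # fields arrive URL-encoded
    local_ok = check(local_db, user, password)
    peer_ok = check(peer_db, user, password)
    return "OK" if (local_ok or peer_ok) else "ERR"

if __name__ == "__main__":
    # Constructed sample stores; a real helper would load its own backends.
    local_db = make_db({"alice": "s3cret"})
    peer_db = make_db({"bob": "hunter2"})
    for request in sys.stdin:
        print(authenticate(request, local_db, peer_db), flush=True)
```

With a genuinely remote second backend, its network latency is part of the response time as well, so the remote query has to be issued for every request for the equal-work property to hold.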