RE: [SQU] Authentication with Kerberos - WARNING

From: Robert Collins <robert.collins@dont-contact.us>
Date: Thu, 25 Jan 2001 10:53:46 +1100

Actually HTTP allows new authentication schemes to be defined that do
NOT send the username and password in clear text. RFC 2617 defines one
such mechanism, and Microsoft have been using another - NTLM - for
years. The MS one is broken in some respects, but there is no fundamental
reason that Kerberos proxy authentication cannot be utilised. MS have
built this capability into IIS 5, and AFAIK into IE 5.5. It's probably a
good research topic to see what they've done.

There are specifications for adding Kerberos as a session key / key
exchange method for TLS, but that doesn't help on straight HTTP.

Finally, any authentication method that is not easily hacked on a LAN
will require either a) encrypted data links (i.e. IPsec from browser to
proxy) or b) per-request authentication that uses the shared secret and
the URL being requested in a deterministic, non-guessable fashion.

So authenticating to an SSL-encrypted page will not help much.

Rob

> -----Original Message-----
> From: Jai Lamerton [mailto:jlamerto@scu.edu.au]
> Sent: Thursday, 25 January 2001 9:30 AM
> To: Christian Recktenwald
> Cc: squid-users@ircache.net
> Subject: Re: [SQU] Authentication with Kerberos - WARNING
>
>
> Good point. I wonder if there would be a way to authenticate to an SSL
> httpd page and use that auth for squid access. If you follow my drift.
>
> Jai.
>
> On Wed, 3 Jan 2001, Christian Recktenwald wrote:
>
> > On Wed, Jan 03, 2001 at 03:07:25PM +1100, Jai Lamerton wrote:
> > > Hi all,
> > > I was wondering if anyone has tried to get proxy authentication to
> > > work with kerberos?
> >
> > Using Kerberos for proxy auth would circumvent kerberos'
> > security as the login/password are transferred in clear text
> > in HTTP. You will compromise your whole site's security.
> >
> > The only way around this would be using exclusively SSL/TLS to access
> > the cache. I don't know if this is possible - anyone?
> >
> > --
> > Christian Recktenwald   :                           :
> > citecs GmbH             : chris at citecs dot de    : Burgstallstrasse 54
> > Unternehmensberatung fuer : voice +49 711 601 2090 : D-70199 Stuttgart
> > EDV und Telekommunikation : fax +49 711 601 2092   :
> >

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Wed Jan 24 2001 - 17:01:32 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:57:34 MST