[SQU] SUMMARY: Proxy Authentication Issues from HUNT

From: HUNT_STEVE <HUNT_STEVE@dont-contact.us>
Date: Fri, 2 Mar 2001 09:33:32 -0800

Thank you all for your suggestions.

I want to use Squid to allow authenticated users from outside our network to
relay traffic through our IP address space, so that they may access
IP-restricted information resources maintained by third parties. E.g.:
encyclopedias, magazine article databases. These third parties aren't
running https, and they want us to authenticate the users, they don't want
to do it themselves.

I have not looked at IPSec before, as Henrik suggests. I'm not sure if I
can use it to do what I want to do.

Here is a link from the Linux FreeS/WAN project (an implementation of IPSEC
& IKE for Linux. "IPSEC is Internet Protocol SECurity. It uses strong
cryptography to provide both authentication and encryption services."
http://www.xs4all.nl/~freeswan/

Jason Haar said "Basic plus switched network - end of problem! ;-)"
I do have a switched network here in our LAN, but these users are coming
into our proxy server from ISPs. So I don't think I can rest easy.

Jim Drash said that SecurID works great, but it is apparently a commercial
product. I can't buy licenses for 30,000 students!

So it seems there is no cheap (free) secure way to do this?

Henrik Nordstrom wrote:

> > > Alternatives to Basic Authentication include SSL-encrypted Basic
> > > Authentication, NTLM (NTCR) authentication, and Digest
> authentication.
> > Each
> > > of these has problems also.
> >
> > Yes.
>
> No. SSL-encrypted Basic authentication is not an real option for
> proxies.
>
> What is an option for proxies is to use a separate login
> method outside
> the HTTP protocol. In most cases this is limited to IP based access
> control.
>
> Or as you say, set up secure tunnels for the traffic between
> the clients
> and the proxy, using IPSec or any other secure tunelling method.
>
> Playing with cookies might be an option, but not when contacting https
> services. And still (if you manage to find a way to securely
> set up the
> session without having to lower the cookie security in the
> browser) you
> will have at least a recoverable session key that is transferred in
> "plain text" on the net.
>
> --
> Henrik Nordstrom
> Squid hacker

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html

Received on Fri Mar 02 2001 - 10:34:39 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:58:28 MST