RE: [squid-users] NTLM effect on access.log

From: Robert Collins <robert.collins@dont-contact.us>
Date: 30 Oct 2001 10:35:13 +1100

On Tue, 2001-10-30 at 10:09, Tony Melia wrote:
> Robert - can you explain what exactly the 2 denied are for, what they do?
> Also the suggestion of a configure option to get rid of one of them will at
> least cut access.log size down by 33% so it would be good to see that.

Sure, but it won't happen pre 2.6. NTLM needs to have any remaining bugs
ironed out before I'll consider such a hack.

The 2 deny entries are a result of the MS CHAP protocol - see
http://devel.squid-cache.org/ntlm. It also includes notes on what the
various authenticators do, and the helper API and NTLM over http
protocols.

> There seems to be a lack of 'easy to follow' documentation on NTLM, with a
> clear distinction between nocheck, fakeauth, NTLMSSP etc.

I'm really not sure there is any special doco needed to setup NTLM.

I mean,
* the acl configuration is identical.
* the squid.conf.default documents all the in-squid options.
* The --enable-fail-open configure option is a known security hole and
not recommended therefore.
* The default ntlm options in squid.conf.default should be fine and
correct for most sites.
* The ntlmssp helper is self documenting (run with --help).
* The fakeauth and no_check helpers are exactly what they claim to be.
One fakes authentication, and one doesn't check. In fact, they are the
same thing, but one is C and one is perl.

The draft FAQ at the website I referenced above will be cleaned up and
updated and included in the main squid FAQ before 2.5 goes STABLE.

> I am thinking of writing a howto document on setting up NTLM authentication
> from scratch, would people be interested in having this available, or is it
> just me who thinks the documentation is difficult to follow?

More doco is welcome, feel free. If you write something, please be
willing to have it included in the squid FAQ/Manual (otherwise it will
simply split up the available doco resources for folk, and that's not a
good thing.)

Rob
Received on Mon Oct 29 2001 - 16:31:34 MST
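
The following is an added example, not part of the original message and not Squid code: a Python sketch that measures how much of an access.log consists of the NTLM handshake denials discussed above, and lists clients that were challenged but never authenticated. It assumes Squid's native log format with the handshake logged as TCP_DENIED/407; the sample lines, addresses and user names are constructed.

```python
from collections import defaultdict

# Constructed sample in Squid native access.log format (assumed field order):
# time elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1004398513.101 2 192.0.2.10 TCP_DENIED/407 1690 GET http://example.com/ - NONE/- text/html
1004398513.140 1 192.0.2.10 TCP_DENIED/407 1802 GET http://example.com/ - NONE/- text/html
1004398513.420 250 192.0.2.10 TCP_MISS/200 5120 GET http://example.com/ alice DIRECT/192.0.2.80 text/html
1004398514.010 3 192.0.2.10 TCP_HIT/200 812 GET http://example.com/a.gif alice NONE/- image/gif
1004398520.300 2 192.0.2.11 TCP_DENIED/407 1690 GET http://example.org/ - NONE/- text/html
1004398520.350 1 192.0.2.11 TCP_DENIED/407 1802 GET http://example.org/ - NONE/- text/html
1004398520.900 1 192.0.2.11 TCP_DENIED/407 1690 GET http://example.org/ - NONE/- text/html
1004398530.000 1 192.0.2.12 TCP_DENIED/403 1400 GET http://example.net/ bob NONE/- text/html
"""

def parse_line(line):
    """Return the fields this analysis needs, or None for a malformed line."""
    fields = line.split()
    if len(fields) < 10:
        return None
    code, _, status = fields[3].partition("/")
    return {"client": fields[2], "code": code, "status": status, "user": fields[7]}

def summarize(log_text):
    """Count 407 challenge entries and find clients that never authenticated."""
    challenges = defaultdict(int)   # client -> number of TCP_DENIED/407 entries
    authenticated = set()           # clients with at least one named-user entry
    total = 0
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        total += 1
        if entry["code"] == "TCP_DENIED" and entry["status"] == "407":
            challenges[entry["client"]] += 1
        elif entry["user"] != "-":
            authenticated.add(entry["client"])
    n407 = sum(challenges.values())
    return {
        "total": total,
        "auth_407": n407,
        "share_407": n407 / total if total else 0.0,
        # Challenged repeatedly but no authenticated request: worth a look.
        "never_authenticated": sorted(c for c in challenges if c not in authenticated),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The 403 entry is an ACL denial for an already authenticated user, so it is not counted as handshake overhead.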
