[squid-users] pam_auth errors from squid

From: Brian J. Murrell <brian@dont-contact.us>
Date: Thu, 11 Oct 2007 08:38:00 -0400

I seem to have a plethora of pam_auth errors originating from the
account that my squid3 (3.0.RC1) server is using. For example:

04:17:18 (pam_auth) (pam_unix) authentication failure; logname= uid=13 euid=13 tty= ruser= rhost= user=brian
04:23:35 (pam_auth) (pam_unix) authentication failure; logname= uid=13 euid=13 tty= ruser= rhost= user=brian
04:47:18 (pam_auth) (pam_unix) authentication failure; logname= uid=13 euid=13 tty= ruser= rhost= user=brian

I'm assuming that these are somehow related to the authentication that I
have configured my squid3 to require. I have my auth_param settings as
follows:

auth_param basic program /usr/lib/squid3/pam_auth
auth_param basic children 1
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

Which should, via pam, authenticate the user against my Kerberos
database.

Interestingly enough, a read through the squid_pam_auth manpage suggests
that without a "-s"[1] argument squid3 will use the "squid" service
name, however I don't have a "squid" service defined in my pam
configuration:

# ls /etc/pam.d/
chfn common-account common-password cron lmtp other quagga sieve su
chsh common-auth common-session imap login passwd samba ssh sudo

So I'm not even sure how that authentication is working (but it is) at
all.

But back to the pam_auth errors... why would those errors be happening?
I only ever get asked for my proxy password at the start of a browser
session and never again until I close the browser and start again. I
suspect that every 2 hours (as per my config above) the proxy and
browser have to handshake the auth again, but that password shouldn't be
any more wrong than it was the first time, right?

Any ideas?
b.

[1] there is a conflict in the manpage:

       squid_pam_auth [-n "service name"] [-t TTL] [-o] [-1]
...
       -s service-name
              Specifies the PAM service name Squid uses, defaults to "squid"

There is also a speeling error in the manpage:

              specifies how long the connetion will be kept open (in seconds).
                                          ^

-- 
My other computer is your Microsoft Windows server.
Brian J. Murrell

Received on Thu Oct 11 2007 - 06:37:59 MDT
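
An added example, not part of the original post and not code from the Squid project: a small parser for the pam_unix failure lines quoted in the message, which measures the gaps between failures for one user so they can be compared with the configured credentialsttl of 2 hours. The function names, the 5-minute tolerance, and the assumption that all time-only stamps fall on the same day are choices made for this example.

```python
import re
from datetime import datetime, timedelta

# Log lines copied from the post above (time-only stamps, as shown there).
SAMPLE_LOG = """\
04:17:18 (pam_auth) (pam_unix) authentication failure; logname= uid=13 euid=13 tty= ruser= rhost= user=brian
04:23:35 (pam_auth) (pam_unix) authentication failure; logname= uid=13 euid=13 tty= ruser= rhost= user=brian
04:47:18 (pam_auth) (pam_unix) authentication failure; logname= uid=13 euid=13 tty= ruser= rhost= user=brian
"""
CREDENTIALS_TTL = timedelta(hours=2)  # "auth_param basic credentialsttl 2 hours"

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) \((?P<prog>[^)]+)\) \((?P<module>[^)]+)\) "
    r"authentication failure; (?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # values such as rhost= may be empty

def parse_failures(text):
    """Return one dict per 'authentication failure' line; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = dict(FIELD_RE.findall(m.group("fields")))
        event.update(prog=m.group("prog"), module=m.group("module"),
                     time=datetime.strptime(m.group("time"), "%H:%M:%S"))
        events.append(event)
    return events

def failure_gaps(events, user):
    """Gaps between consecutive failures for one user (same-day log assumed)."""
    times = sorted(e["time"] for e in events if e.get("user") == user)
    return [later - earlier for earlier, later in zip(times, times[1:])]

def gaps_match_ttl(gaps, ttl=CREDENTIALS_TTL, tolerance=timedelta(minutes=5)):
    """True only if every gap lies within tolerance of a whole multiple of ttl."""
    def near_multiple(gap):
        n = round(gap / ttl)
        return n >= 1 and abs(gap - n * ttl) <= tolerance
    return bool(gaps) and all(near_multiple(g) for g in gaps)

if __name__ == "__main__":
    gaps = failure_gaps(parse_failures(SAMPLE_LOG), "brian")
    print([str(g) for g in gaps], "TTL-aligned:", gaps_match_ttl(gaps))
```

On the three lines quoted in the post, the gaps between failures are about 6 and 24 minutes.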
