Re: [squid-users] NTLM - log failed authentications

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 05 Nov 2009 17:40:06 +1300

Alejandro Bednarik wrote:
> Hi all! I am using Squid 2.6.STABLE18 and I need to log
> failed authentication attempts, or at least some info to look at. I
> noticed that NTLM doesn't log the username if it fails; ldap_auth does,
> so I can parse the log to find something like TCP_DENIED/407, a
> low ts value and a username to find a possible login attempt. Is there
> any way I can do something about this when Squid uses NTLM to authenticate
> the user?

Squid always logs the username when it's available.

NTLM is an authentication mechanism that does not use usernames. It
passes around encoded binary hashes instead.

I think you need to change your concept a little bit. The real
identifier of whether a request is a login attempt is whether the
browser has included a Proxy-Authorization: header.

You can log that by adding %{Proxy-Authorization}>h to the log format if
you like. However, be aware that a username cannot be derived from
the hash, and one username has multiple hashes over time.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
   Current Beta Squid 3.1.0.14
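Added example (not part of the thread, and not Squid project code): a small Python analyser that works the way Amos suggests, treating a 407 that carries a Proxy-Authorization header as a login attempt, without trying to recover usernames from NTLM tokens. It assumes access.log was written with the Squid 2.6 default "squid" logformat plus %{Proxy-Authorization}>h appended as a final field (the squid.conf lines in the comment are an assumption, not from the post), and the log lines and NTLM tokens below are constructed sample data. It goes one step beyond the post by decoding the NTLMSSP message-type field: a 407 answering a Type 1 (negotiate) message is the normal handshake, whereas a 407 answering a Type 3 (authenticate) message means the offered credentials were rejected, which is the "failed authentication" signal the question asked for.

```python
import base64
import struct
from collections import Counter

# Assumed squid.conf (hypothetical, not from the original post) producing the
# format parsed below; %{Proxy-Authorization}>h is the field Amos suggests:
#   logformat authlog %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt %{Proxy-Authorization}>h
#   access_log /var/log/squid/access.log authlog

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}


def ntlm_token(msg_type: int) -> str:
    """Build a minimal constructed NTLMSSP message (signature, little-endian
    type field, zero padding) and base64-encode it as it would appear in a
    Proxy-Authorization header. Sample data only, not a real client token."""
    raw = NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 20
    return base64.b64encode(raw).decode("ascii")


def parse_ntlm_type(token: str):
    """Return the NTLM message type (1, 2 or 3) from a base64 token, or None
    when the token is not a well-formed NTLMSSP message."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIGNATURE):
        return None
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    return msg_type if msg_type in NTLM_TYPES else None


def parse_line(line: str):
    """Split one access.log line into the fields this analyser needs.
    The first ten fields are the default 'squid' format; everything after
    them is the logged Proxy-Authorization value ('-' when absent)."""
    parts = line.split(None, 10)
    if len(parts) < 10:
        return None
    status = int(parts[3].split("/")[1]) if "/" in parts[3] else 0
    header = parts[10] if len(parts) == 11 else "-"
    scheme, token = "-", ""
    if header != "-":
        scheme, _, token = header.partition(" ")
    return {"ts": parts[0], "client": parts[2], "status": status,
            "user": parts[7], "scheme": scheme.upper(), "token": token}


def classify(rec) -> str:
    """Label a record from a defender's point of view:
    challenge       407 with no credentials offered (normal first round trip)
    ntlm-handshake  407 answering an NTLM Type 1 (expected: Squid returns Type 2)
    auth-failed     407 answering an NTLM Type 3 or a Basic token (rejected)
    auth-ok         non-407 response on a request that carried credentials
    malformed/other anything else"""
    if rec["status"] != 407:
        return "auth-ok" if rec["scheme"] != "-" else "other"
    if rec["scheme"] == "-":
        return "challenge"
    if rec["scheme"] == "NTLM":
        msg_type = parse_ntlm_type(rec["token"])
        if msg_type == 1:
            return "ntlm-handshake"
        if msg_type == 3:
            return "auth-failed"
        return "malformed"
    if rec["scheme"] == "BASIC":
        return "auth-failed"
    return "other"


def summarize(log_text: str):
    """Count classifications per client address: {client: Counter}."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            summary.setdefault(rec["client"], Counter())[classify(rec)] += 1
    return summary


def flag_clients(summary, threshold: int = 3):
    """Clients whose rejected-credential count reaches the threshold,
    sorted by count descending: [(client, count), ...]."""
    hits = [(c, n["auth-failed"]) for c, n in summary.items()
            if n["auth-failed"] >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


# Constructed sample log: 10.0.0.5 completes a normal NTLM handshake;
# 10.0.0.9 has three NTLM Type 3 messages and one Basic token rejected.
_BASE = "TCP_DENIED/407 1893 GET http://example.com/ - NONE/- text/html"
SAMPLE_LOG = "\n".join([
    f"1257396000.123     12 10.0.0.5 {_BASE} -",
    f"1257396000.456     15 10.0.0.5 {_BASE} NTLM {ntlm_token(1)}",
    f"1257396001.001    340 10.0.0.5 TCP_MISS/200 5120 GET http://example.com/ jdoe DIRECT/192.0.2.10 text/html NTLM {ntlm_token(3)}",
    f"1257396010.000      8 10.0.0.9 {_BASE} NTLM {ntlm_token(1)}",
    f"1257396010.050      9 10.0.0.9 {_BASE} NTLM {ntlm_token(3)}",
    f"1257396010.120      9 10.0.0.9 {_BASE} NTLM {ntlm_token(3)}",
    f"1257396010.200      9 10.0.0.9 {_BASE} NTLM {ntlm_token(3)}",
    f"1257396011.000      7 10.0.0.9 {_BASE} Basic am9lOnh4eA==",
])

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for client, counts in result.items():
        print(client, dict(counts))
    print("flagged:", flag_clients(result))
```

Note that logging Proxy-Authorization puts credential material into access.log (a Basic token is just base64 of the plaintext password), so a log written this way needs the same protection as the password store it effectively duplicates.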
Received on Thu Nov 05 2009 - 04:40:27 MST

This archive was generated by hypermail 2.2.0 : Thu Nov 05 2009 - 12:00:03 MST