RE: [squid-users] Trying to authenticate a user only once per working day

From: Mike Marchywka <marchywka_at_hotmail.com>
Date: Sun, 20 Dec 2009 08:15:06 -0500

----------------------------------------
> Date: Sun, 20 Dec 2009 23:41:14 +1300
> From: squid3_at_treenet.co.nz
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Trying to authenticate a user only once per working day
>
> Rodrigo Castanheira wrote:
>> Hi,
>>
>> I wish to authenticate (NTLM) our users only once per working day:
>>
>> authenticate_ip_shortcircuit_ttl 8 hours
>>
>> When the user browses for the first time, he will be authenticated and his
>> IP will be cached so that, for the next 8 hours, Squid believes that
>> requests coming from this IP belong to that user. Now comes the tricky part:
>> if that user logs off and somebody else logs in before those 8 hours expire,
>> Squid would mistakenly associate the same IP with the previous identity.
>
Any way to use cookies here?

> This is the downside of IP-based authorization. (NOTE: this is NOT
> authentication).
>
>> As
>> our IE browsers are pre-configured with a standard home page, and the new
>> user couldn't avoid opening it before being able to go elsewhere, I tried
>> enforcing (re)authentication for the home page:
>>
>> acl HOME_PAGE url_regex -i homepage.intranet
>> authenticate_ip_shortcircuit_access deny HOME_PAGE
>>
>> It didn't work.
>> Does authenticate_ip_shortcircuit_access accept only IP ACLs?
>>
>
> One of the benefits of NTLM is that Windows can be configured to do it
> without generating the authentication popups ("single sign-on"). That is
> the best way to configure what you want. If you set it up that way the
> IP-based bypass does not need to be long.
>
> The short-circuit setting is a very risky bypass to reduce load on slow
> or overloaded auth servers. As you have seen, it allows people to
> trivially access resources under some other person's accounts. The longer
> it's set to, the more security risk you face.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
> Current Beta Squid 3.1.0.15
Received on Sun Dec 20 2009 - 13:15:13 MST
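
Added example (not part of the original thread, and not Squid's code): a simplified Python model of the IP short-circuit cache discussed above, replaying a constructed request timeline to count how many requests get logged under the previous user for a given TTL. It assumes a cache entry expires a fixed TTL after the authentication that created it; the IP addresses, user names and times are constructed.

```python
from datetime import datetime, timedelta


def replay(requests, ttl):
    """Replay (time, ip, real_user) requests through a simplified IP
    short-circuit cache; return the requests logged under the wrong user.

    Assumption: an entry is created by a full authentication and expires a
    fixed `ttl` later. While it is live, the cached name is trusted and no
    authentication takes place.
    """
    cache = {}            # ip -> (username, expiry time)
    misattributed = []
    for when, ip, real_user in sorted(requests):
        entry = cache.get(ip)
        if entry and when < entry[1]:
            logged_as = entry[0]        # short-circuit: identity taken from the IP
        else:
            logged_as = real_user       # full handshake identifies the real user
            cache[ip] = (real_user, when + ttl)
        if logged_as != real_user:
            misattributed.append((when, ip, real_user, logged_as))
    return misattributed


def sample_requests():
    """Constructed timeline: alice logs off and bob logs in on the same
    workstation at 13:00; carol works on a different machine all day."""
    day = datetime(2009, 12, 21)

    def at(hour, minute):
        return day + timedelta(hours=hour, minutes=minute)

    return [
        (at(9, 0), "10.0.0.15", "alice"),
        (at(9, 30), "10.0.0.15", "alice"),
        (at(12, 58), "10.0.0.15", "alice"),
        (at(13, 0), "10.0.0.15", "bob"),
        (at(13, 1), "10.0.0.15", "bob"),
        (at(15, 30), "10.0.0.15", "bob"),
        (at(9, 5), "10.0.0.16", "carol"),
        (at(14, 0), "10.0.0.16", "carol"),
    ]


if __name__ == "__main__":
    for label, ttl in [("8 hours", timedelta(hours=8)),
                       ("5 minutes", timedelta(minutes=5)),
                       ("0 (disabled)", timedelta(0))]:
        wrong = replay(sample_requests(), ttl)
        print(f"ttl={label}: {len(wrong)} request(s) logged under the wrong user")
```
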