RE: [squid-users] Windows Authentication Helper client

From: David Parks <davidparks21_at_yahoo.com>
Date: Fri, 26 Mar 2010 16:32:55 -0600

Just a thought - it's something I haven't implemented, but it might be worth
you looking into (and hey, if it's useful to you let me know):

I did read along the way that you can use SSH to do a port forward to the
proxy server (there are some write-ups on this indexed in google). This
allows you to secure the connection to the proxy.

Although it wasn't specified in those articles, it seems reasonable to
consider the possibility of maintaining user authentication through SSH. You
could even require a client certificate, thus avoiding passwords altogether
while maintaining relative security.

Again, I haven't thought it out completely, just tossing out an idea for you
to look into.

David

-----Original Message-----
From: Matt Richards [mailto:matt_at_mattstone.net]
Sent: Friday, March 26, 2010 4:17 AM
To: squid-users_at_squid-cache.org
Subject: [squid-users] Windows Authentication Helper client

Hello,

Does anybody know of any technique or application that will allow Windows
machines (XP and 7) to authenticate against a proxy when applications don't
support proxy authentication?

What I am looking for is an alternative to Novell's Client Trust. It's an
application that sits in the system tray, and when a user attempts to use the
proxy, the proxy will connect back to the IP address of the requesting
machine on a specific port and talk to the Client Trust application to
establish which user is logged on to the machine.

At the moment we have a number of authentication mechanisms setup, including
Kerberos, NTLM, basic and a web based login form if the machine is not a
member of our domain or logged into a guest account.
This all works well most of the time, but there are a few cases where the
software just fails to work when it tries to connect, while pointing the
machine (IE or the software) at a proxy that doesn't require authentication
works without issue.

It also works if the machine is logged in as our guest user and the user
authenticates to the web form as this doesn't require the software to
authenticate as the proxy knows to map that IP address to the authenticated
user.

I have looked through the internet and thought about this for a while now
and I still haven't really been able to come up with anything that doesn't
involve writing our own application for the workstation and an
authentication helper for squid. My programming skills are basic.

There was one thought I had which was to write scripts to add an entry in a
database (memcache) after a request for a page from a successful login and
then check this database in one of the steps in attempting to identify the
user. I would probably use storeurl_rewrite_program to update the database.
The only issues with this are working out what I would set the timeout to (users
bounce around machines here quite a lot), whether this would slow down the proxy
too much (~120 requests per second for each proxy), and that if the application
is an exam application (downloads content, no network usage for 40 mins
while they answer questions, then uploads the results) it times out
before the upload. Also, for this to work they will have to request
content and successfully authenticate before they will have a cache entry.

Sorry for the long email; if anybody has any ideas I would really like to
hear about them.

Cheers,

Matt.
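The IP-to-user lookup Matt sketches, written as a Squid external_acl_type helper, as an added example (not Matt's code and not part of Squid). It assumes Squid feeds the helper one line per request containing the client address (the %SRC format token) and expects "OK user=<name>" or "ERR" back; the dict-backed SessionMap and the IDLE_TTL value are stand-ins for the memcache store and timeout he describes, and the expiry is refreshed on every hit so an idle exam client is not dropped before its upload.

```python
"""Squid external ACL helper: map a client IP to the user who last logged in
via the web form. Example code; the store is an in-process dict standing in
for memcache (a real deployment needs a store shared with the login script)."""
import sys
import time

IDLE_TTL = 60 * 60  # constructed value: longer than the 40-minute exam gap


class SessionMap:
    """IP -> (user, expiry). Sliding TTL: every successful lookup renews it."""

    def __init__(self, ttl=IDLE_TTL, clock=time.time):
        self.ttl = ttl
        self.clock = clock  # injectable for testing
        self._entries = {}

    def login(self, ip, user):
        """Called by the web-form login script after a successful login."""
        self._entries[ip] = (user, self.clock() + self.ttl)

    def logout(self, ip):
        """Drop the binding, e.g. when a user leaves a shared machine."""
        self._entries.pop(ip, None)

    def lookup(self, ip):
        """Return the user bound to ip (renewing the expiry) or None."""
        entry = self._entries.get(ip)
        if entry is None:
            return None
        user, expires = entry
        now = self.clock()
        if now >= expires:
            del self._entries[ip]  # stale binding: fall through to other auth
            return None
        self._entries[ip] = (user, now + self.ttl)
        return user


def answer(sessions, line):
    """Turn one request line (first field is the client IP) into a reply."""
    fields = line.split()
    user = sessions.lookup(fields[0]) if fields else None
    return f"OK user={user}" if user else "ERR"


def serve(sessions, inp=sys.stdin, out=sys.stdout):
    """Helper main loop: one reply line per request line, flushed each time."""
    for line in inp:
        out.write(answer(sessions, line) + "\n")
        out.flush()


if __name__ == "__main__":
    serve(SessionMap())
```

Squid would invoke it through an external_acl_type line that passes %SRC and then allow requests matching that ACL; the "user=" field lets the match be logged as that user.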
Received on Fri Mar 26 2010 - 22:33:08 MDT

This archive was generated by hypermail 2.2.0 : Sat Mar 27 2010 - 12:00:05 MDT