Re: [squid-users] Negotiate/NTLM authentication caching

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 28 Mar 2010 20:36:41 +1300

Khaled Blah wrote:
> Hi all,
>
> I'm developing an authentication helper (Negotiate/NTLM) for squid and
> I am trying to understand more how squid handles this process
> internally. Most of all I'd like to know how and how long squid caches
> authentication results. I have looked at the debug logs and they show
> that squid seems to do "less caching" for Negotiate/NTLM than it does
> for Basic/Digest authentication. I am wondering whether I can do
> something about this so that a once verified user will only get his
> credentials re-verified after a certain time and not all during. I am
> grateful to any insight the list can give me. Thanks in advance!
>
> Khaled

NTLM does not authenticate a user per-se. It authenticates a TCP link to
some form of account (user being only one type). Squid holds the
authentication credentials for as long as the authenticated TCP link is
open. It challenges the browser on any requests without supplied
credentials, and re-verifies on every new link opened or change in
existing credentials.

Caching NTLM credentials for re-use on TCP links from specific IP
addresses has always been a very risky business. As the world is now
moving further towards NAT and proxy gateways a single IP address can
have multiple requests from multiple clients. This makes caching NTLM
credentials an even worse prospect in future than it is now or ever before.

What we are doing in Squid-3 now is improving the HTTP/1.1 support which
enables TCP links to be held open under more conditions than HTTP/1.0
allows and thus the length of time between credential checks to be
lengthened without losing security.

I can tell you now that any patches to do with caching credentials will
be given some very strict checks even to be considered for acceptance
into Squid.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
   Current Beta Squid 3.1.0.18
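The following Python model is an added illustration of the two behaviours Amos describes above (credentials bound to the TCP link versus credentials cached per client IP); it is not Squid code, the class and function names (ConnectionAuthState, IpKeyedCache, handle_request, nat_scenario) are hypothetical, and the tokens and requests are constructed. It walks two clients sharing one NAT address through the same request sequence and shows where the IP-keyed cache hands one client's identity to the other.

```python
"""Connection-bound (NTLM-style) credential handling versus an IP-keyed
credential cache, and why the latter breaks behind NAT.

Added illustration, not Squid code. All names are hypothetical and the
sample tokens/requests are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Request:
    conn_id: int            # the TCP connection the request arrived on
    client_ip: str          # source address as the proxy sees it (post-NAT)
    creds: Optional[str]    # Proxy-Authorization token, or None if absent


class ConnectionAuthState:
    """Credentials live only as long as the authenticated TCP link.

    A request without credentials is challenged; a new link, or changed
    credentials on an existing link, is re-verified against the helper.
    """

    def __init__(self, verify: Callable[[str], Optional[str]]):
        self._verify = verify
        self._bound: dict[int, tuple[str, str]] = {}   # conn_id -> (token, user)
        self.helper_calls = 0

    def handle_request(self, req: Request) -> str:
        if req.creds is None:
            return "407 challenge"              # no credentials: challenge the client
        bound = self._bound.get(req.conn_id)
        if bound is not None and bound[0] == req.creds:
            return f"200 as {bound[1]}"          # same token on same link: no helper call
        self.helper_calls += 1                   # new link or changed creds: re-verify
        user = self._verify(req.creds)
        if user is None:
            self._bound.pop(req.conn_id, None)
            return "407 challenge"
        self._bound[req.conn_id] = (req.creds, user)
        return f"200 as {user}"

    def connection_closed(self, conn_id: int) -> None:
        self._bound.pop(conn_id, None)           # credentials die with the link


class IpKeyedCache:
    """The risky variant: remember who authenticated from an IP address and
    accept later credential-less requests from that address as that user."""

    def __init__(self, verify: Callable[[str], Optional[str]]):
        self._verify = verify
        self._by_ip: dict[str, str] = {}
        self.helper_calls = 0

    def handle_request(self, req: Request) -> str:
        if req.creds is None:
            user = self._by_ip.get(req.client_ip)
            return f"200 as {user}" if user else "407 challenge"
        self.helper_calls += 1
        user = self._verify(req.creds)
        if user is None:
            return "407 challenge"
        self._by_ip[req.client_ip] = user
        return f"200 as {user}"


# Constructed helper: maps opaque tokens to account names.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


def verify(token: str) -> Optional[str]:
    return TOKENS.get(token)


def nat_scenario(policy) -> list[str]:
    """Alice and Bob sit behind one NAT address (constructed 203.0.113.10).
    Alice authenticates on connection 1; Bob then opens connection 2 and
    sends a request carrying no credentials at all."""
    nat_ip = "203.0.113.10"
    requests = [
        Request(conn_id=1, client_ip=nat_ip, creds=None),         # alice, first hit
        Request(conn_id=1, client_ip=nat_ip, creds="tok-alice"),  # alice answers challenge
        Request(conn_id=1, client_ip=nat_ip, creds="tok-alice"),  # alice, same link again
        Request(conn_id=2, client_ip=nat_ip, creds=None),         # bob, new link, no creds
    ]
    return [policy.handle_request(r) for r in requests]


if __name__ == "__main__":
    for policy in (ConnectionAuthState(verify), IpKeyedCache(verify)):
        print(type(policy).__name__, nat_scenario(policy), "helper calls:", policy.helper_calls)
```

The connection-bound store answers Bob's fourth request with a challenge and asks the helper only once for the whole sequence; the IP-keyed cache re-verifies Alice on every request that carries a token, yet serves Bob's credential-less request as Alice, which is exactly the NAT collision the reply warns about.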