Re: [squid-users] squid and authentication

From: Amos Jeffries <>
Date: Fri, 10 Aug 2012 17:41:55 +1200

On 10/08/2012 5:59 a.m., Eugene M. Zheganin wrote:
> Hi.
> I'm using squid for more than 10 years for now.
> I wrote a couple of articles about it.
> But there are still some basic things about it that I don't understand.
> Or, I don't know, some things about proxy authentication.
> I know I will look silly, but I still decided to ask.
> I decided to ask here, not because I'm sure it's a squid issue (I
> guess it's not) but because I think you guys have answered a lot of
> stupid questions "why my authentication does'nt work".
> So. I imagine I have set up some authentication schemes. Basic, NTLM,
> doesn't matter.

Yes it does. The model for thos two types of auth is *extremely*
different, and affects things such as where credentials can be located,
stored, or re-used. Which all have a great affect on the behaviour.

> Imagine I have mozilla on some UNIX operating system. I launch it, I
> see that it's NTLM since it doesn't show the realm (and basic of
> course does) then I enter my credentials (I guess it's okay for unix,
> as mozilla on windows domain machine doesn't ask for it, so it must be
> some issue in NTLM/mozilla/samba or whatever), then it's okay until
> some point. But sooner or later Firefox (and Mozilla previously) will
> reask about my credentials. This happens a lot on UNIX OSes, and
> mostly with Mozilla. This happens though with Chrome, but not that often.
> What is it ? How long the credentials do stay in squid's cache ?

There are several caches involved. The OS (where Basic vs NTLM matters),
Mozillas, Squids credential cache (where Basic vs NTLM matters), and
Squid helper lookup cache, any backend authentication system caches
(PAM, SASL, LDAP, etc may use some).

As you can see the OS and Squid have scheme-specific limitations.

> I know about 'credentialsttl' for basic scheme, but there's no such
> option for NTLM. I've read the RFC 2617 and I dumped the HTTP sessions
> of client browsers with my proxy, but I didn't find the answer on a
> question "why the authentication popup reappears" - the RFC says
> nothing about reasking or keeping the explicit cache. One more
> question - why the browser cannot simply and silently resend the
> authentication, - all the browsers I've seen show the authentication
> popup again, so I think this is some common approach and not the
> browser developer conspiracy.

They can. The popup is a browser GUI feature, there is no spec. It only
means that Squid asked for credentials, and the browser did not know
what to supply.

That might be because the browser has several options available and
can't choose. Or that somehow it believes the ones its got wont work. Or
that it cant find any.

The scheme-specific difference at the Squid end of the connection
determine what happens there.

Making a request (new connection - no credentials given):
  * NTLM credentials are requested from the browser and the multi-legged
auth sequence started when it responds with stage-1 credentials.
  * Basic credentials a shared cache is used to only re-validate
credentials after that credentialsttl timeout.

Making a request (new connection - WITH new credentials given):
  * NTLM Squid checks the helper to verify the token and uses its output
to determin whether to accept or continue the multi-legged auth sequence
  * Basic Squid checks the helper to verify the token.

After validation the credentials get stored by Squid:
  * NTLM credentials are linked to a connection and last as long as that
connection is alive. It is a form of caching, but without any fixed TTL.
And does not permit TCP connection 1 to re-use credentials from
connection 2 etc.
  * Basic credentials a shared cache of known credentials. Has a fixed
TTL. Any request from any connection may replay trusted credentials and
be accepted.

The browser is required to re-send the auth token on every request
regardless of scheme:
  * NTLM checks that it is unchanged from what got attached to the
connection. Aborts the connection with an auth re-challenge if it has.
  * Basic does a full validation (short-circuited by the Squid users
cache). Performing an auth re-challenge if it is unknown credentials.

Each credentials has a TTL:
  * NTLM this is connection closure so they are just erased.
  * Basic re-validates the credentials token with the backend helper.
The client/browser is only informed (via auth challenge) if the
credentials fail to validate at this point.

... well when its working properly anyway.

As you can see Squid only challenges until specific circumstances. One
of these is happening when the browser logics end with a popup.

Received on Fri Aug 10 2012 - 05:42:10 MDT

This archive was generated by hypermail 2.2.0 : Fri Aug 10 2012 - 12:00:02 MDT