Re: [squid-users] out-of-band authentication (like ident but better)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 03 Sep 2014 00:56:25 +1200

On 2/09/2014 10:02 p.m., James Harper wrote:
> I mentioned at the tail of another email, I'd like to see a better
> out-of-band authentication protocol than ident. Such a protocol
> would have:
>
> - a single connection from squid over which all identification
>   requests travel. Not one connection per request as with ident.
> - two way authentication (psk or certificate)
> - encryption (tls)
> - full connection description (src ip, src port, dst ip, dst port) so
>   that interception proxy works (ident only exchanges port numbers)
> - optional reverse connection (client connects to squid rather than
>   squid connecting to client - only useful for a single proxy server
>   but means no firewall exceptions on the client)
> - probably still use port 113 (not that it really matters...)
>
> Does such a thing exist already?

The "external" ACL type runs a (or several) helper programs on
persistent connections which perform arbitrary out-of-band operations
and return to Squid the authorization approval to allow/deny the
transaction.

There is Negotiate authentication. The security tokens are set up
out-of-band and used securely in-band.

I also have a patch implementing OAuth 2.0 Bearer authentication for
Squid, although it needs some polishing, and clients supporting
proxy-auth Bearer still seem to be a rarity. Sponsorship welcome to
get those final steps completed.

Amos
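To show how the "external" ACL route Amos points to carries the full connection description the original poster asked for, here is an added example helper that is not part of this thread or of Squid itself. It assumes a hypothetical squid.conf entry `external_acl_type conn_ident ttl=60 concurrency=10 %SRC %SRCPORT %DST %PORT /usr/local/bin/conn_ident.py` (the format tokens are Squid 3.x ones), and a constructed identity table standing in for whatever out-of-band mechanism populates it.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper (added example, not from the thread).

With concurrency=N, Squid writes one request line per lookup on stdin:
    <channel-id> <src-ip> <src-port> <dst> <dst-port>
and expects exactly one reply line per request on stdout:
    <channel-id> OK user=<name>      (allow, with identity for logging)
    <channel-id> ERR                 (deny)
Replies may arrive out of order; the channel ID pairs reply to request.
"""
import sys

# Constructed identity table: connection 4-tuple -> authenticated user.
# A real deployment would fill this from a trusted out-of-band source.
IDENTITY_TABLE = {
    ("192.0.2.10", "51234", "198.51.100.5", "80"): "alice",
    ("192.0.2.11", "40001", "198.51.100.5", "443"): "bob",
}


def handle_request(line, table=IDENTITY_TABLE):
    """Return the reply line for one request. Anything unexpected is ERR
    (fail closed): a malformed line, an unknown connection, or a user
    name that could break the one-line reply grammar."""
    fields = line.strip().split()
    if not fields:
        return "ERR"  # nothing to address a channel with; deny
    channel = fields[0]
    if len(fields) != 5:
        return f"{channel} ERR"
    user = table.get(tuple(fields[1:]))
    # Whitespace in a value would need quoting in the reply; refuse it
    # rather than emit a reply Squid might parse differently.
    if user is None or any(ch.isspace() for ch in user):
        return f"{channel} ERR"
    return f"{channel} OK user={user}"


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_request(line) + "\n")
        sys.stdout.flush()  # Squid blocks on each reply; never buffer


if __name__ == "__main__":
    main()
```

Because Squid caches each verdict for `ttl` seconds, a mapping that changes while an entry is cached is not re-checked until it expires, so keep the ttl short for identities tied to short-lived connections.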

Received on Tue Sep 02 2014 - 12:56:38 MDT