Re: Auth TTL bug

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 09 May 2001 08:27:44 +0200

Only thing I know so far is that I ran with my new LDAP auth module, but
the LDAP server was down so the module reported ERR for any attempt to log
in. After this we could not log in with the accounts tried while the
LDAP server was down, but other accounts worked fine.

It is very easily reproducible. To test it I created an authenticator which
echoes the login information to a pty and then always responds with ERR,
and when trying to log in to the proxy the authenticator only receives the
first attempt until either the username or password is different than the
previous request.

Sequence:

test:test sent to the auth helper
test:test NOT sent to the auth helper
test:test NOT sent to the auth helper
test2:test sent to the auth helper
test2:test NOT sent to the auth helper
test2:test2 sent to the auth helper

dummy auth helper used:

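#!/bin/sh
# Log every request the proxy passes to the helper, then always reject it.
while read -r login password; do
    # $$ is the helper's PID, so output from several helpers can be told apart
    echo "$$ $login $password" >>/dev/pty/1
    echo ERR
done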

--
Henrik

Robert Collins wrote:
> I'll look into this, it shouldn't be happening. (Only successful logins
> are added to the auth user cache).
>
> Can you give me an example (ie login with good password, change
> password, can't correct the _now_ incorrect password)
>
> Rob
>
> > -----Original Message-----
> > From: Henrik Nordstrom [mailto:hno@marasystems.com]
> > Sent: Wednesday, May 09, 2001 12:06 AM
> > To: squid-dev@squid-cache.org
> > Subject: Auth TTL bug
> >
> >
> > Hi.
> >
> > There seems to be a small bug in the new proxy_auth cache.
> >
> > In the old code there was no "negative" caching, this because people
> > need to be able to have their password change and quickly get access.
> > Now "bad" logins seem to be negatively cached somehow, making it more
> > or less impossible to correct a bad password.
> >
> > --
> > Henrik
> >
> >
Received on Wed May 09 2001 - 00:27:40 MDT
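
The sequence reported above, replayed against a small model of a per-user credential cache (an added example, not part of the original mail and not Squid's code). The cache layout, the cache_failures switch and all function names are assumptions made for illustration; the thread does not identify the actual cause in Squid.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a per-user credential cache; not Squid's code. */
struct entry { char user[32], pass[32]; int ok, used; };
static struct entry cache[8];
static int helper_calls;               /* requests that reached the helper */

/* Stand-in for the dummy helper in the mail: always answers ERR. */
static int helper(const char *user, const char *pass) {
    (void)user; (void)pass;
    helper_calls++;
    return 0;
}

/* Returns 1 if the request went to the helper, 0 if the cache answered.
 * cache_failures=1 models the reported behaviour, 0 caches only OK. */
static int authenticate(const char *user, const char *pass, int cache_failures) {
    struct entry *e = NULL, *spare = &cache[0];
    for (int i = 0; i < 8; i++) {
        if (!cache[i].used) spare = &cache[i];
        else if (strcmp(cache[i].user, user) == 0) e = &cache[i];
    }
    if (e && strcmp(e->pass, pass) == 0)
        return 0;                      /* same credentials: cached verdict reused */
    int ok = helper(user, pass);
    if (ok || cache_failures) {        /* the only difference between the two modes */
        if (!e) e = spare;
        snprintf(e->user, sizeof e->user, "%s", user);
        snprintf(e->pass, sizeof e->pass, "%s", pass);
        e->ok = ok; e->used = 1;
    }
    return 1;
}

/* Replays the six logins from the mail; out gets 'S' (sent) or '-' per login. */
static int run_sequence(int cache_failures, char out[7]) {
    static const char *logins[6][2] = { {"test","test"}, {"test","test"},
        {"test","test"}, {"test2","test"}, {"test2","test"}, {"test2","test2"} };
    memset(cache, 0, sizeof cache);
    helper_calls = 0;
    for (int i = 0; i < 6; i++)
        out[i] = authenticate(logins[i][0], logins[i][1], cache_failures) ? 'S' : '-';
    out[6] = '\0';
    return helper_calls;
}

int main(void) {
    char pattern[7];
    for (int mode = 1; mode >= 0; mode--) {
        int calls = run_sequence(mode, pattern);
        printf("cache_failures=%d: %s (%d helper calls)\n", mode, pattern, calls);
    }
    return 0;
}
```

With failures cached, the model reproduces the sent / NOT sent pattern listed in the mail; with only OK results cached, every attempt reaches the helper, so a corrected password is checked immediately.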