RE: [SQU] authenticationing

From: Robert Collins <robert.collins@dont-contact.us>
Date: Thu, 16 Nov 2000 12:42:53 +1100

Here's how it goes. (I really really must write some FAQ doco for the
ntlm branch.) In fact I'll write the body of this as a backgrounder...
So please excuse the waay back starting point.

Firstly the background to squid and authentication:

HTTP authentication works with two distinct sets of servers:
* Origin servers
* Proxy servers

For each server type, only a single authentication set can be used in
any one request, for any given URI. This means that within http you
_cannot_ have a different username for two proxies in a row.
* Intercepting proxies (a.k.a. transparent proxies) cannot use
proxy-authentication because the client _thinks_ that the challenging
server is the origin server not the proxy server (which it doesn't know
exists).

HTTP defines multiple authentication _schemes_. When a server challenges
a client to authenticate it offers a list of schemes, and the client
chooses the scheme it wants to use to login. (The client _should_ choose
the most secure scheme it understands). The client then presents a
single authentication header to that server with the user's credentials
(encoded under that authentication scheme).

How does squid work with this?

Squid can act as the origin server (for www acceleration) and prompt for
authentication. More commonly though squid acts as a standard proxy and
prompts for proxy-authentication.

In the standard squid branch(s) squid challenges with a single
authentication scheme (Basic) when it is checking a proxy_auth acl. You
can only define one helper for a given authentication scheme. (If you
had more than one helper there is no way to tell which helper to use.)

In the ntlm squid branch squid
* Only challenges with an authentication scheme if
  a) a helper for that scheme is defined
  b) the request needs to be checked against a proxy_auth acl
* Supports the
  basic authentication scheme and the
  ntlm authentication scheme

What if one scheme denies the user, can they try the other?
Yes and no :-/. Squid has _no_ control over what schemes a client may
try. It does offer the schemes that it supports (and has helpers defined
for), and most clients should present a user password box for the user
if the login fails the first time.
However having said that, MSIE will NOT switch to basic authentication
if NTLM is offered as a challenge. It will offer a user/password/domain
dialog box though.

How do I get squid-ntlm?
Use CVS and download it from the sourceforge cvs repository (see
http://squid.sourceforge.net). There is no daily snapshot happening at
the moment. If you don't have access to cvs (it is free software and
available on (AFAIK) every platform that squid runs on) then download
the patch (see http://squid.sourceforge.net/projects.html) and apply
that to the latest squid 2.4 daily snapshot. It should apply cleanly.

What do I need to do to build it?
* Run autoconf and autoheader in the root of the source tree.
* If you got the source via cvs unpack the icons -
  cd icons
  sh ./icons.shar

You are now ready to treat it like a standard download of the squid
source.
When you run the configure script, use --enable-ntlm-auth-modules=
option to compile one or more NTLM authentication helpers. (You can only
use one at a time, but building the different ones will give you some
flexibility for testing).
If you want to use Basic authentication at the same time (say for
Netscape or Lynx users) use --enable-auth-modules= option to compile an
appropriate basic auth module for your environment.

No other special options are needed.

Configuring squid-ntlm - how do I _use it_.
If you are migrating from an older squid.conf file, you will not see the
new options. Look in squid.conf.default and you will see three new
config options:
# authenticate_program_ntlm
# authenticate_children_ntlm 5
# authenticate_cache_garbage_interval 1 hour

To enable ntlm authentication you _must_ set the
authenticate_program_ntlm. It works the same way as
authenticate_program. Set the path to the helper, and any command line
parameters the helper needs.

Most users will _not_ need to tune the garbage collection interval. This
means *DO NOT TOUCH*.

You also need to set a proxy_auth acl and have it listed in at least one
http_access line. NTLM-retrieved usernames are returned in the form
domain\username. Note that this is in lower case.

---- end of draft faq----

So Rick, to answer your question:
Yes it's true that you cannot use two auth_modules at once. However you
CAN use an auth_module (basic scheme) and a ntlm_auth_module (ntlm
scheme) at once.

Fallback is up to the client however.

Consider this (I am not going to type 5 header line extracts, so I am
just going to paraphrase http...)
Client (GET): I want http://someurl
Squid (407): Who are you? Tell me using Basic or NTLM
Client (GET): Using Basic I am john:doe.

At this point squid will reject the credentials, or accept them, and
then reject or allow the request based on the ACL. If the credentials
get rejected squid sends
Squid (407): Who are you? Tell me using Basic or NTLM
again. So it's 100% up to the client to retry with basic, retry with NTLM
or just give up.

The different schemes use different data. Squid CANNOT try to login
using a basic scheme helper if an NTLM based request fails to login (and
vice versa).

Rob

> -----Original Message-----
> From: Rick Francis [mailto:rfrancis@mindspring.com]
> Sent: Thursday, 16 November 2000 10:48 AM
> To: squid-users@ircache.net
> Subject: [SQU] authenticationing
>
>
> if you will respond -
>
> i want to configure squid to use the ntlm module; what
> exactly do i need to
> do this and where can i get them.
>
> i've tried sourceforge and squid-cache.org without any direct answer.
>
> also, it is true that i cannot use two auth_modules
> simultaneously, such
> that pam_auth would kick in when auth_ntlm is not detected or fails??
>
> thank you much, rf.
>
> --
> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
>
>
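The 407 exchange Robert paraphrases above, modelled as an added example with both sides' messages; this is not code from the thread or from squid. The proxy offers only the schemes it has a helper for, re-challenges with the same list whenever credentials are rejected or arrive under a scheme it cannot check, and leaves any retry entirely to the client. Names such as Proxy, verify_basic, run_exchange and the credential store BASIC_USERS are constructed for illustration, as is the NTLM token used in the usage note.

```python
"""Added example (not from the original thread): a toy model of the
proxy-authentication exchange described in the mail. Proxy, verify_basic,
run_exchange and BASIC_USERS are illustrative names, not squid's API."""
import base64
from dataclasses import dataclass, field

# Constructed credential store standing in for a basic-scheme helper
# (an ncsa_auth / pam_auth style program). Values are illustration only.
BASIC_USERS = {"john": "doe"}


@dataclass
class Response:
    status: int                      # 407 = challenge, 200 = request allowed
    headers: dict = field(default_factory=dict)


def verify_basic(credentials):
    """Basic scheme data is base64("user:password"). A malformed token is
    rejected rather than raising, so bad input just yields another 407."""
    try:
        decoded = base64.b64decode(credentials, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    return BASIC_USERS.get(user) == password


def basic_authorization(user, password):
    """Client side: build the Proxy-Authorization value for the Basic scheme."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


class Proxy:
    """Challenges only with schemes that have a helper defined, as the
    ntlm branch does; one Proxy-Authenticate value per offered scheme."""

    def __init__(self, helpers):
        self.helpers = helpers       # scheme name -> verification helper

    def challenge(self):
        return Response(407, {"Proxy-Authenticate": list(self.helpers)})

    def handle(self, request_headers):
        auth = request_headers.get("Proxy-Authorization")
        if auth is None:
            return self.challenge()
        scheme, _, credentials = auth.partition(" ")
        verify = self.helpers.get(scheme)
        # Each scheme's data can only be checked by that scheme's helper:
        # there is no server-side fallback from one scheme to another, so
        # an unhelped scheme or rejected credentials just get re-challenged.
        if verify is None or not verify(credentials):
            return self.challenge()
        return Response(200)


def run_exchange(proxy, attempts):
    """Client side of the exchange: an unauthenticated request first, then
    each Proxy-Authorization value in `attempts` while 407s keep coming.
    Returns the sequence of status codes the client saw."""
    statuses = []
    resp = proxy.handle({})
    statuses.append(resp.status)
    for header in attempts:
        if resp.status != 407:
            break
        resp = proxy.handle({"Proxy-Authorization": header})
        statuses.append(resp.status)
    return statuses


if __name__ == "__main__":
    proxy = Proxy({"Basic": verify_basic})
    # Wrong password, then the right one: 407, 407, 200.
    print(run_exchange(proxy, [basic_authorization("john", "wrong"),
                               basic_authorization("john", "doe")]))
    # NTLM data (constructed placeholder token) sent to a proxy with only a
    # basic helper cannot be checked by it, so the challenge is repeated.
    print(run_exchange(proxy, ["NTLM placeholder-token"]))
```

Running the block shows `[407, 407, 200]` for the Basic retry and `[407, 407]` for the NTLM attempt against a Basic-only proxy, which is the "fallback is up to the client" point: the proxy never translates one scheme's data into another helper's input.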

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Wed Nov 15 2000 - 18:48:02 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:56:24 MST