----- Original Message -----
From: "Henk-Jan Kloosterman" <proxy@mail.kloosterman.org>
To: "Robert Collins" <robert.collins@itdomain.com.au>; "Henrik Nordstrom" <hno@hem.passagen.se>
Cc: <squid-users@ircache.net>
Sent: Saturday, December 23, 2000 10:54 AM
Subject: Re: [SQU] Authenticate problem:
> Robert Collins wrote:
>
> > Henk-Jan,
> > If you are willing to run up a test copy of squid on a spare machine,
> > for you to use (it's not stable code - it is likely to be
> > part of squid 2.5) you could try the auth_rewrite branch of squid. It has
> > a bottom up rewrite of squid's internal authentication
> > mechanisms. I left the basic specifics largely untouched, but I'm more
> > than happy to dig into them.. If you wanted to try it out
> > it's available from http://squid.sourceforge.net/
> >
> > DO NOT replace your current production squid with it. I'm suggesting you
> > run up a local copy and that you test yourself against it
> > to see how it goes.
> >
> > Rob
> I will do that, if it works then: Is it safe to try it in production? I
> also have a "test" production site (I can easily switch, and between
> Christmas and New Year I won't have too many users), so if it works for
> myself tomorrow could I consider taking it in production?
It's Beta quality code. No warranties, no guarantees. It may crash every 3rd request. No, it's not safe, but knowing whether it
solves your problem would give pointers to creating an interim patch for your environment. In reality it is stable for the use I make
of it... but your mileage will vary.
>
> 2. Does it work on a 2.2.STABLE5.1 environment?
No. It's built around squid 2.5.
See my response later in the mail for a little more info.
>
> > Does the user need a challenge to get the password, or do they just type
> > in what's on the token at the time?
>
> They just type in what's on the token at the time.
Cool.
>
> Henrik Nordstrom wrote:
>
> > > Hmm.. maybe there is a proxy_auth cache deficiency there. In theory the
> > > first request carrying the new passphrase would be sent to the
> > > authenticator, but maybe all are until the authenticator returns. Need
> > > to check the code on this.
> > >
>
> >I have, and there sure is a small window when the ttl expires which
> >allows for multiple lookups and possibly even a minor proxy_auth cache
> >inconsistency (minor == might repair itself after a while and should
> >have no bad effects apart from a few extra bytes of memory used).
>
> How would it repair itself? Do I have to do something?
No. Henrik meant the squid innards will notice and fix after a short time.
> >It should be at least 3600 seconds from when the user first was
> >authorized (the proxy_auth helper last returned OK).
>
> Looks like it.
If this is the case then you are seeing expected operation. Each user is being reauthenticated to radius every 3600 seconds.
> >What you can do until a patch is provided is to further upper the TTL,
> >which is probably a good thing anyway as HTTP is not really designed for
> >password changes like this sporadically (every 3600 seconds) in the
> >middle of a surfing session.
>
> So it looks like the problem only occurs to my "heavy" internet users. (And
> that's right!)
> What would be the danger to set the authenticate_ttl to, let's say, 8 hours?
>
Your network is vulnerable to internal replay attacks against squid for that username:password combination for 8 hours. That's all.
>
> >a) The browser is in the middle of fetching a page with X objects left
> >to retrieve
> >b) The TTL expires, causing Squid to requery the authentication helper
> >which will tell that the password is invalid (still the old password).
> >Squid will then send "407 Proxy authentication required" to all those
> >requests.
> Looks like this!
>
> >c) As the browser has multiple concurrent 407 replies from the proxy, it
> >might well pop up several login dialogs to the user. But this is
> >user-agent implementation details..
>
> ?
Most user agents (browsers) will prompt for password credentials. Henrik was saying that the browser might pop up multiple boxes,
one for each 407. AFAIK neither Netscape nor IE does this - they assume all the 407s are related and prompt for credentials once, then
try on all the connections.
Rob
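The a), b), c) sequence Henrik describes leaves a recognisable trace in Squid's access.log: a burst of TCP_DENIED/407 replies for one client about authenticate_ttl seconds after that client's last successful request. The following is an added example, not code from the thread or from Squid: a small Python check over constructed native-format log lines, with the burst window and the minimum burst size as assumed thresholds.

```python
# Added example: spot the 407 storm that follows a proxy_auth cache TTL expiry.
# Assumes Squid's native access.log layout (time elapsed client code/status
# bytes method URL ident hierarchy/peer type). The log lines are constructed.
from collections import defaultdict

SAMPLE_LOG = """\
977530800.101 12 10.0.0.5 TCP_HIT/200 4512 GET http://www.example.com/ - NONE/- text/html
977530800.250 30 10.0.0.5 TCP_MISS/200 1200 GET http://www.example.com/a.gif - DIRECT/192.0.2.10 image/gif
977534400.010 2 10.0.0.5 TCP_DENIED/407 1840 GET http://www.example.com/b.gif - NONE/- text/html
977534400.015 2 10.0.0.5 TCP_DENIED/407 1840 GET http://www.example.com/c.gif - NONE/- text/html
977534400.020 2 10.0.0.5 TCP_DENIED/407 1840 GET http://www.example.com/d.gif - NONE/- text/html
977534410.000 1 10.0.0.9 TCP_DENIED/407 1840 GET http://www.example.org/ - NONE/- text/html
"""

def parse_line(line):
    """Return (timestamp, client, HTTP status) for one log line, or None."""
    fields = line.split()
    if len(fields) < 4 or "/" not in fields[3]:
        return None
    return float(fields[0]), fields[2], int(fields[3].split("/")[1])

def _summarise(client, burst, last_ok):
    """(client, burst start, number of 407s, seconds since last 2xx/3xx)."""
    gap = None if last_ok is None else round(burst[0] - last_ok, 1)
    return client, burst[0], len(burst), gap

def find_407_bursts(log_text, window=2.0, min_count=3):
    """Report clients that got >= min_count 407s within `window` seconds.
    A gap close to authenticate_ttl (3600 s by default) since the client's
    last successful request is the signature of the TTL-expiry case."""
    per_client = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec:
            per_client[rec[1]].append((rec[0], rec[2]))
    bursts = []
    for client, events in per_client.items():
        events.sort()
        last_ok, burst = None, []
        for ts, status in events:
            # A non-407 reply, or a 407 outside the window, closes the run.
            if burst and (status != 407 or ts - burst[0] > window):
                if len(burst) >= min_count:
                    bursts.append(_summarise(client, burst, last_ok))
                burst = []
            if status == 407:
                burst.append(ts)
            elif status < 400:
                last_ok = ts
        if len(burst) >= min_count:
            bursts.append(_summarise(client, burst, last_ok))
    return bursts
```

On the constructed sample, 10.0.0.5 is reported with three 407s arriving roughly 3600 seconds after its last 200, while the lone 407 from 10.0.0.9 is ignored.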
Received on Fri Dec 22 2000 - 17:32:53 MST