Re: [squid-users] strong authentication method

From: Kevin <kkadow@dont-contact.us>
Date: Thu, 16 Jun 2005 12:13:02 -0500

On 6/16/05, Emilio Salgari <mustyc@hotmail.com> wrote:
> I have squid perfectly running on a linux server.
> Till now, since this server has only a private IP address I have put no
> authentication for my clients (inside lan) using squid.
> In the next days I will give a public static IP address to this machine but
> I want that only MY clients can access my proxy (my clients will have public
> dynamic IP addresses, since they will connect from outside lan).
> My clients are on a win2000 or winxp box.

If your clients are members of a Windows domain, you might look at
Winbind: http://www.squid-cache.org/Doc/FAQ/FAQ.html#toc23.5

Another option would be to have your clients bring up a Windows VPN
tunnel to your squid server and use strong authentication on the tunnel;
this way the "outside" users look the same to squid as "inside" users.

Or you could use SSH, either by taking advantage of the port forwarding
features of SSH, or by using something akin to OpenBSD's "authpf", so
that when your customers bring up an SSH session from the Internet,
packet filter rules are updated on the server which permit their source IP
to access the proxy server so long as their SSH session is up.

> What kind of strong authentication method should I use?
> Is there something stronger than simple username-password?

1) Something your users and your squid server can deal with.
2) Stronger methods include SSL certificates, Challenge-Response,
and one time passwords (OTP) such as OPIE(S/Key), SecurID, etc.

It can be difficult to get Squid to support a strong authentication
scheme directly. The core of the problem is that when using an
authenticated non-transparent proxy, "The browser authenticates
on behalf of the user on every request sent to Squid." This requires
the browser to cache and reuse credentials, but the whole point of
OTP is that the passcodes are not reusable.

Kevin Kadow
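As an added illustration of the last point (this is example code written for this archive page, not something Kevin or the Squid project supplied), below is a minimal Squid basic-auth helper that validates HOTP (RFC 4226) one-time passcodes. It assumes the standard basic helper protocol, in which Squid writes one "username password" line per request on stdin and expects "OK" or "ERR" per line on stdout; the secret is the RFC 4226 test key and the counter store is an in-memory dict, both constructed for the demo (a real deployment needs a persistent, per-user counter and a real seed). The point it shows is the replay behaviour Kevin describes: the first use of a passcode returns OK, any resend of the same passcode returns ERR.

```python
import hmac
import hashlib
import sys

# Constructed demo data: the RFC 4226 test vector key, not a real seed.
SECRETS = {"emilio": b"12345678901234567890"}
# Hypothetical in-memory counter store; a real helper must persist this.
COUNTERS = {"emilio": 0}
# How far ahead of the stored counter we will accept, to tolerate
# codes the user generated but never submitted.
LOOKAHEAD = 5


def hotp(secret, counter, digits=6):
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce modulo 10**digits."""
    h = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    off = h[-1] & 0x0F
    code = ((h[off] & 0x7F) << 24 | h[off + 1] << 16
            | h[off + 2] << 8 | h[off + 3]) % (10 ** digits)
    return "%0*d" % (digits, code)


def check(user, passcode, secrets=SECRETS, counters=COUNTERS):
    """Accept the passcode if it matches any counter in the lookahead window,
    then advance the stored counter past it so the code cannot be replayed."""
    secret = secrets.get(user)
    if secret is None:
        return False
    start = counters.get(user, 0)
    for c in range(start, start + LOOKAHEAD):
        if hmac.compare_digest(hotp(secret, c), passcode):
            counters[user] = c + 1  # burn this counter and all earlier ones
            return True
    return False


def helper_line(line, secrets=SECRETS, counters=COUNTERS):
    """Handle one line of the basic helper protocol: 'user password' -> OK/ERR."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return "ERR"
    user, passcode = parts
    return "OK" if check(user, passcode, secrets, counters) else "ERR"


def main():
    # Squid keeps the helper running and feeds it one request per line.
    for line in sys.stdin:
        sys.stdout.write(helper_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Wired in with something like `auth_param basic program /usr/local/bin/squid_hotp.py` (path assumed) and `auth_param basic credentialsttl 8 hours`, Squid asks the helper once and caches the OK for the TTL, so the browser's habit of resending the same Proxy-Authorization header on every request is absorbed by the cache. When the TTL lapses, the browser still resends the old passcode, the helper correctly answers ERR, and the user is prompted for a fresh code; that forced re-prompt is the friction Kevin is pointing at, and it is the best a non-reusable credential can do behind a proxy that re-authenticates every request.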
Received on Thu Jun 16 2005 - 11:13:51 MDT
