Re: [squid-users] Authenticating users with a webpage form

From: S.M.H. Hamidi <hosseinhamidi@dont-contact.us>
Date: Mon, 3 Dec 2007 06:27:55 -0800 (PST)

Dear Mr. Jones,

 I think you are looking for an integration between
some different requirements, and integration is somehow
complicated. That is captive portal, caching/proxying
and user accounting.

 Squid wasn't written with a vision to support all of
the above requirements, although they can be added with
some scripting. Another way is to divide your problem
into different parts and use a suitable software package
for each. You can make use of Squid for caching and
other packages for authentication, accounting and
authorization.

Regards,

--- Taylor Jones <monitorjbl@gmail.com> wrote:

> I see. So I guess I need to use Hamidi's method: set up some webserver
> that unauthenticated users are redirected to, have the user submit his
> data to it, have some script on the webserver check against the password
> list (in my case LDAP), if the user was valid add the user's IP address
> to the proxy server's ACL list, then redirect the user to some other
> page so that the proxy accepts the newly authenticated user and allows
> him through. I guess I'll need some manner of measuring how long a
> user has been logged in so I can give him a certain amount of access
> time. It just seems...kludgy somehow. Maybe it's just me. It would be
> nice if this were more supported natively by squid, but I guess that's
> how guys like Amos make their money! Thanks for all your help guys!
>
> Amos Jeffries wrote:
> >> Is there no way to do this securely and in such a way that squid is able
> >> to log the IP address of the user? I mean, all I really want to do is
> >> ask the same questions of the user, just in a slightly different way. It
> >> seems hard to believe that this is so difficult in squid, every coffee
> >> shop and airport in the U.S. has something similar to this in their wifi
> >> hotspots. I am willing to accept that I may not know how it works, so I
> >> will explain what I believe to be the proper authentication steps:
> >
> > You misunderstand the basic HTTP/HTTPS authentication behaviour of web
> > browsers. Over which you have absolutely no control.
> >
> >> 1) User connects to proxy server
> >> 2) Squid sends an authentication request to the user with a method
> >> similar to .htaccess in Apache (I am using basic ncsa_auth at the
> >> moment, I realize that in digest and NTLM, this is different and more secure)
> >
> > *nix that. Squid must check source of 'logged-in' users, redirecting any
> > not found to the web server for 'authentication'.
> >
> >> 3) User submits his information
> >
> > ** to the 'authenticating' web server via the page POST.
> > which gets handled by an out-of-band script
> > which on success then redirects user back to original requested page.
> >
> >> 4) Squid uses ncsa_auth to compare the user's data with a password list
> >> somewhere on the proxy server
> >
> > * nix this too. proxy CANNOT use HTTP authentication for this remember?
> > browsers provide the login box.
> >
> >> 5) If the user is authorized, his IP address is added to a list of
> >> authorized users. If no, he is rejected.
> >
> > ** by the 'authenticating' web server via the POST.
> >
> > Proxy MUST scan source of 'logged-in' users again.. repeat ad infinitum
> > until success or failure blocks the users loop.
> >
> >> If I am right about that, then all I really want to do can be done by
> >> slightly modifying step 2, and send a complete webpage to the user.
> >> Since I am using basic authentication, I realize that the user's
> >> credentials are sent in plain text, so is it possible to use SSL in this
> >> scenario? The data is only being sent to the proxy server, so there
> >> shouldn't be a problem with any men-in-the-middle.
> >
> > Nope, the browser's behaviour on seeing a browser-level credential request is
> > to send credentials or show the box. There is no way you can use any of
> > the *_auth and not have the box.
> >
> > In a way out-of-band authentication is much more secure for the proxy
> > interaction part of the cycle and for all traffic once a user is
> > authorized.
> > But the authentication web server takes up all the usual security holes
> > any other clear-text password mechanism has.
> >
> > Thus, I give away a secure code for the risky bit free, with advice
> > available on it. While charging for the config part.
> >
> > Amos
> >
> >>
> >> Adrian Chadd wrote:
> >>> You misunderstand how it works.
> >>>
> >>> The browser pops up that box to gather authentication credentials it
> >>> then uses for all subsequent connections to the proxy server.
> >>>
> >>> Using a login page won't magically place authentication credentials
> >>> in the web browser for it to then use for subsequent connections.
> >>> The proxy has to track which IP addresses have had users log
> >>> and then pass them through.
> >>>
> >>> This has security implications which no one really seems to care about...
> >>>
> >>> Adrian
> >>>
> >>> On Sun, Dec 02, 2007, Taylor Jones wrote:
> >>>> Thanks for the offer, but I'm not looking for a way to login, I'm
> >>>> looking for a way to change the way in which squid lets users log in.
> >>>> As you know, the user authenticates himself via a little pop-up box in
> >>>> his browser. This is fine for most people, but like I said, I'm
> >>>> slightly obsessive, and I would like to design my own webpage through
> >>>> which the users log in. I could write the actual login script myself
> >>>> and implement it with LDAP or MySQL or something like that, but I
> >>>> can't figure out how to make squid show a login page instead of a
> >>>> login box.
> >>>>
> >>>>> On Dec 1, 2007 10:08 PM, Amos Jeffries <squid3@treenet.co.nz> wrote:
> >>>>>> Taylor Jones wrote:
> >>>>>>> Hello,
> >>>>>>>
> >>>>>>> I read the guidelines for this mailing list, and I really do hope I'm
> >>>>>>> not asking a question you've all heard a million times. If I am, feel
> >>>>>>> free to berate me, I probably deserve it.
> >>>>>>>
> >>>>>>> I am looking for a way to use a webpage with a GET/POST form to get
> >>>>>>> the user's name and password for authentication instead of the pop-up
> >>>>>>> that the user receives by default. I realize that this is just an
> >>>>>>> aesthetic kind of thing, but I'm nothing if not obsessive, and I hate
> >>>>>>> that I can't tell a user where he is and what he needs to do to gain
> >>>>>>> access to our proxy server. Honestly, this shouldn't be that hard to
> >>>>>>> implement, I just don't really know where I should start. Any help you
> >>>>>>> guys could give me would be much appreciated!
> >>>>>> I'm happy to supply a system.
> >>>>>> http://treenet.co.nz/projects/
> >>>>>>
> >>>>>> The web login code is freeware. The server and proxy integration is
> >>>>>> not.
> >>>>>> If you are interested get in touch off-list and
=== message truncated ===
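The thread above describes the out-of-band login flow in words: a web page checks the credentials, records the client's IP address as "logged in", and the proxy has to check the source IP of every request against that list and send anyone not on it to the login page. The following is an added example, not code from this thread, from Squid or from any of the posters; it shows the proxy-side half of that flow as a Squid external ACL helper in Python. It assumes a squid.conf wiring using Squid's external_acl_type directive with the %SRC format token, a hypothetical session file path written by the login script, and a hypothetical time limit per login (the "certain amount of access time" Taylor asks about). The login page and the LDAP check are not part of the example.

```python
#!/usr/bin/env python3
"""Squid external ACL helper for a web-form (captive-portal style) login.

Added example; not code from the mailing-list thread or from Squid itself.
It implements the 'proxy checks the source IP of logged-in users' step:
the login web page (not shown) verifies the user's credentials against LDAP
and records the client IP and login time in a session file; Squid asks this
helper, per request, whether that client IP is still authorized.

Assumed squid.conf wiring (names and paths are hypothetical):
    external_acl_type portal_session ttl=30 negative_ttl=5 %SRC /usr/local/bin/portal_acl.py
    acl logged_in external portal_session
    http_access allow logged_in
    # everything else is denied; use deny_info to send the client to the
    # login page (the exact deny_info syntax depends on your Squid version)

Caveat from the thread (Adrian's 'security implications'): authorization is
tied to an IP address, so any host sharing that address (NAT, shared
machines) inherits the session until it expires.
"""
import json
import sys
import time

SESSION_FILE = "/var/lib/portal/sessions.json"  # hypothetical; written by the login script
MAX_SESSION_SECONDS = 4 * 3600                    # hypothetical access time granted per login


def load_sessions(path):
    """Return {client_ip: login_unix_time}. A missing or corrupt file means
    nobody is logged in (fail closed rather than open)."""
    try:
        with open(path, "r", encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return {}
    if not isinstance(data, dict):
        return {}
    sessions = {}
    for ip, started in data.items():
        try:
            sessions[str(ip)] = float(started)
        except (TypeError, ValueError):
            continue  # skip malformed entries instead of authorizing them
    return sessions


def is_authorized(ip, sessions, now, max_age=MAX_SESSION_SECONDS):
    """True only if ip has a login record that is neither expired nor dated
    in the future (a clock jump or a tampered file must not extend access)."""
    started = sessions.get(ip)
    if started is None:
        return False
    age = now - started
    return 0 <= age <= max_age


def parse_request_line(line):
    """Parse one lookup as Squid sends it for a '%SRC' helper: either just the
    client IP, or '<channel-id> <ip>' when the concurrency= option is used.
    Returns (channel_id or None, ip); a malformed line yields an empty ip."""
    parts = line.strip().split()
    if len(parts) == 2 and parts[0].isdigit():
        return parts[0], parts[1]
    if len(parts) == 1:
        return None, parts[0]
    return None, ""


def make_reply(channel, ok):
    """Squid expects 'OK' or 'ERR', prefixed by the channel id if one was given."""
    verdict = "OK" if ok else "ERR"
    return f"{channel} {verdict}" if channel is not None else verdict


def main():
    # Squid keeps the helper running and writes one lookup per line; the
    # session file is re-read each time so logins and logouts take effect
    # without restarting Squid (the ttl= option caches verdicts on Squid's side).
    for line in sys.stdin:
        channel, ip = parse_request_line(line)
        sessions = load_sessions(SESSION_FILE)
        ok = bool(ip) and is_authorized(ip, sessions, time.time())
        sys.stdout.write(make_reply(channel, ok) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The helper fails closed on every error path (missing file, bad JSON, malformed line, login timestamp in the future), which is the behaviour you want for the "repeat ad infinitum until success or failure" loop Amos describes: an unauthorized client just keeps being sent to the login page. The login script only has to write a JSON object mapping client IP to the Unix time of a successful LDAP check, and expiry takes care of the per-session access time.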

Received on Mon Dec 03 2007 - 07:28:05 MST

This archive was generated by hypermail pre-2.1.9 : Tue Jan 01 2008 - 12:00:01 MST