Re: [squid-users] Squid Kerberos authentication

2009-11-29 Thread Extra Fu
Hello Malte,

First of all, thanks for your prompt reply.

> at least on Linux it is possible to obtain a valid ticket with the
> kinit command. If you want to integrate it further you should take a
> look at the Kerberos PAM-module (libpam-krb5 on Debian).
>
> Firefox is then able to use Kerberos to authenticate to Squid. I use
> this kind of setup in a productive environment.

Yep, that's what I thought.

In any case, if the ticket has to be present for things to work (which
is normal), what are the options for Windows users (not logged in on
the domain)? In my case, the real use of the Squid proxy is for users
outside of my network, for letting them access resources for which
their access is limited to my local network (think of a library
proxy).

Since we can't have encryption between the browser and the Squid
proxy, the most secure authentication mechanism has to be used... of
course users could just use the VPN server, but that's another story
:-/

Thanks,


[squid-users] Squid Kerberos authentication

2009-11-28 Thread Extra Fu
Hello,

I'm considering dropping the use of NTLM in favor of Kerberos
(auth_param negotiate) to authenticate users against my AD 2003
server. To do this, I would like to use the squid_kerb_auth program.

Prior to starting my work on this, I was wondering what would happen for
users not currently logged in on my domain controller (i.e., users not
having a valid Kerberos ticket) - for example, users at home or Mac OS
X / Linux users? From my readings, Safari 3/4, Firefox 2+, IE7/8 all
seem to support Kerberos authentication to a Squid proxy but for
clients, it's not clear to me (after reading RFC4559) what will happen
if no ticket is present when the user goes through the Squid proxy.

Will it just fail?

Thanks for any light you can shine on this.

Best regards,