Re: [squid-users] generic kerberos support in 2.6?

2007-01-02 Thread Cardon Denis

Hi again,

> I have been looking for the same setup as you are (transparent
> authentication proxy in a full linux environment, ie linux/firefox +
> linux/heimdal kerberos + linux/squid) for some time already, and I
> asked the same question a few months ago with the same answer (need of
> a helper). So I have read this thread with much interest, and think I
> may add a few bits of information here.
>
> You have mentioned in a previous post that your firefox was doing
> native KRB5 nego instead of SPNEGO/KRB5. It may go back to the
> original implementation that can be found at
> http://meta.cesnet.cz/cms/opencms/en/docs/software/devel/negotiate.html
> : "Since we don't have any SPNEGO implementation we are using
> directly Kerberos implementation of GSS API". I don't know
> if spnego has been added since then.

I answer my own question here. According to the tutorial
http://www.grolmsnet.de/kerbtut/ (Using mod_auth_kerb and Windows
2000/2003 as KDC), mod_auth_kerb can serve IE clients. So I guess it
must be able to handle SPNEGO.

Cheers,

Denis

> The interesting bit is that the same people have developed an apache
> authentication module corresponding to the mozilla negotiation
> implementation (http://modauthkerb.sourceforge.net/index.html).
> Please correct me if I'm wrong, but an apache auth module and a squid
> auth helper should be quite similar, shouldn't it? Current maintainer
> of the apache kerberos auth module is Daniel Kouril, who is
> working/studying in a Czech university. He is working on the myproxy
> project, whose goal is to ease the authentication/authorization
> management using certificates, especially in grid computing
> environment. I'll drop him an email to see if he is interested to
> collaborate with the squid community.
>
> Cheers,
>
> Denis
>
> > Regards
> > Henrik

--
Denis Cardon
Tranquil IT Systems
10 rue du Docteur Bouchard
49400 Saumur
tel : +33 (0) 2.41.67.56.99
fax : +33 (0) 2.40.56.09.81
mob : +33 (0) 6 81 66 27 62
http://www.tranquil-it-systems.fr




Re: [squid-users] generic kerberos support in 2.6?

2007-01-02 Thread Cardon Denis

Hi Henrik and Brian, and happy new year to the squid mailing list !

> > Hrm.  Firefox seems to disagree, at least in its implementation.  Squid
> > sends "Negotiate" as the authentication mechanism and Firefox responds
> > with Kerberos.
>
> The Negotiate HTTP scheme is defined by Internet RFC4559 "SPNEGO-based
> Kerberos and NTLM HTTP Authentication in Microsoft Windows", which
> specifies Kerberos within GSS-API as applied by SPNEGO..
>
> Quote:
>
>    The "Negotiate" auth-scheme calls for the use of SPNEGO GSSAPI tokens
>    that the specific mechanism type specifies.
>
> Relevant RFCs:
>
> RFC4559 SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft
> Windows (Negotiate)
>
> RFC4178 The Simple and Protected Generic Security Service Application
> Program Interface (GSS-API) Negotiation Mechanism (SPNEGO)
>
> RFC2743 Generic Security Service Application Program Interface Version
> 2, Update 1.  (GSS-API)
>
> Now I am not an expert on how this translates to wire format so I leave
> it to you to read and consider if what your Firefox does is sufficient
> to meet the specifications or not..

I have been looking for the same setup as you are (transparent
authentication proxy in a full linux environment, ie linux/firefox +
linux/heimdal kerberos + linux/squid) for some time already, and I asked
the same question a few months ago with the same answer (need of a
helper). So I have read this thread with much interest, and think I may
add a few bits of information here.

You have mentioned in a previous post that your firefox was doing
native KRB5 nego instead of SPNEGO/KRB5. It may go back to the original
implementation that can be found at
http://meta.cesnet.cz/cms/opencms/en/docs/software/devel/negotiate.html
: "Since we don't have any SPNEGO implementation we are using
directly Kerberos implementation of GSS API". I don't know if
spnego has been added since then.

The interesting bit is that the same people have developed an apache
authentication module corresponding to the mozilla negotiation
implementation (http://modauthkerb.sourceforge.net/index.html). Please
correct me if I'm wrong, but an apache auth module and a squid auth
helper should be quite similar, shouldn't it? Current maintainer of the
apache kerberos auth module is Daniel Kouril, who is working/studying in
a Czech university. He is working on the myproxy project, whose goal is
to ease the authentication/authorization management using certificates,
especially in grid computing environment. I'll drop him an email to see
if he is interested to collaborate with the squid community.

Cheers,

Denis

> Regards
> Henrik

--
Denis Cardon
Tranquil IT Systems
10 rue du Docteur Bouchard
49400 Saumur
tel : +33 (0) 2.41.67.56.99
fax : +33 (0) 2.40.56.09.81
mob : +33 (0) 6 81 66 27 62
http://www.tranquil-it-systems.fr




Re: [squid-users] generic kerberos support in 2.6?

2006-12-20 Thread Henrik Nordstrom
Wed 2006-12-20 at 07:47 -0500, Brian J. Murrell wrote:

> Hrm.  Firefox seems to disagree, at least in its implementation.  Squid
> sends "Negotiate" as the authentication mechanism and Firefox responds
> with Kerberos.

The Negotiate HTTP scheme is defined by Internet RFC4559 "SPNEGO-based
Kerberos and NTLM HTTP Authentication in Microsoft Windows", which
specifies Kerberos within GSS-API as applied by SPNEGO..

Quote:

   The "Negotiate" auth-scheme calls for the use of SPNEGO GSSAPI tokens
   that the specific mechanism type specifies.

Relevant RFCs:

RFC4559 SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft
Windows (Negotiate)

RFC4178 The Simple and Protected Generic Security Service Application
Program Interface (GSS-API) Negotiation Mechanism (SPNEGO)

RFC2743 Generic Security Service Application Program Interface Version
2, Update 1.  (GSS-API)


Now I am not an expert on how this translates to wire format so I leave
it to you to read and consider if what your Firefox does is sufficient
to meet the specifications or not..

Regards
Henrik


signature.asc
Description: This is a digitally signed message part


Re: [squid-users] generic kerberos support in 2.6?

2006-12-20 Thread Brian J. Murrell
On Wed, 2006-12-20 at 11:06 +0100, Henrik Nordstrom wrote:
> 
> The Negotiate scheme is SPNEGO by definition.

Hrm.  Firefox seems to disagree, at least in its implementation.  Squid
sends "Negotiate" as the authentication mechanism and Firefox responds
with Kerberos.

> Native KRB5 is the Kerberos scheme..

I see.  I wonder, given that Firefox sends native KRB5 with Negotiate if
it will even recognize Kerberos as a mechanism?

> But adding a native Kerberos interface to ntlm_auth would make sense as
> well, much like it has a native NTLM interface. Skipping SPNEGO.

Perhaps.

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell


signature.asc
Description: This is a digitally signed message part


Re: [squid-users] generic kerberos support in 2.6?

2006-12-20 Thread Henrik Nordstrom
Mon 2006-12-18 at 23:41 -0500, Brian J. Murrell wrote:

> Indeed.  And it can be done, I think, by adding native KRB5 support to
> ntlm_auth (right now ntlm_auth assumes everything will be wrapped in
> SPNEGO), but it would be less hacking there if Firefox could be
> convinced to use SPNEGO on non-windows platform, even when all it has
> are KRB5 (or any other non MS specific) credentials.

The Negotiate scheme is SPNEGO by definition.

Native KRB5 is the Kerberos scheme..

But adding a native Kerberos interface to ntlm_auth would make sense as
well, much like it has a native NTLM interface. Skipping SPNEGO.

But we do not yet have support for the Kerberos scheme in Squid. But
it's just to make a copy of Negotiate and rename it to Kerberos..

Regards
Henrik




signature.asc
Description: This is a digitally signed message part


Re: [squid-users] generic kerberos support in 2.6?

2006-12-18 Thread Robert Collins
On Tue, 2006-12-19 at 12:14 +0800, Adrian Chadd wrote:
> 
> 
> I think we'd all agree that being able to offer digest authentication
> in this
> method to non-Windows platforms would be rather shiny. 

digest as in rfc2617? Or did you mean kerberos ?:).

SPNEGO is the closest thing to a standard going, but it's gawddamn fugly.

If we're going to push for a standard for kerberos, for non-windows
clients, let's try to aim for something like rfc2617 which does not
require pinned connections?

-Rob

-- 
GPG key available at: .


signature.asc
Description: This is a digitally signed message part


Re: [squid-users] generic kerberos support in 2.6?

2006-12-18 Thread Adrian Chadd
On Mon, Dec 18, 2006, Brian J. Murrell wrote:

> > I think we'd all agree that being able to offer digest
> 
> digest or Negotiate?

:) Probably the latter; I'm still not up to date on how the various
non-basic authentication methods work.

> Indeed.  And it can be done, I think, by adding native KRB5 support to
> ntlm_auth (right now ntlm_auth assumes everything will be wrapped in
> SPNEGO), but it would be less hacking there if Firefox could be
> convinced to use SPNEGO on non-windows platform, even when all it has
> are KRB5 (or any other non MS specific) credentials.

It sounds like a perfect candidate for a google summer of code type deal..




adrian

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -


Re: [squid-users] generic kerberos support in 2.6?

2006-12-18 Thread Brian J. Murrell
On Tue, 2006-12-19 at 12:14 +0800, Adrian Chadd wrote:
> On Mon, Dec 18, 2006, Brian J. Murrell wrote:
> > 
> > This is probably starting to grow a little OT for this list though.
> 
> Nope, it's definitely not off-topic for the list.

I think I just meant the discussion on "how to make firefox on linux do
spnego" bits as being OT.  Maybe that is not even OT.  Seemed it to me,
but I am just a newcomer though.

> I think we'd all agree that being able to offer digest

digest or Negotiate?

> authentication in this
> method to non-Windows platforms would be rather shiny.

Indeed.  And it can be done, I think, by adding native KRB5 support to
ntlm_auth (right now ntlm_auth assumes everything will be wrapped in
SPNEGO), but it would be less hacking there if Firefox could be
convinced to use SPNEGO on non-windows platform, even when all it has
are KRB5 (or any other non MS specific) credentials.

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell


signature.asc
Description: This is a digitally signed message part


Re: [squid-users] generic kerberos support in 2.6?

2006-12-18 Thread Adrian Chadd
On Mon, Dec 18, 2006, Brian J. Murrell wrote:
> On Sat, 2006-12-16 at 21:21 -0500, Brian J. Murrell wrote:
> > 
> > Probably, a helper supporting this native KRB5 blob is ideal,
> 
> It has further occurred to me, that ntlm_auth *has* to be the helper
> that supports this native KRB5 Negotiate goop, unless one can ensure
> that no AD authenticating windows clients will be part of the network.
> 
> I wonder what the chances any normal office type setting can make that
> guarantee?
> 
> Does not wanting to use an MS server for the authentication really
> preclude the use of SPNEGO?  I.e. is there any good reason why a browser
> on Linux delivering simply KRB5 credentials *cannot* wrap it all in
> SPNEGO?  It sure would make things easier if it could/should.  Maybe
> some gecko code analysis is needed.  ~sigh~
> 
> This is probably starting to grow a little OT for this list though.

Nope, it's definitely not off-topic for the list.

I think we'd all agree that being able to offer digest authentication in this
method to non-Windows platforms would be rather shiny.




Adrian

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -


Re: [squid-users] generic kerberos support in 2.6?

2006-12-18 Thread Brian J. Murrell
On Sat, 2006-12-16 at 21:21 -0500, Brian J. Murrell wrote:
> 
> Probably, a helper supporting this native KRB5 blob is ideal,

It has further occurred to me, that ntlm_auth *has* to be the helper
that supports this native KRB5 Negotiate goop, unless one can ensure
that no AD authenticating windows clients will be part of the network.

I wonder what the chances any normal office type setting can make that
guarantee?

Does not wanting to use an MS server for the authentication really
preclude the use of SPNEGO?  I.e. is there any good reason why a browser
on Linux delivering simply KRB5 credentials *cannot* wrap it all in
SPNEGO?  It sure would make things easier if it could/should.  Maybe
some gecko code analysis is needed.  ~sigh~

This is probably starting to grow a little OT for this list though.

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell


signature.asc
Description: This is a digitally signed message part


Re: [squid-users] generic kerberos support in 2.6?

2006-12-16 Thread Brian J. Murrell
OK.

I sat down to do some hacking of ntlm_auth and came to an interesting
discovery...

Firefox in Linux does not appear to actually use SPNEGO when it's told
to use Negotiate (i.e. by setting the
network.negotiate-auth.{delegation,trusted}-uris).  Or at least I could
not find any magic keys to make it do it.

What Firefox on Linux DOES do, is send native "KRB5 - Kerberos 5" (OID
1.2.840.113554.1.2.2 vs. OID 1.3.6.1.5.5.2 which is for SPNEGO) data in
the Negotiate blob -- and ntlm_auth appears to be completely unable to
handle this -- unsurprisingly.

Probably, a helper supporting this native KRB5 blob is ideal, but for
easier hacking of the ntlm_auth helper, if anyone knows how to force
Firefox on Linux to wrap the Negotiate goop in SPNEGO, I'd appreciate
knowing how.

Now on to other avenues of exploration with Negotiate.

Cheers,
b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell


signature.asc
Description: This is a digitally signed message part
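Henrik's point further down the thread that Negotiate means SPNEGO by definition, and Brian's finding above that Firefox on Linux puts the raw KRB5 mechanism OID (1.2.840.113554.1.2.2) rather than the SPNEGO OID (1.3.6.1.5.5.2) inside the Negotiate blob, can both be checked on the wire: the added example below (not Squid's, Samba ntlm_auth's or anyone on the thread's code) decodes the GSS-API InitialContextToken header of a Negotiate credential and reports which mechanism OID it carries, which is exactly the distinction ntlm_auth trips over. The two sample credentials are constructed with placeholder bodies, not captured traffic.

```python
# Added example, not Squid or ntlm_auth code: identify the GSS-API
# mechanism inside an HTTP "Negotiate" credential (RFC 2743 sect. 3.1).
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"        # wrapper mechanism ntlm_auth expects
KRB5_OID = "1.2.840.113554.1.2.2"   # raw Kerberos 5 mechanism
MECH_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "KRB5"}

def der_length(buf, pos):
    """Parse a DER length at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:                 # short form
        return first, pos + 1
    n = first & 0x7F                 # long form: n length octets follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def decode_oid(der):
    """Decode DER OBJECT IDENTIFIER content octets to dotted form."""
    if not der:
        raise ValueError("empty OID")
    arcs = [der[0] // 40, der[0] % 40] if der[0] < 80 else [2, der[0] - 80]
    value = 0
    for b in der[1:]:                # base 128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)

def negotiate_mechanism(header_value):
    """Mechanism name (or dotted OID) a 'Negotiate <base64>' value carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not a Negotiate credential")
    tok = base64.b64decode(b64, validate=True)
    # InitialContextToken: [APPLICATION 0] tag 0x60, length, mech OID TLV.
    if not tok or tok[0] != 0x60:
        raise ValueError("no InitialContextToken framing")
    _, pos = der_length(tok, 1)
    if pos >= len(tok) or tok[pos] != 0x06:
        raise ValueError("mechanism OID missing")
    oid_len, pos = der_length(tok, pos + 1)
    oid = decode_oid(tok[pos:pos + oid_len])
    return MECH_NAMES.get(oid, oid)

# Constructed samples (not captured traffic): GSS header + placeholder body.
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    bytes.fromhex("600a06062b0601050502a000")).decode()
SAMPLE_KRB5 = "Negotiate " + base64.b64encode(
    bytes.fromhex("600d06092a864886f7120102020100")).decode()
```

Feeding a real Proxy-Authorization value from a Firefox-on-Linux request to `negotiate_mechanism` tells you in one step whether the browser wrapped its ticket in SPNEGO or sent bare KRB5, before you start digging in the helper.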


Re: [squid-users] generic kerberos support in 2.6?

2006-12-13 Thread Henrik Nordstrom
Mon 2006-12-11 at 23:37 -0500, Brian J. Murrell wrote:

> But my suggestion of using ntlm_auth was not so much in it's binary form
> but as a source of SPNEGO handling.  IIUC, ntlm_auth takes the SPNEGO
> blob from the client via squid and unpacks it and does the NTLM auth
> with the MS Goop(tm) doesn't it?

It does, but it also does the Kerberos Goop(tm) when it was a Kerberos
request and not NTLM...

For those unaware of the protocols SPNEGO is a Microsoft wrapper around
all the other security service providers in Windows, allowing client and
server to negotiate which authentication scheme to use. As such it
encapsulates both NTLM and Kerberos authentication. In HTTP Microsoft
for some reason calls this wrapper scheme Negotiate while everywhere
else it's SPNEGO from the wrapper security service provider name..

Regards
Henrik


signature.asc
Description: This is a digitally signed message part


Re: [squid-users] generic kerberos support in 2.6?

2006-12-11 Thread Brian J. Murrell
On Tue, 2006-12-12 at 05:29 +0100, Henrik Nordstrom wrote:
> 
> In theory it may be possible to use Samba ntlm_auth without an ADS
> setup.

Yeah, I had wondered too if ntlm_auth could be used with Samba
configured to use either PAM locally, which would use kerberos or if
Samba had any direct kerberos support in it (doubtful).  Doesn't
ntlm_auth with spnego need samba >-4 though?

> But I don't know if it will work or how one configures Samba for
> such setups.

Indeed.  Certainly if one has Samba already configured and in use, it
would hopefully not be much more, but to install and configure Samba
just for squid is a bit much -- I suppose if one really wants SSO
though.

But my suggestion of using ntlm_auth was not so much in it's binary form
but as a source of SPNEGO handling.  IIUC, ntlm_auth takes the SPNEGO
blob from the client via squid and unpacks it and does the NTLM auth
with the MS Goop(tm) doesn't it?

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell


signature.asc
Description: This is a digitally signed message part


Re: [squid-users] generic kerberos support in 2.6?

2006-12-11 Thread Henrik Nordstrom
Mon 2006-12-11 at 18:54 -0500, Brian J. Murrell wrote:

> Wouldn't an existing helper, like the ntlm_auth helper in Samba be of
> use?  Does it not take the SPNEGO data from the browser and hand it off
> to some MS Goop(tm) for an authentication response?  That would at least
> take care of the SPNEGO stuff, no?

In theory it may be possible to use Samba ntlm_auth without an ADS
setup. But I don't know if it will work or how one configures Samba for
such setups.

Regards
Henrik


signature.asc
Description: This is a digitally signed message part


Re: [squid-users] generic kerberos support in 2.6?

2006-12-11 Thread Brian J. Murrell
On Mon, 2006-12-11 at 00:11 +0100, Henrik Nordstrom wrote:
> 
> What is missing is the helper...

Indeed.  I think that is basically what I summarized in my followup
e-mail.  Pity.

> None of the squid developers knows Kerberos APIs or Microsoft SPNEGO
> packet format to write such helper, but we would be happy to guide
> anyone knowing the Kerberos and SPNEGO side of things how to interface
> with Squid.

Wouldn't an existing helper, like the ntlm_auth helper in Samba be of
use?  Does it not take the SPNEGO data from the browser and hand it off
to some MS Goop(tm) for an authentication response?  That would at least
take care of the SPNEGO stuff, no?

> It's not a difficult thing at all if you have a SPNEGO
> authentication backend.

Indeed.  Ten+ years ago and I'd be coding this up.  Unfortunately so
many other constraints on my time limit my hacking time these days.

'Tis a pity that this is the only piece missing.

Much appreciate your input on answering this though.

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell


signature.asc
Description: This is a digitally signed message part