Re: [squid-users] writing my own authenticator
On Fri, 2008-03-21 at 15:37 +, paul cooper wrote:

> I think I'm also confused about the interaction between the browser, squid
> and external authenticators in spite of reading Ch12 several times.

Authentication and external acls are very different things.

Authentication is based on information the browser passes in the HTTP request, identifying the user. The exact details vary depending on the scheme you use.

basic: login+password, as entered by the user in his browser.

digest: login+one time hash, based on login+password entered by the user in his browser.

ntlm & negotiate: Microsoft authentication blobs, used for automatic domain authentication, same mechanisms as used between a windows station and file server.

Authentication details are processed by authentication helpers (auth_param) and these basically return an "OK/ERR" to Squid.

External acls (external_acl_type) can either use login information already provided by authentication (%LOGIN, also implicitly requires authentication), or use their own out-of-band methods for figuring out the user using whatever means are available to the helper and return this to Squid if they want. There is no standard out-of-band method but some examples can be

- static IP based registry, assigning the user based on which client station the request comes from. This is what I thought you wanted to do.

- Separate session database keeping track of users per client IP. Used for example to integrate with various forms+cookie based authentication services.

Both kinds of helpers run as slaves to the Squid process, using the user identity of your Squid, not the requesting user.

> request then goes : squid-> helper . the helper can do what it likes and
> returns a string to squid. if the string is "ERR" then squid will deny
> access. If it is "OK" then squid allows access to the cache . In addition
> the user=xxx can also be passed back from the helper to squid.
>
> Can squid then use this user as the basis for an ACL ?

Yes.

> so why did my perl example that outputs a file to the disk not write the
> file, which it did when executed from the CL. How do I see the data that
> is going to and from the helper and verify it's executing the helper as I
> expect?

If the acl is reached successfully in your http_access processing then the helper will be called. But remember that if you use %LOGIN then the helper is only called AFTER the client has provided successful login credentials to the proxy using any of the methods you define in auth_param.

> Sorry to have so many questions. Is there anything that goes into any more
> detail than "Squid - the definitive guide?"

This mailinglist.

Regards
Henrik
Re: [squid-users] writing my own authenticator
I think I'm also confused about the interaction between the browser, squid and external authenticators in spite of reading Ch12 several times.

it says "..Ch6 lists tokens you can pass from squid -> helper" and "external ACL helper interface allows additional information from helper to squid ...as keyword=value pairs."

so browser -> request to squid

the %LOGIN in the external helper examples refers to an authenticated user obtained by another (squid - exclusively squid???) process (eg NCSA/PAM etc)

request then goes : squid-> helper . the helper can do what it likes and returns a string to squid. if the string is "ERR" then squid will deny access. If it is "OK" then squid allows access to the cache . In addition the user=xxx can also be passed back from the helper to squid.

Can squid then use this user as the basis for an ACL ?

so why did my perl example that outputs a file to the disk not write the file, which it did when executed from the CL. How do I see the data that is going to and from the helper and verify it's executing the helper as I expect?

Sorry to have so many questions. Is there anything that goes into any more detail than "Squid - the definitive guide?"
Re: [squid-users] writing my own authenticator
paul cooper wrote:
> so ip_user won't actually do what I want (the book isn't clear actually what it is there for) - thanks Henrik
>
> what I want is to get the currently logged-in user and pass it to squid which will then authenticate against that with no further dialog boxes etc. I can then add eg time-based ACLs

I think you have confused purpose and nature of Authentication. It's usually done by the browser when requesting web pages. The standard methods use various authentication headers the browser passes to squid containing a user/pass. Non-standard methods involve squid pulling various details like IP address and authenticating based on them instead of user/pass.

All any of the methods do is pass squid an OK/ERR result after authenticating to say the request can/not go through.

> So I thought I'd try my own. Eventually I suspect I'll use getpwuid() and look up in /etc/passwd.
>
> #!/usr/bin/perl -wl
> # -l appends a newline to every print; $|=1 turns off output buffering so
> # Squid sees each reply immediately.
> $|=1;
> my @names = ("andrew","anne","nick","emma");
> my $username = `whoami` or die "Couldn't execute command: $!";
> chomp($username);
> # Record what the helper saw, for debugging.
> open(F, '>/tmp/data.txt') or die "Couldn't open /tmp/data.txt: $!";
> print F $username;
> close(F);
> # Reply OK if the user is in the list (checks every name, including the last).
> foreach my $name (@names) {
>     if ($name eq $username) { print "OK user=$username"; exit; }
> }
> print "ERR";
>
> and this returns the current user and writes it to the file.

I'd suggest a test version that accepts anything squid sends, logs it exactly and says 'OK/ERR' randomly. Run it for a while to see exactly what you can get from squid and design based on that.

Amos

> my squid.conf
>
> hepworth andrew # cat /etc/squid/squid.conf |grep ^acl
> acl all src 0.0.0.0/0.0.0.0
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl purge method PURGE
> acl CONNECT method CONNECT
> acl annes external MyAclHelper
> acl QUERY urlpath_regex cgi-bin \?
> acl apache rep_header Server ^Apache
> hepworth andrew # cat /etc/squid/squid.conf |grep ^http
> http_access Safe_ports allow
> http_access allow annes
> http_access deny all
> http_port 3128
> hepworth andrew # cat /etc/squid/squid.conf |grep ^external
> external_acl_type MyAclHelper /etc/squid/myaclhelper
> hepworth andrew #
>
> do I need an auth_param directive as well? if so what?
>
> so when I request a web page it asks me for a username and password and myaclhelper doesn't write the text file. Should it be doing the "2008/03/21 12:00:16| helperOpenServers: Starting 5 'getpwname_auth' processes" line?
>
> hepworth squid # /usr/local/squid/sbin/squid -N -d6
> 2008/03/21 12:00:16| Starting Squid Cache version 2.6.STABLE18 for i686-pc-linux-gnu...
> 2008/03/21 12:00:16| Process ID 19869
> 2008/03/21 12:00:16| With 1024 file descriptors available
> 2008/03/21 12:00:16| Using epoll for the IO loop
> 2008/03/21 12:00:16| Performing DNS Tests...
> 2008/03/21 12:00:16| Successful DNS name lookup tests...
> 2008/03/21 12:00:16| DNS Socket created at 0.0.0.0, port 32860, FD 6
> 2008/03/21 12:00:16| Adding domain home.nw from /etc/resolv.conf
> 2008/03/21 12:00:16| Adding nameserver 192.168.0.254 from /etc/resolv.conf
> 2008/03/21 12:00:16| helperOpenServers: Starting 5 'getpwname_auth' processes
> 2008/03/21 12:00:16| Unlinkd pipe opened on FD 17
> 2008/03/21 12:00:16| Swap maxSize 102400 KB, estimated 7876 objects
> 2008/03/21 12:00:16| Target number of buckets: 393
> 2008/03/21 12:00:16| Using 8192 Store buckets
> 2008/03/21 12:00:16| Max Mem size: 8192 KB
> 2008/03/21 12:00:16| Max Swap size: 102400 KB
> 2008/03/21 12:00:16| Rebuilding storage in /usr/local/squid/var/cache (CLEAN)
> 2008/03/21 12:00:16| Using Least Load store dir selection
> 2008/03/21 12:00:16| Current Directory is /etc/squid
> 2008/03/21 12:00:16| Loaded Icons.
> 2008/03/21 12:00:16| Accepting proxy HTTP connections at 0.0.0.0, port 3128, FD 19.
> 2008/03/21 12:00:16| Accepting ICP messages at 0.0.0.0, port 3130, FD 20.
> 2008/03/21 12:00:16| WCCP Disabled.
> 2008/03/21 12:00:16| Ready to serve requests.
> 2008/03/21 12:00:17| Done reading /usr/local/squid/var/cache swaplog (688 entries)
> 2008/03/21 12:00:17| Finished rebuilding storage from disk.
> 2008/03/21 12:00:17| 688 Entries scanned
> 2008/03/21 12:00:17| 0 Invalid entries.
> 2008/03/21 12:00:17| 0 With invalid flags.
> 2008/03/21 12:00:17| 688 Objects loaded.
> 2008/03/21 12:00:17| 0 Objects expired.
> 2008/03/21 12:00:17| 0 Objects cancelled.
> 2008/03/21 12:00:17| 0 Duplicate URLs purged.
> 2008/03/21 12:00:17| 0 Swapfile clashes avoided.
> 2008/03/21 12:00:17| Took 0.4 seconds (1801.4 objects/sec).
> 2008/03/21 12:00:17| Beginning Validation Procedure
> 2008/03/21 12:00:17| Completed Validation Procedure
> 2008/03/21 12:00:17| Validated 688 Entries
> 2008/03/21 12:00:17| store_swap_size = 4320k
> 2008/03/21 12:00:17| storeLateRelease: released 0 objects

--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
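A test helper of the kind Amos suggests, speaking the external acl protocol Henrik describes (one request line in on stdin, "OK user=NAME" or "ERR" out on stdout). This is an added example in Python, not code from the thread or from Squid; it assumes a hypothetical squid.conf line "external_acl_type MyAclHelper %SRC /etc/squid/myaclhelper.py", a constructed IP-to-user table and a constructed log path.

```python
#!/usr/bin/env python3
"""Minimal Squid external_acl_type helper (added example, not code from the thread).

Assumed squid.conf (hypothetical):
  external_acl_type MyAclHelper %SRC /etc/squid/myaclhelper.py
  acl annes external MyAclHelper
Because the format is %SRC, each request line Squid sends holds the client IP.
"""
import getpass
import sys
import urllib.parse

# Constructed static IP-to-user registry, the out-of-band method Henrik describes.
# It trusts the source address, so anyone using that station gets that identity.
IP_TO_USER = {"192.168.0.10": "andrew", "192.168.0.11": "anne"}
LOG_PATH = "/tmp/myaclhelper.log"   # constructed path, for inspecting the dialogue


def parse_request(line):
    """Split the space-separated fields Squid sends and undo its URL-encoding."""
    return [urllib.parse.unquote(f) for f in line.rstrip("\r\n").split(" ")]


def decide(line):
    """Return the reply string for one request line from Squid."""
    fields = parse_request(line)
    if not fields or not fields[0]:
        return "ERR"
    user = IP_TO_USER.get(fields[0])
    # The user= tag is what later acls (e.g. time-based ones) can match on.
    return "OK user=%s" % user if user else "ERR"


def main():
    # getpass.getuser() is the account Squid runs as, never the browser user:
    # that is why `whoami` inside a helper cannot identify the client.
    with open(LOG_PATH, "a") as log:
        log.write("helper started as %s\n" % getpass.getuser())
        for line in sys.stdin:          # one request per line until Squid closes stdin
            reply = decide(line)
            log.write("IN : %r\nOUT: %s\n" % (line, reply))
            log.flush()
            sys.stdout.write(reply + "\n")
            sys.stdout.flush()          # unbuffered, like $|=1 in the Perl version


if __name__ == "__main__":
    main()
```

Feed it lines by hand ("echo 192.168.0.10 | ./myaclhelper.py") before wiring it into squid.conf, then read the log to see exactly what Squid passes in.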
[squid-users] writing my own authenticator
so ip_user won't actually do what I want (the book isn't clear actually what it is there for) - thanks Henrik

what I want is to get the currently logged-in user and pass it to squid which will then authenticate against that with no further dialog boxes etc. I can then add eg time-based ACLs

So I thought I'd try my own. Eventually I suspect I'll use getpwuid() and look up in /etc/passwd.

#!/usr/bin/perl -wl
# -l appends a newline to every print; $|=1 turns off output buffering so
# Squid sees each reply immediately.
$|=1;
my @names = ("andrew","anne","nick","emma");
my $username = `whoami` or die "Couldn't execute command: $!";
chomp($username);
# Record what the helper saw, for debugging.
open(F, '>/tmp/data.txt') or die "Couldn't open /tmp/data.txt: $!";
print F $username;
close(F);
# Reply OK if the user is in the list (checks every name, including the last).
foreach my $name (@names) {
    if ($name eq $username) { print "OK user=$username"; exit; }
}
print "ERR";

and this returns the current user and writes it to the file.

my squid.conf

hepworth andrew # cat /etc/squid/squid.conf |grep ^acl
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl purge method PURGE
acl CONNECT method CONNECT
acl annes external MyAclHelper
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
hepworth andrew # cat /etc/squid/squid.conf |grep ^http
http_access Safe_ports allow
http_access allow annes
http_access deny all
http_port 3128
hepworth andrew # cat /etc/squid/squid.conf |grep ^external
external_acl_type MyAclHelper /etc/squid/myaclhelper
hepworth andrew #

do I need an auth_param directive as well? if so what?

so when I request a web page it asks me for a username and password and myaclhelper doesn't write the text file. Should it be doing the "2008/03/21 12:00:16| helperOpenServers: Starting 5 'getpwname_auth' processes" line?

hepworth squid # /usr/local/squid/sbin/squid -N -d6
2008/03/21 12:00:16| Starting Squid Cache version 2.6.STABLE18 for i686-pc-linux-gnu...
2008/03/21 12:00:16| Process ID 19869
2008/03/21 12:00:16| With 1024 file descriptors available
2008/03/21 12:00:16| Using epoll for the IO loop
2008/03/21 12:00:16| Performing DNS Tests...
2008/03/21 12:00:16| Successful DNS name lookup tests...
2008/03/21 12:00:16| DNS Socket created at 0.0.0.0, port 32860, FD 6
2008/03/21 12:00:16| Adding domain home.nw from /etc/resolv.conf
2008/03/21 12:00:16| Adding nameserver 192.168.0.254 from /etc/resolv.conf
2008/03/21 12:00:16| helperOpenServers: Starting 5 'getpwname_auth' processes
2008/03/21 12:00:16| Unlinkd pipe opened on FD 17
2008/03/21 12:00:16| Swap maxSize 102400 KB, estimated 7876 objects
2008/03/21 12:00:16| Target number of buckets: 393
2008/03/21 12:00:16| Using 8192 Store buckets
2008/03/21 12:00:16| Max Mem size: 8192 KB
2008/03/21 12:00:16| Max Swap size: 102400 KB
2008/03/21 12:00:16| Rebuilding storage in /usr/local/squid/var/cache (CLEAN)
2008/03/21 12:00:16| Using Least Load store dir selection
2008/03/21 12:00:16| Current Directory is /etc/squid
2008/03/21 12:00:16| Loaded Icons.
2008/03/21 12:00:16| Accepting proxy HTTP connections at 0.0.0.0, port 3128, FD 19.
2008/03/21 12:00:16| Accepting ICP messages at 0.0.0.0, port 3130, FD 20.
2008/03/21 12:00:16| WCCP Disabled.
2008/03/21 12:00:16| Ready to serve requests.
2008/03/21 12:00:17| Done reading /usr/local/squid/var/cache swaplog (688 entries)
2008/03/21 12:00:17| Finished rebuilding storage from disk.
2008/03/21 12:00:17| 688 Entries scanned
2008/03/21 12:00:17| 0 Invalid entries.
2008/03/21 12:00:17| 0 With invalid flags.
2008/03/21 12:00:17| 688 Objects loaded.
2008/03/21 12:00:17| 0 Objects expired.
2008/03/21 12:00:17| 0 Objects cancelled.
2008/03/21 12:00:17| 0 Duplicate URLs purged.
2008/03/21 12:00:17| 0 Swapfile clashes avoided.
2008/03/21 12:00:17| Took 0.4 seconds (1801.4 objects/sec).
2008/03/21 12:00:17| Beginning Validation Procedure
2008/03/21 12:00:17| Completed Validation Procedure
2008/03/21 12:00:17| Validated 688 Entries
2008/03/21 12:00:17| store_swap_size = 4320k
2008/03/21 12:00:17| storeLateRelease: released 0 objects