[squid-users] Re: ntlm won't prompt

2003-07-10 Thread Norman Zhang
>> I am trying to get squid to prompt me for password before granting >> access to the internet. > > The whole point of NTLM auth is not having to enter the password. > If you want the password prompt, you need to use basic auth and > the wb_auth helper. Please excuse my ignorance. Would passwords

[squid-users] Re: ntlm won't prompt

2003-07-11 Thread Norman Zhang
Hi, > If you only want to allow certain users to access the Internet, take > a look at the wb_group external acl helper. You can configure it to > check a certain Windows group, and only allow access to members of > that group. I googled the net for wb_group but can't seem to find a place to downl

[squid-users] Re: ntlm won't prompt

2003-07-15 Thread Norman Zhang
Mueller, Thomas wrote: >>> But i want only to allow a specific NT Domain group >> Fully possible. See the wb_group helper. >> >>> only specific NT4 Domain Users. >> Also possible. See the proxy_auth acl type. > > Do I have to re-compile Squid then? > I cannot find the helper after my installation i

[squid-users] Re: ntlm won't prompt

2003-07-16 Thread Norman Zhang
Mueller, Thomas wrote: > So it seems that i have to compile wb_check_group.c into "wb_group", > but I don't know how, i'm new to linux/squid. > > Any hint? Sorry, I guess my earlier post was somewhat misleading. I did compile squid to get wb_group, then I copied the wb_group to the original squid

Re: [squid-users] Re: ntlm won't prompt

2003-07-10 Thread Adam Aube
>Please excuse my ignorance. Would passwords be passed in clear text using >basic auth? Is there an authentication scheme that works without clear text. There are 3 types of auth supported in Squid: 1) Basic auth - Works with virtually any browser - Password is sent in clear text - Passw

RE: [squid-users] Re: ntlm won't prompt

2003-07-10 Thread mwestern
i don't think the developers of squid would agree with you on that one. :) >Quite frankly, if you can use NTLM auth, do it. That is the one feature >in IE that I wish other browsers would emulate. http://devel.squid-cache.org/ntlm/client_proxy_protocol.html seems to think that 'it couldn't ge

RE: [squid-users] Re: ntlm won't prompt

2003-07-10 Thread Ken Thomson
Mozilla 1.4 claims to support NTLM authentication. -Original Message- From: Adam Aube [mailto:[EMAIL PROTECTED] Sent: Friday, 11 July 2003 11:41 To: [EMAIL PROTECTED] Subject: Re: [squid-users] Re: ntlm won't prompt >Please excuse my ignorance. Would passwords be passed in cl

RE: [squid-users] Re: ntlm won't prompt

2003-07-10 Thread Adam Aube
>Mozilla 1.4 claims to support NTLM authentication. That would rock. I hope it happens. Adam

RE: [squid-users] Re: ntlm won't prompt

2003-07-10 Thread Adam Aube
>>Mozilla 1.4 claims to support NTLM authentication. > >That would rock. I hope it happens. Should have checked the Mozilla site before responding - 1.4 has been out for a week and a half. Too bad it only works for Windows, but then it would probably be very difficult to implement under Linux.

RE: [squid-users] Re: ntlm won't prompt

2003-07-10 Thread Robert Collins
On Fri, 2003-07-11 at 12:49, Adam Aube wrote: > A good compromise would be for Mozilla to prompt for username, password, > and domain, then use that info to do NTLM. Wouldn't have all the > benefits of Windows NTLM, but would be more secure than basic and > wouldn't require cleartext password st

RE: [squid-users] Re: ntlm won't prompt

2003-07-10 Thread Adam Aube
>Digest, per se, doesn't require clear text password storage. >Squid's supplied helper uses cleartext, but that is simply -a- >implementation. Squid itself never needs the cleartext password. Technically, yes - digest auth does not require the password to be stored in cleartext. However, as you po

RE: [squid-users] Re: ntlm won't prompt

2003-07-10 Thread Robert Collins
On Fri, 2003-07-11 at 13:18, Adam Aube wrote: > >Digest, per se, doesn't require clear text password storage. > >Squid's supplied helper uses cleartext, but that is simply -a- > >implementation. Squid itself never needs the cleartext password. > > Technically, yes - digest auth does not require the

Re: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Henrik Nordstrom
On Friday 11 July 2003 03.16, Norman Zhang wrote: > Please excuse my ignorance. Would passwords be passed in clear text > using basic auth? Yes. > Is there an authentication scheme that works > without clear text. Neither NTLM nor Digest passes passwords over the wire. Of the two Digest is pref

Re: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Henrik Nordstrom
On Friday 11 July 2003 03.41, Adam Aube wrote: > Quite frankly, if you can use NTLM auth, do it. That is the one > feature in IE that I wish other browsers would emulate. The NTLM over HTTP is fundamentally broken in its design and should never have seen the light. A classical "do it our way wi

Re: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Henrik Nordstrom
On Friday 11 July 2003 05.18, Adam Aube wrote: > Furthermore, since knowledge of the clear text password is needed > to verify the digest sent, the password would need to be stored > either in clear text or reversible encryption - unless I completely > misunderstand how digest auth works (which is

Re: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Henrik Nordstrom
On Friday 11 July 2003 04.09, [EMAIL PROTECTED] wrote: > from a programmer's perspective it's probably a pain but from our > point of view it seems the best. If you only knew the mess it makes with the HTTP protocol... NTLM is a proprietary protocol only available on Windows. Others who want to

RE: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Adam Aube
> The NTLM over HTTP is fundamentally broken in its design and should > never have seen the light. A classical "do it our way without regards > to standards" invention by Microsoft. Yes, NTLM is horribly broken - just like almost everything developed by Microsoft. The only reason I recommend it i

RE: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Adam Aube
> Well, there's a little project then :}. In point of fact, in 3.0 squid > can read pre-digested passwords in the supplied helper. Well, that's good news. > You completely misunderstand how digest auth works. See RFC 2617 for the > spec.. Based on the info you provide here, I think I did underst

RE: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Robert Collins
On Fri, 2003-07-11 at 22:26, Adam Aube wrote: > Yes, NTLM is horribly broken - just like almost everything developed by > Microsoft. The only reason I recommend it is because of the single sign > on capability it offers, that both basic and digest do not offer. SSO is -not- a property of NTLM. I

RE: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Adam Aube
> SSO is -not- a property of NTLM. It's a property of the OS and the > browser. It's fully possible to do SSO with basic (bad because of > password leak issues) and Digest (quite easy, using MD5-sess). As I acknowledged later in the message, it can be done with basic or digest. However, only NTLM

RE: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Robert Collins
On Fri, 2003-07-11 at 22:39, Adam Aube wrote: > Based on the info you provide here, I think I did understand it - I just > didn't know of any implementation that didn't require the cleartext > password. K. > > What is needed to verify the password is the HHA1 (see the spec), which > > is MD5(use

RE: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Adam Aube
I'm going to try to summarize the discussion thus far. NTLM auth is horribly broken, however: 1) It's currently the only auth scheme you can get SSO with 2) It does not send the password in the clear over the wire Therefore, if you are already running a Windows domain on your network, you mi

RE: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Henrik Nordstrom
Fri 2003-07-11 at 14.57, Adam Aube wrote: > Kerberos would be a good option, because it's fairly universal - UNIX > variants have supported it for years, and Windows started supporting it > with Win2k. You would then just need browser support. And the SPNEGO over HTTP method proposed by Micro

RE: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Henrik Nordstrom
Fri 2003-07-11 at 15.08, Robert Collins wrote: > We support nonces, but not client nonces. md5-sess requires client nonce > support. Err.. Squid supports client nonces, just not capable of triggering md5-sess HHA1 calculation, and lacks a helper interface for md5-sess HA1 exchanges. > NT Provi

RE: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Henrik Nordstrom
Fri 2003-07-11 at 16.41, Henrik Nordstrom wrote: > * An OS mechanism whereby locally authenticated users can get access to > their own credentials in a secure manner without having to re-enter the > password. For Digest this interface should provide two operations >a) Give me a client nonce

RE: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Adam Aube
> I googled the net for wb_group but can't seem to find a place to > download this. Is this included with Squid-2.5.STABLE1? I take > it I need to compile squid again if it is not found in > /usr/lib/squid/? You will need to recompile Squid. Check in the helpers/external_acl folder of the Squid source

RE: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Robert Collins
On Sat, 2003-07-12 at 00:51, Henrik Nordstrom wrote: > Fri 2003-07-11 at 15.08, Robert Collins wrote: > > > We support nonces, but not client nonces. md5-sess requires client nonce > > support. > > Err.. Squid supports client nonces, just not capable of triggering md5-sess > HHA1 calculation,

Re: [squid-users] Re: ntlm won't prompt

2003-07-11 Thread Henrik Nordstrom
On Saturday 12 July 2003 00.29, Robert Collins wrote: > squid can create a md5-sess HHA1 although the code is disabled actually it could not.. http://skrb.org/ietf/http_errata.html#md5sess_sample Regards Henrik

AW: [squid-users] Re: ntlm won't prompt

2003-07-16 Thread Mueller, Thomas
o:[EMAIL PROTECTED] > Sent: Tuesday, 15 July 2003 20:54 > To: [EMAIL PROTECTED] > Subject: [squid-users] Re: ntlm won't prompt > > > Mueller, Thomas wrote: > >>> But i want only to allow a specific NT Domain group > >> Fully possible. See the wb_

AW: [squid-users] Re: ntlm won't prompt

2003-07-17 Thread Mueller, Thomas
> ./configure --enable-external-acl-helpers="winbind_group" > > Regards, > Norman > Hi Norman, It did work fine, thanks for this. Next Problem :-) By manual testing the wb_group, i get this message: \\Domain\username /wb_group[13694](wb_check_group.c:231): Warning: Can't enum user groups. ERR

Re: AW: [squid-users] Re: ntlm won't prompt

2003-07-16 Thread Henrik Nordstrom
Wed 2003-07-16 at 10.14, Mueller, Thomas wrote: > Hi Norman, > > Thanks for the info, but i won't find "wb_group" in the > Original "squid-2.5.STABLE3" from squid-cache.org. > > Do you know how to recompile squid to get this helper? It is there. helpers/external_acl/winbind_group/ Regards

AW: AW: [squid-users] Re: ntlm won't prompt

2003-07-16 Thread Mueller, Thomas
It is there. helpers/external_acl/winbind_group/ > > Regards > Henrik > Hi Henrik, I only have the following files: Makefile -rwxr-xr-x1 1005 root 388 May 16 16:35 Makefile.am -rw-r--r--1 1005 root10197 May 17 02:16 Makefile.in -rwxr-xr-x1 1005 root

Re: AW: [squid-users] Re: ntlm won't prompt

2003-07-17 Thread Henrik Nordstrom
On Thursday 17 July 2003 18.35, Mueller, Thomas wrote: > By manual testing the wb_group, i get this message: > > \\Domain\username > /wb_group[13694](wb_check_group.c:231): Warning: Can't enum user > groups. ERR The helper wants at least one group name to match.. maybe this is the cause? try \

Re: AW: [squid-users] Re: ntlm won't prompt

2003-07-17 Thread Henrik Nordstrom
On Thursday 17 July 2003 23.22, Henrik Nordstrom wrote: > On Thursday 17 July 2003 18.35, Mueller, Thomas wrote: > > By manual testing the wb_group, i get this message: > > > > \\Domain\username > > /wb_group[13694](wb_check_group.c:231): Warning: Can't enum user > > groups. ERR > > The helper want

Re: AW: AW: [squid-users] Re: ntlm won't prompt

2003-07-16 Thread Henrik Nordstrom
Wed 2003-07-16 at 14.01, Mueller, Thomas wrote: > Hi Henrik, > > I only have the following files: > Makefile > -rwxr-xr-x1 1005 root 388 May 16 16:35 Makefile.am > -rw-r--r--1 1005 root10197 May 17 02:16 Makefile.in > -rwxr-xr-x1 1005 root 2913