Hi Henrik and Brian, and happy new year to the squid mailing list !
Hrm. Firefox seems to disagree, at least in it's implementation. Squid
sends "Negotiate" as the authentication mechanism and Firefox responds
with Kerberos.
The Negotiate HTTP scheme is defined by Internet RFC4559 "SPNEGO-based
Kerberos and NTLM HTTP Authentication in Microsoft Windows", which
specifies Kerberos within GSS-API as applied by SPNEGO..
Quote:
The "Negotiate" auth-scheme calls for the use of SPNEGO GSSAPI tokens
that the specific mechanism type specifies.
Relevant RFCs:
RFC4559 SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft
Windows (Negotiate)
RFC4178 The Simple and Protected Generic Security Service Application
Program Interface (GSS-API) Negotiation Mechanism (SPNEGO)
RFC2743 Generic Security Service Application Program Interface Version
2, Update 1. (GSS-API)
Now I am not an expert on how this translates to wire format so I leave
it to you to read and consider if what your Firefox does is sufficient
to meet the specifications or not..
I have been looking for the same setup as you are (transparent
authentication proxy in a full linux environment, ie linux/firefox +
linux/heimdal kerberos + linux/squid) for some time already, and I asked
the same question a few month ago with the same answer (need of a
helper). So I have read this thread with much interest, and think I may
add a few bits of information here.
You have mentionned in a previous post that your firefox was doing
native KRB5 nego instead of SPNEGO/KRB5. It may go back to the original
implementation that can be found at
http://meta.cesnet.cz/cms/opencms/en/docs/software/devel/negotiate.html
: <quote>Since we don't have any SPNEGO implementation we are using
directly Kerberos implementation of GSS API". </quote> . I don't know if
spnego has been added since then.
The interesting bit is that the same people have developped an apache
authentication module corresponding to the mozilla negotiation
implementation (http://modauthkerb.sourceforge.net/index.html) . Please
correct me if I'm wrong, but a apache auth module and a squid auth
helper should be quite similar, shouldn't it? Current maintainer of the
apache kerberos auth module is Daniel Kouril, who is working/studying in
a Czesk university. He is working on the myproxy project, whose goal is
to ease the authentication/authorization management using certificates,
especially in grid computing environement. I'll drop him an email to see
if he is interested to collaborate with the squid community.
Cheers,
Denis
Regards
Henrik
--
Denis Cardon
Tranquil IT Systems
10 rue du Docteur Bouchard
49400 Saumur
tel : +33 (0) 2.41.67.56.99
fax : +33 (0) 2.40.56.09.81
mob : +33 (0) 6 81 66 27 62
http://www.tranquil-it-systems.fr
