Re: [SQU] Credentials forwarding?

From: Robert Collins <robert.collins@dont-contact.us>
Date: Tue, 19 Dec 2000 15:02:49 +1300

----- Original Message -----
From: "Henrik Nordstrom" <hno@hem.passagen.se>
To: "Chemolli Francesco (USI)" <ChemolliF@GruppoCredit.it>
Cc: <squid-dev@squid-cache.org>
Sent: Tuesday, December 19, 2000 10:17 AM
Subject: Re: [SQU] Credentials forwarding?

> Chemolli Francesco (USI) wrote:
>
> > I fear not. Think what happens with NTLM: in this case the only
> > kind of forwarding you can do is pass-through.
> > This works, of course, but still doesn't work for my needs. An
> > X-Squid-Authenticated-User: username
> > and
> > X-Squid-Originating-Client: ip_address
>
> A better choice is perhaps to translate it to basic with a shared
> secret password... this has the benefit that it is a known mechanism
> which is well understood by servers.
>
> As I said the whole concept of how to configure accelerators should be
> reworked, preferably using the cache_peer concept which would add space
> for options like this among other things..
>

The goal is to allow the upstream cache to know the user name, without it
needing to perform external authentication, and without allowing users to
connect directly to the upstream cache and spoof or replay the credentials
of another user.

The basic scheme is out of the question (susceptible to replay & secret
sniffing).
Could the downstream cache login to the upstream cache on each request with
the appropriate username & a cache-shared secret using digest
authentication? Yes.
Does that solve the replay issue? Yes.
Would NTLM/Kerberos perform the same service? Yes... but Digest in HTTP is
now an rfc.
But now the upstream cache has a separate user database than the downstream
cache, so no user can connect directly and authenticate without knowing the
cache-cache secret.
Thus my suggestion of a Digest based cache-cache authentication that does
not collide with client-cache authentication. The downside as you point out
is that it is unknown to the internet at large. However as upstream caches
that don't support it would just ignore it, it wouldn't break anything, and
if thought out clearly enough we could put forward a specification...

BTW: This aspect of the thread is not about acceleration - it's about cache
hierarchies and logging of user details at the top of the hierarchy.

Rob
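The per-request Digest login between the two caches that Rob sketches above, as an added illustration (not Squid code, nor anything posted in the thread): both sides of the exchange, with the upstream cache tracking the nonce count so a captured Authorization header cannot be replayed, and the shared secret never crossing the wire. All names, URIs and the secret are constructed.

```python
import hashlib
import secrets

# Constructed values: the secret both caches hold, and the upstream's realm.
SHARED_SECRET = "cache-cache-secret"
REALM = "upstream-cache"


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, secret, nonce, nc, cnonce, method, uri):
    """RFC 2617 response with qop=auth: KD(H(A1), nonce:nc:cnonce:auth:H(A2))."""
    ha1 = md5hex(f"{user}:{REALM}:{secret}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class UpstreamCache:
    """Verifier side: issues nonces and rejects replays via the nonce count."""

    def __init__(self):
        self.seen = {}  # nonce -> highest nc value already accepted

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.seen[nonce] = 0
        return nonce

    def verify(self, user, nonce, nc, cnonce, method, uri, response):
        if nonce not in self.seen:
            return False  # unknown or expired nonce
        if int(nc, 16) <= self.seen[nonce]:
            return False  # nc did not advance: a replayed header
        expected = digest_response(user, SHARED_SECRET, nonce, nc, cnonce, method, uri)
        if not secrets.compare_digest(expected, response):
            return False  # sender does not hold the cache-cache secret
        self.seen[nonce] = int(nc, 16)
        return True  # upstream now knows `user` without its own user database


def downstream_request(upstream, user, method="GET", uri="/index.html",
                       nc="00000001", nonce=None):
    """Downstream side: answer the upstream's challenge on behalf of `user`."""
    nonce = nonce or upstream.challenge()
    cnonce = secrets.token_hex(8)
    resp = digest_response(user, SHARED_SECRET, nonce, nc, cnonce, method, uri)
    return nonce, cnonce, resp
```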
Received on Mon Dec 18 2000 - 19:09:08 MST
