RE: [SQU] Credentials forwarding?

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Tue, 9 Jan 2001 09:13:58 +0100

Of course that system MUST NOT be the only one used
by the upstream server. Instead, IP-address-based
ACLs SHOULD be used for that purpose. This system's
purpose is ONLY credentials forwarding.

-- 
	/kinkie 
> -----Original Message-----
> From: Robert Collins [mailto:robert.collins@itdomain.com.au]
> Sent: Tuesday, January 09, 2001 1:04 AM
> To: Henrik Nordstrom; Chemolli Francesco (USI)
> Cc: squid-dev@squid-cache.org
> Subject: RE: [SQU] Credentials forwarding?
> 
> 
> > -----Original Message-----
> > From: Henrik Nordstrom [mailto:hno@hem.passagen.se]
> > Sent: Tuesday, 9 January 2001 10:48 AM
> > To: Chemolli Francesco (USI)
> > Cc: squid-dev@squid-cache.org
> > Subject: Re: [SQU] Credentials forwarding?
> > 
> > 
> > Chemolli Francesco (USI) wrote:
> > 
> > > > A better choice is perhaps to translate it to basic with a shared
> > > > secret password... this has the benefit that it is a known mechanism
> > > > which is well understood by servers.
> > > 
> > > That might work. Maybe some magic in the cache_peer options (i.e.
> > > login=@USER@:sharedpassword)
> > 
> > what about login=*:password. Looks better I think ;-)
> > 
> > Implementing it should be pretty simple. One or two lines.
> > 
> > /Henrik
> > 
> > 
> 
> The problem is, it's vulnerable to replay attacks. 
> 
> Re: implementing
> -Sure as a quick hack it'll get the username to the upstream server,
> which then needs to be told something like
> acl foo proxy_auth PASSEDTHROUGH
> so that it doesn't try to authenticate externally every usercode, and
> instead trusts the downstream.
> 
> Rob
> 
Received on Tue Jan 09 2001 - 02:01:33 MST
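
As an added illustration (not part of the thread and not Squid code), this Python model shows the arrangement the message describes: the downstream sends a static `user:sharedpassword` Basic credential, and the upstream treats its address ACL as the actual trust decision. The addresses, function names and upstream logic are assumptions made for the example.

```python
import base64
import hmac
import ipaddress

# Constructed values for illustration only.
SHARED_PASSWORD = "sharedpassword"
TRUSTED_DOWNSTREAM = [ipaddress.ip_network("192.0.2.10/32")]


def forwarded_header(username, shared_password=SHARED_PASSWORD):
    """Credential a downstream proxy would send for login=*:password."""
    token = base64.b64encode(f"{username}:{shared_password}".encode()).decode()
    return "Basic " + token


def parse_basic(header_value):
    """Return (user, password) from a Basic credential, or None if malformed."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def upstream_accepts(peer_ip, header_value):
    """Return the forwarded username, or None if the request is rejected."""
    addr = ipaddress.ip_address(peer_ip)
    # The header is identical on every request, so it proves nothing by
    # itself; the source-address check is what establishes trust.
    if not any(addr in net for net in TRUSTED_DOWNSTREAM):
        return None
    creds = parse_basic(header_value)
    if creds is None:
        return None
    user, password = creds
    if not hmac.compare_digest(password.encode(), SHARED_PASSWORD.encode()):
        return None
    return user
```

The credential for a given user never changes between requests, which is the replay concern raised in the quoted reply; the address check rejects it when it arrives from anywhere other than the trusted downstream.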
