On Friday 13 June 2003 17.44, Leonard Els wrote:
> We have used SQUID since its very early releases here at the School
> of Computer Science, University of Natal, Pietermaritzbug, South
> Africa. However, of late it has become necessary to implement user
> access control and logging.
>
> The simple IDENT is open to spoofing on our Windows clients, so I
> was left investigating other methods. We obviously do not wish to
> recreate a base of thousands of username/passwords just for SQUID,
> so have been looking at LDAP, PAM etc modules to talk to our
> directory services (Netware based). The problem is that allowing
> plaintext (base64) usernames and passwords to travel from the
> browser to SQUID in a student environment where we have billing in
> place for large usage, opens up doors for hackers.
>
> However, I see that even in the latest SQUID dev release, the
> Digest Authentication is lacking a most simple LDAP module.
This is because we know of no backend database for which a Digest
integration would be reasonably possible, and all methods available
today would create non-standard methods.
Digest includes a mode (MD5-sess) intended to be used with separate
backend user databases in a secure manner, but for this to work the
backend database must support MD5-sess. Unfortunately there is no
standard on how to integrate with a MD5-sess capable user database.
Another alternative is if your backend database (i.e. LDAP) would
allow trusted applications access to users plaintext passwords. In
such case all you need to do is to extend the digest password helper
with a small LDAP glue for retreiving the users password from your
LDAP server. (TLS + authentication a must for this to be somewhat
secure in LDAP).
> It was then when I came up with the following thought. Is it
> possible to get squid to issue its OWN SECURE authentication web
> FORM over SSL? This is what Novell's BorderManager product does
> (see jpg insert).
Yes, but this won't be proxy authentication.
By using this method the user authorizes his IP address to use the
proxy for a given period of time. To do this you implement a login
form on some web server, and make the script which accepts logins
from this form then inform Squid or your firewall that the IP address
is not authorized to use the proxy.
> The user then types their credentials into the
> secure FORM, and squid then passes the info on to one of its AUTH
> modules (such as secure LDAP). To me, this seems a better way than
> Digest Authentication or other methods which are still in infancy.
> SQUID obviously has to only do this once for each session (and not
> every page or request), much like the IDENT is already handled in
> SQUID.
>
> Any thoughts? Anyone game to program this?
From a raw security perspective Digest authentication is much more
secure, but as Digest authentication never sees the user password
integration to backend user databases is a bit tricky.
Regards
Henrik
Received on Sat Jun 14 2003 - 07:02:02 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:20:08 MST