Re: password reload trigger (patch included)

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 09 Nov 1997 23:22:41 +0100

Armistead, Jason wrote:

> So, if we want to change the code, what would be a more "reasonable"
> time period, balancing the check versus the overhead of reloads ? The
> real "catch" is that a user who does change his password can't then use
> the proxy for sites requiring authentication for at worst case 5 minutes

At least 1.2b5 has this bit of tuning built into squid.conf (as an
argument to the proxy_auth ACL line) so there is no need to fiddle
around with the source.

If you are using CGI scripts (or other interactive means of changing the
file) then you should probably set a quite low value, for example 10
seconds. The penalty is a stat() call every 10th second (which
hopefully will be in the kernel's file cache anyway). The 300 seconds (5
minutes) interval is chosen mostly to support adding new users, not
users changing their password.

Hmm.. one idea that might remove the need of tuning... Check if the file
is updated when we get an "invalid password" and keep the 5 minutes
default interval for detecting when you add/remove users.. I have
included a small (one line) patch for 1.1.18 and 1.2b5 to implement this
(completely untested, as I don't use proxy authentication).

---
Henrik Nordström

diff -u -r squid-1.2.beta5/src/acl.c squid-1.2.beta5+/src/acl.c
--- squid-1.2.beta5/src/acl.c Wed Nov 5 06:29:17 1997
+++ squid-1.2.beta5+/src/acl.c Sun Nov 9 23:04:09 1997
@@ -1084,6 +1084,7 @@
     passwd[0] &= (~0x80);
     if (strcmp(hashr->item, (char *) crypt(passwd, hashr->item))) {
         /* Passwords differ, deny access */
+ p->last_time=0; /* Trigger a check of the password file */
         debug(28, 4) ("aclMatchProxyAuth: authentication failed: user %s: "
             "passwords differ\n", sent_user);
         return 0;
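Review bot: the added `p->last_time=0;` line is not indented to match the surrounding block and lacks the spaces around `=` used on the neighbouring lines; write it as `        p->last_time = 0;`. Two behavioural points follow from the visible lines: the function still returns 0 on this path, so the request that carries a freshly changed password is denied and the re-check only takes effect on a later request (the user needs one retry); and because this path is reachable with any wrong credentials, every failed attempt now forces a stat() of the password file instead of one per interval, which is cheap but worth noting for a proxy reachable by untrusted clients.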

--- squid-1.1.18/src/client_side.c.dist Sun Nov 9 23:14:20 1997
+++ squid-1.1.18/src/client_side.c Sun Nov 9 23:16:04 1997
@@ -421,6 +421,7 @@
     passwd[0] &= ~(0x80); /* check vs crypt */
     if (strcmp(hashr->item, (char *) crypt(passwd, hashr->item))) {
         /* Passwords differ, deny access */
+ last_time = 0; /* trigger a reload of the password file */
         debug(33, 4, "proxyAuthenticate: authentication failed: user %s passwords differ\n", sent_user);
         xfree(clear_userandpw);
         return (dash_str);
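Review bot: `last_time = 0;` is a bare global here, unlike the per-ACL `p->last_time` in the 1.2b5 hunk, and the added line is again not indented to the block; match the surrounding indentation. Since the patch is described as untested, the one thing to verify before applying it is that the code consuming `last_time` compares the file's modification time before re-reading it, as the accompanying text intends ("check if the file is updated"); if it only tests elapsed time, zeroing `last_time` turns every failed login into a full re-read of the password file rather than a stat().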
Received on Sun Nov 09 1997 - 14:35:42 MST
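As an added illustration that is neither part of this post nor Squid's own code, the interval-plus-forced-check logic the one-line patch relies on, with the file's modification time passed in as a parameter (standing in for `st_mtime` from stat()) so it runs without a real password file; all names below are this example's own:

```c
#include <stdio.h>
#include <time.h>

#define CHECK_INTERVAL 300   /* seconds between stat() calls, as in the post */

/* Constructed state for one password file; not a Squid structure. */
struct pwfile_state {
    time_t last_time;   /* when the file was last stat()ed; 0 forces a check */
    time_t mtime;       /* modification time seen at the last reload */
    int reloads;        /* how many times the file would have been re-read */
    int stats;          /* how many stat() calls were made */
};

/* Returns 1 if the caller should re-read the password file now.
 * file_mtime stands in for the st_mtime a real stat() would return;
 * a reload only happens when the interval has passed (or was forced)
 * AND the file actually changed. */
int pwfile_maybe_reload(struct pwfile_state *s, time_t now, time_t file_mtime)
{
    if (s->last_time != 0 && now - s->last_time < CHECK_INTERVAL)
        return 0;                 /* within the interval: no stat() at all */
    s->stats++;
    s->last_time = now;
    if (file_mtime == s->mtime)
        return 0;                 /* stat()ed, but unchanged: keep the cache */
    s->mtime = file_mtime;
    s->reloads++;
    return 1;
}

/* What the one-line patch does on a failed authentication: drop the
 * timer so the next request re-stat()s the file immediately. */
void pwfile_note_auth_failure(struct pwfile_state *s)
{
    s->last_time = 0;
}

int main(void)
{
    struct pwfile_state s = { 0, 0, 0, 0 };
    pwfile_maybe_reload(&s, 1000, 500);   /* first call: initial load */
    printf("10s later, same mtime, reload: %d\n", pwfile_maybe_reload(&s, 1010, 500));
    pwfile_note_auth_failure(&s);
    printf("after failure, new mtime, reload: %d\n", pwfile_maybe_reload(&s, 1011, 700));
    printf("stat() calls: %d, reloads: %d\n", s.stats, s.reloads);
    return 0;
}
```

The counters make the trade-off in the thread visible: a forced check costs one stat() per failed login, but a re-read only happens when the mtime really changed.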