RE: Authentication question problems

From: Williams Jon <WilliamsJon@dont-contact.us>
Date: Fri, 26 Feb 1999 09:23:30 -0600

I'm wondering if people are using just static files (like NCSA auth) or if
they're using external authentication services. If you have a service
running, it might be possible to set a short expiration on a password (like
5 minutes?) and then let the auth server itself handle the timeout issue.
Then, Squid would just go out and say "Is this user/password valid", and the
auth server would look at the time and say yes or no.

Granted, this isn't 100% doable with purchased solutions for the auth
server, since a lot of the time, the password expiration time is measured in
days, not minutes, but this seems like a decent way to address the problem
without having to rearchitect HTTP :-)

Jon

> -----Original Message-----
> From: Elfredy V. Cadapan [SMTP:evc@ics.uplb.edu.ph]
> Sent: Friday, February 26, 1999 8:26 AM
> To: squid-users@ircache.net
> Subject: Authentication question problems
>
> Hi,
>
> >From: Josh Kuperman <sar_kuper@sals.edu>
> > I'm trying to set up squid for use in a public library with computers by
> > our reference desk. What I want is for the databases and ready-reference
> > material (e.g. http://www.m-w.com, http://www.thomasregister.com) to be
> > available to anyone who want them without any authentication.
> > I'd like the rest of the net to be available to authenticated users
> > for say 15 minutes so that someone could look things up quickly. We have
> > a computer lab where people can sign up for an hour (and stay on forever
> > if no one else comes in.) I'd like to eliminate our current need to kick
> > people out of the lab for people who just want to look at what's on a
> > single web page and would then leave in five minutes.)
>
> I have a set of Netscape terminals with similar requirements. In my case,
> I have to keep people from using Netscape (all access) for more than 90
> mins at a time.
>
> I'm using a series of very ugly Perl hacks in order to manage this. (I
> have no time to whip up something better... :)
>
> The main problem with session control for squid auth is that web usage is
> stateless - i.e. there is no "logged in" or "logged out" state for a user.
>
> > But because many different people will use the machine there are two
> > major authentication problems.
>
> > 1. Once an IP address is authenticated it tends to stay authenticated. I
> > turned the ttl down to 10 minutes. (I assumed that the default of 3600
> > was in seconds and gave users an hour). But I can't find a way for a
> > user to logout, so to speak, from the proxy-server. Thus if a person
> > who I want to let have unlimited access is done in 5 minutes and
> > leaves, how do I stop someone else from sitting down and having full
> > access? Note these are Windows machines with no logins of any kind.
>
> One of my scripts parses the access.log file, maintaining a "record" of
> the time of the first access of each user (i.e. the first object retrieved
> through Squid) and cuts off access 90 mins after that recorded time. (I
> realize this is a bit unfair, as someone who merely logged in for 15 mins
> gets logged off also 75 mins later).
>
> I'm using squid-1.1.20 with the auth_acl patches. I have squid use a
> "active" password file, and a script in cron deletes "timed out" users
> from that file. Another script re-enables (adds) everyone at 9 am, 12
> noon, 3 pm and 8 pm. (I told you it was kludgy).
>
> I'm currently trying out Squid-2.1.PATCH2. If the IP authentication
> "sticks" as you say, then I may have to rethink my scripts (kludge: maybe
> a squid -k reconfig?)
>
> > 2. Is there a way of stopping someone from just logging in over and over
> > again. Henrik Nordstrom suggested delay pools as a way of approximating
> > limiting the total time, which seems like an overly complicated method.
> > I really think I'm trying to do a very simple task. I was thinking there
> > must be some way to just intercept the call to ncsa_auth (or modify
> > ncsa_auth) to just flag a login as having been used for the day.
>
> In my case, deletion from the password file will prevent this.
>
> The best solution, of course, is writing a custom auth program (based on
> ncsa_auth) with these features. If I do get some time, I may try a
> perl auth program (save to dbm file, etc).
>
> - Elfredy Cadapan
> - Institute of Computer Science, Univ. of the Philippines at Los Banos
>
>
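Both posters end up at the same design: an ncsa_auth-style helper that enforces the session window itself, so Squid only ever asks "is this user/password valid right now". The following is an added example of that logic (not code from any poster), assuming the Squid 2.x basic-auth helper protocol of one "user password" line on stdin answered by "OK" or "ERR" on stdout; the sha256 password store, the `patron` user and the 15-minute default are constructed stand-ins for the NCSA password file and the thread's numbers.

```python
import hashlib
import hmac
import sys
import time

SESSION_SECONDS = 15 * 60  # the 15-minute window from the thread (constructed default)


def hash_password(password):
    # Constructed stand-in for the NCSA/htpasswd crypt format ncsa_auth reads.
    return hashlib.sha256(password.encode()).hexdigest()


class SessionAuth:
    """Squid 2.x-style basic-auth helper: one "user password" line on stdin,
    one "OK" or "ERR" line on stdout.  The first successful login starts that
    user's clock; after session_seconds the login answers ERR until reset()."""

    def __init__(self, users, session_seconds=SESSION_SECONDS, now=time.time):
        self.users = users                    # username -> hash_password(...)
        self.session_seconds = session_seconds
        self.now = now                        # injectable clock, for testing
        self.started = {}                     # username -> time of first OK

    def check(self, user, password):
        expected = self.users.get(user)
        if expected is None:
            return "ERR"
        if not hmac.compare_digest(hash_password(password), expected):
            return "ERR"                      # bad password: clock not started
        now = self.now()
        start = self.started.setdefault(user, now)
        if now - start >= self.session_seconds:
            return "ERR"                      # window used up; logging in again does not help
        return "OK"

    def reset(self):
        # The cron "re-enable everyone" step from the thread.
        self.started.clear()

    def serve(self, lines):
        # Helper protocol loop: malformed lines and unknown users both get ERR.
        for line in lines:
            parts = line.rstrip("\r\n").split(" ", 1)
            yield self.check(*parts) if len(parts) == 2 else "ERR"


if __name__ == "__main__":
    # Constructed demo user; Squid 2.x would start this helper via authenticate_program (assumed).
    auth = SessionAuth({"patron": hash_password("lookup")})
    for reply in auth.serve(sys.stdin):
        sys.stdout.write(reply + "\n")
        sys.stdout.flush()
```

Because the clock starts at the first successful login rather than at a fixed slot, a patron who leaves after five minutes still blocks that login for the rest of the window, which is the same unfairness Elfredy notes about his 90-minute cut-off.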
Received on Fri Feb 26 1999 - 08:40:06 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:44:45 MST