Re: [SQU] NDS Autentication

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 30 Oct 2000 23:05:32 +0100

John Lauro wrote:

> BorderManager doesn't use HTTP for the authentication process
> when talking to a Windows machine. You have to run a special program
> on the workstation. From my understanding (which might be off somewhat,
> but should be close....)

Sounds very much like ident or a similar function.

The official protocol for remote querying of who owns that connection
to me is ident. However, the protocol does not include any
authentication (only identification) and can easily be spoofed on a
Windows or other single-user station by the user running some other
ident service returning the identification of his choice.

Squid supports ident, and there are ident services for most known
platforms. Due to the restrictions above it is only truly useable when
you trust that the ident service running on the client computer is what
you think it is and not something else.

Another non-standard option is to run an authorization agent on the client
machines which keeps track of which user is logged on at the console,
and forwards this information to the proxy/firewall. However, this
approach often has added security issues where too much user information
is revealed, and is often done on a per IP basis which halts when there
are multi-user stations in the network.

--
Henrik Nordstrom
Squid hacker
Received on Mon Oct 30 2000 - 15:23:37 MST
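
An added example, not part of the original message and not Squid's own code: a minimal RFC 1413 (ident) reply parser for the proxy side, showing that the user name is simply the string the client's ident service returns, so it is only used when the client address is a host whose ident service you administer. The function names, the trusted network and the sample replies are constructed for illustration.

```python
import ipaddress

# Assumption: hosts whose ident service is run by the administrator
# (constructed documentation range, not from the original message).
TRUSTED_IDENT_NETS = [ipaddress.ip_network("192.0.2.0/28")]


def build_query(port_on_client_host, port_on_proxy):
    """RFC 1413 query: the port pair of the connection being asked about."""
    return f"{port_on_client_host}, {port_on_proxy}\r\n".encode("ascii")


def parse_reply(line, port_on_client_host, port_on_proxy):
    """Return the claimed user name, or None for errors and malformed replies."""
    text = line.decode("ascii", "replace").strip()
    parts = text.split(":", 3)  # ports : resp-type : opsys : user-id
    if len(parts) < 2:
        return None
    try:
        ports = parts[0].split(",")
        got = (int(ports[0]), int(ports[1]))
    except (ValueError, IndexError):
        return None
    # The reply must echo the port pair that was queried.
    if got != (port_on_client_host, port_on_proxy):
        return None
    # "ERROR" replies (NO-USER, HIDDEN-USER, ...) carry no identity.
    if parts[1].strip().upper() != "USERID" or len(parts) != 4:
        return None
    user = parts[3].strip()  # surrounding blanks are commonly dropped
    return user or None


def ident_user_for_acl(client_ip, reply, port_on_client_host, port_on_proxy):
    """Use an ident name for access control only from trusted hosts.

    The protocol carries identification, not authentication: nothing in
    the reply proves which program on the client machine produced it.
    """
    user = parse_reply(reply, port_on_client_host, port_on_proxy)
    if user is None:
        return None
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in TRUSTED_IDENT_NETS):
        return None  # well-formed reply, but from a host we do not control
    return user
```

A syntactically valid reply from an address outside the trusted range is dropped, because the proxy cannot tell which service on that machine produced it.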
