[squid-users] Re:Help!setting up squid to authenticate through accounts passwords

From: Lim Seng Chor <Lim.Seng.Chor@dont-contact.us>
Date: Fri, 25 May 2001 10:12:44 +0800

Well, pam_auth is an external program invoked by squid, where
squid is started as uid nobody (or whatever you have defined for your
cache_effective_user). As a result, pam_auth is started as the
same uid as squid (type ps -axu | grep pam_auth or ps -ef | grep
pam_auth).
pam_auth looks into your /etc/passwd and /etc/shadow (or
/etc/master.passwd for bsd-ish systems??) and checks for the login
and password pair. You need root for viewing the shadow file; if not, you
will get "ERR" each time when verifying a password.
If you want to use pam_auth, here are some ways for you:
(1)
chown root /bin/pam_auth
chmod u+s /bin/pam_auth
or (2)
chgrp root /etc/shadow
chmod g+r /etc/shadow
chgrp root /bin/pam_auth
chmod g+s /bin/pam_auth

I personally feel pam_auth is a dangerous program to run if you are
running a multi-user system, unless you are running a dedicated
cache system; otherwise pam_auth might get you into trouble.
This may allow users to do brute-force attacks on password
guessing or password sniffing on the port pam_auth is listening on, and
an unknown setuid buffer overflow in pam_auth, if one exists. Do this at
your own risk. Good luck!!

From Joe/SIT/MIS

On 24 May 2001, at 18:26, Fred Kamwaza wrote:

> Thanks very much for coming to my rescue.
>
> I have tried to use the full path as suggested but it still doesn't
> work. ---- authenticate_program /bin/pam_auth ---- However, on its
> own, I can type 'pam_auth' on command line and it works.
>
> Is there anything else I can try?
>
> Thanks once again for your assistance.
>
>
> > On 24 May 2001, at 13:07, Fred Kamwaza wrote:
> >
> >> I have also tried to add the following lines to my squid.conf:
> >> -------------------------------------
> >> authenticate_program pam_auth shadow
> >> authenticate_children 10
> >> authenticate_ttl 3600
> >> authenticate_ip_ttl 0
> >> acl password proxy_auth REQUIRED
> >> acl user1 src 10.30.0.5/255.255.255.255
> >> http:_access allow user1 password
> >> --------------------------------------
> >
> > try to type the full path to your external auth program
>
>
> --
> Fred Kamwaza
> University of Malawi
> The Polytechnic
> P/B 303, Chichiri, Blantyre 3
> -------------------------------------
> Tel: (265) 670 411 (o); (265) 842 891 (m)
> Fax: (265) 670 578
> email: fred@sdnp.org.mw
> URL: http://poly.sdnp.org.mw
>
>

----------------------------------------------------------
Lim Seng Chor, Joe
MCP,MCP+I,MCSE,MCSE+I,MCDBA,CCNA
MIS Senior Executive
System/Network Administrator
Sepang Institute of Technology
Tel: (+603) 33430628 (extension: 270)
Fax: (+603) 33430240
-----------------------------------------------------------------------
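As an added illustration (not part of the original mail, and not code from Squid or pam_auth), here is a small shell check that classifies how a helper started as cache_effective_user can reach the shadow file, following the two options Joe lists above; the function names, the argument layout and the GNU stat format are assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail. Given the helper's and the
# shadow file's permission data, say which of the two options above applies.
#   helper_access HELPER_MODE HELPER_OWNER HELPER_GROUP SHADOW_MODE SHADOW_GROUP
# Modes are octal as printed by `stat -c %a` (e.g. 4755). Prints one of:
# setuid-root, setgid-group, world-readable-shadow, none.

# True when octal mode $1 has bit mask $2 set (leading 0 forces octal).
mode_has() { [ $(( 0$1 & $2 )) -ne 0 ]; }

helper_access() {
    hmode=$1; howner=$2; hgroup=$3; smode=$4; sgroup=$5
    if mode_has "$hmode" 04000 && [ "$howner" = root ]; then
        # Option (1): helper runs with euid 0 and reads shadow regardless.
        echo setuid-root
    elif mode_has "$hmode" 02000 && [ "$hgroup" = "$sgroup" ] \
         && mode_has "$smode" 040; then
        # Option (2): helper gains only the shadow file's group (narrower).
        echo setgid-group
    elif mode_has "$smode" 04; then
        # Shadow readable by everyone: works, but defeats the point of shadow.
        echo world-readable-shadow
    else
        # Helper stays an unprivileged uid: every lookup will answer ERR.
        echo none
    fi
}

# Inspect real files (assumes GNU stat; on BSD use: stat -f '%Lp %Su %Sg').
audit_helper() {
    helper=$1; shadow=${2:-/etc/shadow}
    set -- $(stat -c '%a %U %G' "$helper") $(stat -c '%a %U %G' "$shadow")
    helper_access "$1" "$2" "$3" "$4" "$6"
}
```

Run `audit_helper /bin/pam_auth` on the cache host to see which case the current permissions fall into.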
Received on Thu May 24 2001 - 19:59:30 MDT
