AW: [squid-users] Squid pam_auth

From: Ulrich Walcher <uw@dont-contact.us>
Date: Thu, 18 Apr 2002 21:49:55 +0200

Sorry,
I'm didn't get deep enough into all the things one should know when playing
around with linux within the last three months.

I'm curious about wireless networks and I was thinking about giving access
that way although the 'problem' of giving access is not only interesting for
wireless networks.
As HTTP hasn't the concept of sessions the idea wasn't that good, but anyway
here's just what I thought:

auto-detect-file for a proxy on the network (not tested yet - time...)
iptables: Chain FORWARD is DROP default
AP (wireless access point) authenticates users MAC-address against RADIUS
user authenticates agains squid via pam_auth --> pam_radius_auth

So far so good. Till this point everything's working

With

squid session required .../pam_iptables.so

there would have been the possibility to add a rule to the FORWARD chain (or
any other chain required) as long as the (obviously non-existant :(( session
would last.

Well, anyway, I bet there are a lot of weird ideas around from people having
not that much knowledge on the facts one has to have.

...thinking ...thinking ...thinking ...thinking
With a quick opening (and closing) the session the rule could be added.
Then alter some code in pam_iptables "do not remove the rule on session
close / logout or however it is called", put instead any type of tll=???
(big ttl!) or an "exit-command" for the pam (???) to add the rule 'static'.
(As I said, next to no knowlegde in c...)

And then, once again without having the knowledge ;) :
If you have the possibility to find out whether an IP is supplied by DHCP or
static with a short command - perfect. Otherwise one could (???) crosscheck
the dhcpd.leases file with the iptables rules regarding the ip and the
timestamp and remove the rule if there's no longer an analogy with the
dhcpd.lease file.
I bet there are some steps missing (or something wouldn't work at all), but
in the end I'm just curious...

If all that's just bullshit I hope it didn't take too much of your time for
answering more serious questions on the bord.
If you see any light at the end of the tunnel regarding that problem please
let me know.

ThanX anyway!

Regards,
Uli

-----Ursprungliche Nachricht-----
Von: hno@marasystems.com [mailto:hno@marasystems.com]Im Auftrag von
Henrik Nordstrom
Gesendet: Donnerstag, 18. April 2002 18:57
An: Ulrich Walcher
Cc: squid-users@squid-cache.org
Betreff: Re: [squid-users] Squid pam_auth

HTTP does not have the concept of sessions.

How do you want pam_auth to use the session PAM module?

We could quickly open and close a session when the password is verified,
but what is the point in doing so?

Regards
Henrik

Ulrich Walcher wrote:
>
> Hi,
> has anyone found the pam_auth module for squid that supports the session
> module? ...or even rewritten the existing one?
> As I'm not into c I can't do i myself - unfortunately.
> TIA
> Uli
Received on Thu Apr 18 2002 - 13:47:15 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:07:36 MST