Re: [squid-users] Using login data of the user

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 16 Apr 2011 13:55:34 +1200

On 16/04/11 13:25, Leonardo Rodrigues wrote:
> On 15/04/11 21:30, Joachim Wiedorn wrote:
>> Hello,
>>
>> For some days I have been searching for a way to use the login data of the
>> user on his computer (client) for the authentication check while he is using
>> his browser.
>>
>> As I have understood it, if I activate authentication in
>> /etc/squid3/squid.conf then the browser asks the user for username and
>> password at the first web access. But the user has always done a login on
>> this client computer, so why must I start this second authentication check
>> of the user?
>>
>> This way would be useful with LDAP or AD, but also with PAM
>> authentication.
>>
>> Does anyone know the solution?
>>
>
> If your users have already logged in on your AD network, you can have
> squid configured to use those authentication credentials for logging and
> filtering web access *WITHOUT* asking again for username/password.
>
> Squid has several authentication methods; not all of them do this
> 'transparent' authentication. The most basic squid authentication
> method, the 'basic' one, doesn't do that. 'basic' authentication will ALWAYS
> give you an authentication popup. To achieve the transparent
> authentication, you'll probably have to use the ntlm, digest or negotiate
> authentication methods. Using these authentication methods *AFTER*
> having your Linux box joined to your AD network correctly, you can have the
> transparent authentication working. Users will open the browser, no
> authentication window will pop up and, even then, the username will be
> logged in the squid logs and can be used for filtering purposes.

Nope. All of the auth modes always query for credentials on every request.

  It is the browser which determines whether a popup is needed. I've
seen setups which do no popup for Basic auth. Though most do.

  Using modern browsers configure it for a password manager, then set NO
master password protection. The password(s) stored will then always be
available to the browser and used without a popup.

This may sound highly insecure. Because it IS. But that is how
single sign-on is designed to work.

To be safer it is better to set a master password and accept that the
user will get one login popup to enter that password when they first
open the browser. Everything else still happens invisibly in the background.

>
> ***PLEASE*** do not confuse transparent authentication with transparent
> proxy. No authentication method will work on transparently intercepted
> requests (transparent proxy). To have ANY authentication method working,
> the proxy **WILL HAVE TO BE** correctly configured on the browser.

Amen, Ditto and seconded on that plea.

To avoid trouble manually configuring browsers with proxy settings you
implement the *third* meaning of transparent *configuration*. Using WPAD
to spread PAC files around.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.6
Received on Sat Apr 16 2011 - 01:55:37 MDT
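
The exchange discussed in this thread, as an added example that is not from any poster or from Squid itself: a small simulation in which the proxy checks credentials on every request and the browser alone decides whether a popup appears. The account, realm, host names and the `Browser`/`proxy_handle`/`run` names are constructed for illustration.

```python
import base64
import hmac

PROXY_USERS = {"alice": "s3cret"}  # constructed sample account

def proxy_handle(headers):
    """Proxy side: each request is checked on its own; no valid credentials means 407."""
    scheme, _, token = headers.get("Proxy-Authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            user, _, pw = base64.b64decode(token, validate=True).decode().partition(":")
        except ValueError:  # malformed base64 or non-UTF-8 bytes
            user, pw = "", ""
        known = PROXY_USERS.get(user)
        if known is not None and hmac.compare_digest(known.encode(), pw.encode()):
            return 200, {}, user  # user name is now available for logging and ACLs
    return 407, {"Proxy-Authenticate": 'Basic realm="proxy"'}, None

class Browser:
    """Client side: the browser alone decides whether the user sees a popup."""
    def __init__(self, password_store=None):
        self.password_store = password_store  # (user, password) or None
        self.session = None                   # credentials cached for this session
        self.popups = 0

    def _ask_user(self):
        self.popups += 1
        return ("alice", "s3cret")  # the user types the constructed credentials

    @staticmethod
    def _basic(creds):
        return "Basic " + base64.b64encode(":".join(creds).encode()).decode()

    def get(self, url):
        headers = {"Host": url}
        if self.session:
            headers["Proxy-Authorization"] = self._basic(self.session)
        status, _, user = proxy_handle(headers)
        if status == 407:  # challenged: answer from the store if possible, else prompt
            self.session = self.password_store or self._ask_user()
            headers["Proxy-Authorization"] = self._basic(self.session)
            status, _, user = proxy_handle(headers)
        return status, user

def run(browser, n=3):
    """Fetch n URLs and report (statuses, logged users, popups shown)."""
    results = [browser.get(f"example{i}.test") for i in range(n)]
    return [s for s, _ in results], [u for _, u in results], browser.popups
```

The Basic token is only base64 of `user:password`, so anything that can read the request headers can recover the password.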
