Re: [squid-users] Authentication of non-standard methods

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 12 Dec 2012 13:32:46 +1300

On 12.12.2012 11:33, Trever L. Adams wrote:
> Hello Everyone,
>
> I am looking at Shibboleth. I have seen one example
>
> (http://www.switch.ch/aai/support/presentations/opcom-201105/AAI-OpCom-AAI_for_mandatory_authentication_and_proxy_usage.pdf)
> for using it with Squid. I am afraid it makes no sense to me.
>
> I am afraid I do not know much about Shibboleth yet. It has three
> components for authentication, user, password, domain. It has to use
> redirects, etc.
>
> I see an easy way for this to work, but need help figuring it out.
>
> If a user isn't authenticated, I need to send them to a url.

  acl bounce src all
  acl auth proxy_auth REQUIRED
  deny_info 307:http://example.com/ bounce
  http_access deny !auth bounce

... but see below...

>
> How do I know if a user is authenticated? Well, it seems that this is
> going to have to be passing the requesting client's ip address to a
> program and get the response back if they are authenticated or not.

NOTE: user != IP address. Therefore user authentication does not imply
IP address is authenticated, particularly in HTTP where one client (IP
address) can be presenting traffic from multiple users.
  Essentially stateful connection-based authentication and stateless
HTTP do not mix well - as is constantly being 'discovered' by NTLM
people.

> It
> would be nice if I could pass a user name, but I am not sure how to
> do
> this as this would require interaction with the browser and this
> should
> be SSO.

The ACLs above pass the Proxy-Authenticate header to a helper program
for authentication tests. That header contains username and security
token, sometimes domain if the auth type uses domains.

SSO is a property of the *backend* accepting the credentials supplied
by the client to Squid. SSO is simply the process of the backend
accepting the same credentials from multiple services (Squid being one).
  It is no different than a user signing up at two separate
websites with identical username/password details and being able to
login to both.

>
> So, is it possible to do an auth_param to a special program that just
> looks at the ip address? Have it return yes/no for if it is an
> authenticated session?

No. auth_param is about verifying that the user is who they say they
are. Cousin Bob arriving in Alice's car ('from' IP address) does not
verify that Bob == Alice, only that the vehicle is a car not a truck.

IP can at most be used as an authorization check to make some handling
decision about the particular request. Authorization is done with
external_acl_type helpers.

>
> If no, then do a url_rewrite_access (I am assuming this is correct)?

redirector helper is one way to do it. But these must first accept the
request for processing (http_access allow). It is more efficient to do
the above ACLs I listed and alter the denial message sent by Squid into
a 307 redirect message.

** redirectors, like external ACL helpers, do not perform HTTP
authentication. Just authorization.

>
> Finally, is it possible to have multiple authentication algorithms?

When using Proxy-Authenticate: yes of course.

> Some
> of the users will be local and be able to do krb5/spnego. So, if at
> all
> possible, I would like to have the option of trying krb5, then
> spnego,
> then Shibboleth.

I suggest you work along the lines of using an external_acl_type helper
for Shibboleth. Since it is more about authorization of a request to be
processed than authenticating that the source IP is a genuine user
account.

You can use localnet ACL or a similar check for internal/external
clients to skip or require the authentication with Negotiate/kerberos.

Amos
Received on Wed Dec 12 2012 - 00:32:53 MST
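As an added illustration of the external_acl_type route Amos suggests (this is not code from the thread or from the Squid project): a minimal helper that speaks Squid's external ACL protocol, reading one "%SRC" value per line from stdin and answering "OK" or "ERR". The session table is a constructed stand-in for whatever the Shibboleth login flow records; the helper name, the "%SRC"-only format, the "--concurrent" flag and the sample addresses are all assumptions made here. Consistent with the point above, a hit in this table authorizes the request; it does not authenticate the user, since a shared IP can carry traffic from several people.

```python
#!/usr/bin/env python3
"""Illustrative Squid external_acl_type helper (not Squid's own code).

Squid hands the helper one line per lookup, built from the format tokens
in the external_acl_type directive (assumed here to be just "%SRC"), and
expects "OK" or "ERR" on stdout, one reply per request line. With
"concurrency=N" on the directive, each line is prefixed with a numeric
channel id that must be echoed back in front of the reply.
"""
import sys
import time
import ipaddress

# Constructed sample data: client IP -> (username, session expiry as epoch seconds).
# A real deployment would consult the SSO component's session store instead.
SESSIONS = {
    "192.0.2.10": ("alice", 4102444800.0),   # far-future expiry: live session
    "192.0.2.11": ("bob", 0.0),              # already expired
}


def lookup(src_ip, sessions, now):
    """Return "OK user=<name>" for a live session on src_ip, otherwise "ERR"."""
    try:
        ipaddress.ip_address(src_ip)
    except ValueError:
        # Anything that is not an IP literal is treated as not authorized.
        return "ERR"
    entry = sessions.get(src_ip)
    if entry is None:
        return "ERR"
    user, expires = entry
    if expires <= now:
        # Expired session: Squid will deny and its deny_info can bounce the
        # client to the login URL.
        return "ERR"
    return "OK user=%s" % user


def handle_line(line, sessions, now, concurrent=False):
    """Parse one helper request line and build the reply line for it."""
    fields = line.strip().split()
    channel = ""
    if concurrent:
        # Channel id comes first and is echoed back verbatim.
        if not fields or not fields[0].isdigit():
            return "ERR"
        channel = fields.pop(0) + " "
    if len(fields) != 1:
        # Exactly one %SRC token is expected; refuse anything else.
        return channel + "ERR"
    return channel + lookup(fields[0], sessions, now)


def main():
    concurrent = "--concurrent" in sys.argv[1:]
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, SESSIONS, time.time(), concurrent) + "\n")
        sys.stdout.flush()   # Squid blocks waiting for each reply


if __name__ == "__main__":
    main()
```

Wiring it in follows the shape of the ACLs earlier in the reply: an external_acl_type line naming the helper with a "%SRC" format (and a ttl= value so Squid caches answers), an "acl ... external ..." referencing it, an "http_access allow" for that ACL placed before the deny that carries the 307 deny_info, and a localnet check ahead of all of it to decide which clients are sent through Negotiate/Kerberos instead.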