Re: [squid-users] Kerberos authentication that doesn't block

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 30 Aug 2013 18:07:33 +1200

On 30/08/2013 4:32 a.m., Trever L. Adams wrote:
> Hello everyone,
>
> I am having a difficult time. I am not just trying to do something
> similar to
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass, but
> without blocking most sites for unauthenticated users.

It is a key property of secure authentication such as Kerberos that no
client *starts* by shotgunning their credentials to unknown recipients.

> The sites I need to block except for certain groups / authentication,
> etc., are not known at http_access time, only at http_reply_access time.
>
> Because of this, I am not sure how to trigger the negotiate process and
> not block authenticated users. The below does not work. I am not sure
> why it doesn't, but it does block on access control / authentication for
> all web sites, not just the category blocked (yes, I left the deny on
> http_reply_access out below, but it exists).

How are you defining "blocking"?

And how do you expect authentication to be performed without credentials
to verify?

Amos
Received on Fri Aug 30 2013 - 06:07:45 MDT

This archive was generated by hypermail 2.2.0 : Fri Aug 30 2013 - 12:00:16 MDT