[squid-dev] [RFC] Auth design changes

Amos Jeffries squid3 at treenet.co.nz
Wed Oct 22 03:07:40 UTC 2014

Negotiate auth protocol is a bit nasty since it is a wrapper protocol
around both NTLM and Kerberos.

We are facing issues where Negotiate/NTLM handling differs from plain
NTLM and the negotiate_wrapper helper can fail as a result.

Markus has requested I look into merging the wrapper helper
functionality into the Negotiate auth module itself instead of a
separate helper. It has been a long task trying to figure it out but I
think I may have a way forward finally.


What I would like to do is:

 * adjust the module APIs such that the label they emit on headers is
configurable and can be changed at runtime, independent of the type()
name they are configured and indexed by.

 * move most of the existing Negotiate code to a module called
Kerberos, which would think its native scheme type() was "Kerberos"
[albeit unused], and emit the helper blobs as-is.

 * write a new Negotiate module that has Config::decode() probe the
GSSAPI header for the protocol sub-type, then generate a Ntlm::UserRequest
or Kerberos::UserRequest object, calling the new API methods to set
its header label to "Negotiate".
 - this would only happen for the sub-protocols which were configured,
of course.

 * the Negotiate module would completely lack its own UserRequest and
User objects, and helpers, emitting the NTLM or Kerberos module
objects instead, which use the appropriate sub-protocol-specific
helpers.

 * the Negotiate module configuration would disappear and be
auto-enabled whenever a) the Kerberos scheme was configured, or b) a
flag on NTLM module auth_param was enabled.

Amos
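As an added illustration of the decode() probe the proposal describes (example code written for this page, not Squid's source and not Amos's code), the snippet below classifies the token carried in a Negotiate header: a raw NTLMSSP message is recognised by its 8-byte "NTLMSSP\0" signature, anything else is parsed as a GSS-API InitialContextToken (RFC 2743) whose leading mechanism OID says whether it is SPNEGO or plain Kerberos 5. The enum, the function names and the helperFor() routing rule (NTLMSSP to the NTLM side, GSS-API tokens to the Kerberos side) are assumptions made for the example; the base64 samples are constructed.

```cpp
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Hypothetical result type for the probe; not a Squid class.
enum class NegotiateSubtype { Unknown, Ntlm, Spnego, Krb5 };

// Minimal RFC 4648 base64 decoder. Returns false on characters outside
// the alphabet; stops at the first '=' padding character.
static bool base64Decode(const std::string &in, std::vector<uint8_t> &out)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    out.clear();
    uint32_t acc = 0;
    int bits = 0;
    for (char c : in) {
        if (c == '=')
            break;
        if (c == '\r' || c == '\n' || c == ' ')
            continue;
        const char *p = (c == '\0') ? nullptr : std::strchr(tbl, c);
        if (!p)
            return false;
        acc = (acc << 6) | static_cast<uint32_t>(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out.push_back(static_cast<uint8_t>((acc >> bits) & 0xFF));
            acc &= (1u << bits) - 1;   // keep only the leftover bits
        }
    }
    return true;
}

// Classify a decoded Negotiate token: NTLMSSP signature, or a GSS-API
// InitialContextToken (0x60, DER length, 0x06, OID length, OID bytes).
NegotiateSubtype probeNegotiateBlob(const std::vector<uint8_t> &blob)
{
    static const uint8_t ntlmSig[8] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
    if (blob.size() >= 8 && std::memcmp(blob.data(), ntlmSig, 8) == 0)
        return NegotiateSubtype::Ntlm;

    if (blob.size() < 2 || blob[0] != 0x60)
        return NegotiateSubtype::Unknown;
    size_t pos = 1;
    // DER length: short form (< 0x80) or long form (0x80 | number of length bytes)
    if (blob[pos] & 0x80)
        pos += 1 + (blob[pos] & 0x7F);
    else
        pos += 1;
    if (pos + 2 > blob.size() || blob[pos] != 0x06)
        return NegotiateSubtype::Unknown;
    const size_t oidLen = blob[pos + 1];
    pos += 2;
    if (pos + oidLen > blob.size())
        return NegotiateSubtype::Unknown;

    static const uint8_t spnegoOid[] = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};                   // 1.3.6.1.5.5.2
    static const uint8_t krb5Oid[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02};  // 1.2.840.113554.1.2.2
    if (oidLen == sizeof(spnegoOid) && std::memcmp(&blob[pos], spnegoOid, oidLen) == 0)
        return NegotiateSubtype::Spnego;
    if (oidLen == sizeof(krb5Oid) && std::memcmp(&blob[pos], krb5Oid, oidLen) == 0)
        return NegotiateSubtype::Krb5;
    return NegotiateSubtype::Unknown;
}

// Probe a full Proxy-Authorization / Authorization header value ("Negotiate <base64>").
NegotiateSubtype probeNegotiateHeader(const std::string &value)
{
    static const std::string scheme = "negotiate ";   // auth-scheme is case-insensitive
    if (value.size() <= scheme.size())
        return NegotiateSubtype::Unknown;
    for (size_t i = 0; i < scheme.size(); ++i)
        if (std::tolower(static_cast<unsigned char>(value[i])) != scheme[i])
            return NegotiateSubtype::Unknown;
    std::vector<uint8_t> blob;
    if (!base64Decode(value.substr(scheme.size()), blob))
        return NegotiateSubtype::Unknown;
    return probeNegotiateBlob(blob);
}

// Which sub-protocol side the token would be handed to (assumed split: NTLM vs. Kerberos).
const char *helperFor(NegotiateSubtype t)
{
    switch (t) {
    case NegotiateSubtype::Ntlm:   return "ntlm";
    case NegotiateSubtype::Spnego:
    case NegotiateSubtype::Krb5:   return "kerberos";
    default:                       return "reject";
    }
}

int main()
{
    // Constructed samples: an NTLM Type 1 prefix, a minimal SPNEGO token header, a non-Negotiate header.
    const char *samples[] = {"Negotiate TlRMTVNTUAABAAAA", "Negotiate YAgGBisGAQUFAg==", "Basic Zm9v"};
    for (const char *s : samples)
        std::printf("%-30s -> %s\n", s, helperFor(probeNegotiateHeader(s)));
    return 0;
}
```

A truncated or malformed token (bad base64, length running past the blob, unknown OID) lands in Unknown rather than being guessed, which is the case the wrapper-helper failures mentioned above make worth handling explicitly.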