[squid-users] Removing cache credentials

Amos Jeffries squid3 at treenet.co.nz
Mon Nov 17 06:50:57 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 17/11/2014 5:26 p.m., Victor Sudakov wrote:
> Amos Jeffries wrote:
>>> 
>>> If we speak about Kerberos authentication. On the very first 
>>> request, the browser receives a "407 Proxy Authentication
>>> Required" reply and learns that it is expected to provide
>>> credentials. For a certain amount of time, the browser knows
>>> that it should send the credentials with every request without
>>> waiting for an 407 reply.
>>> 
>>> How long is this amount of time? Is it like forever?  Is there
>>> ever a limit after which the browser will try again to send a
>>> request without credentials? Maybe after a browser restart or
>>> what?
>>> 
> 
>> Negotiate/Kerberos (and NTLM) do not authenticate the request.
>> They abuse HTTP to authenticate the TCP connection underneath
>> HTTP. So the credentials must be re-used for the entire lifetime
>> of that TCP connection. Changing credentials means tearing down
>> that whole TCP connection.
> 
> As far as I understood you, there would be a "407 Proxy
> Authentication Required" and "Proxy-Authorization: Negotiate" pair
> in each TCP connection between browser and proxy.

407 is repeated as many times as necesary until the client starts
sending valid credentials. Proxy-Authorization is used on every
request containing any credentials. That is the basic requirement for
any HTTP auth schemes.

They are not a pair. Since there is no requirement for anything to
follow the 407. Nor is there even a requirement for the two messages
to be sent on the same TCP connection (eg "auth_param ... keep_alive
off"). Statelessness is fun sometimes.

> 
> If the connection is used for several requests, only the first
> HTTP request in the connection would contain authentication info.

No. Once authentication is accepted on a connection the credentials
token MUST be sent on all following requests.

 - So far that is basic HTTP auth requirements. Now things get weird...

Lack of Negotiate credentials on any request is a sign of injection
attack being performed and the TCP connection must be torn down.

To do that tear-down Squid can send 407 challenge with
Connection:close such that the client can resume with
re-authentication on new TCP connection(s) without waiting for any 407.


> But each new TCP connection is re-authenticated by HTTP. Is this
> correct?

Not really. A TCP connection may be used for multiple requests before
one needs to authenticate and kicks out a 407.

If you offer Basic Digest, Bearer or other properly HTTP compliant
auth schemes there is even the possibility that multiple different
types of credentials were happily being multiplexed over the single
connection until NTLM/Negotiate gets in the way.

Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUaZrRAAoJELJo5wb/XPRjCNIH/2/Shwg113XcpKnyF+CATG8C
vxpa88xuajuqiwHRBtPd6caQDbnQi05HXuoD+RUmS+bhLeHhFg/5AZPswnCLLp7N
SmoOcc7yB80+0/Cmy31CpfO0QWm5GnkMHM40Kj7Lftms2AUKdOtmxoBITJYKTmPf
hXEktNtD78K8rB0qHg5s38Z/wd3K7YNvGTBlNacbpLM0TYx1CELkccA7ifx+t3Ut
rLKqZJHUbSWAhmBeHs6eLu2KXp+0ZA1gp5HqDmg7XaRtzWAJpy9K0+zpPEVdVZcz
rYPsCjdOuesHrWc99pNp4d3RFggXQ6298eJHthhNwqdVwMhhkfRGcp1fyNNIx2E=
=8j6B
-----END PGP SIGNATURE-----


More information about the squid-users mailing list