[squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

Victor Sudakov sudakov at sibptus.tomsk.ru
Wed Oct 8 03:29:25 UTC 2014


Markus Moeller wrote:
> 
>   In the helpers/negotiate_auth/kerberos directory is a script 
> test_negotiate_auth.sh to test authentication outside of squid. 

Markus,

I could find the said script neither in the source nor in the binary
package. However, I think I can guess what could be inside. Could you
look below to see if that makes sense?

===========================
$ setenv KRB5_KTNAME /usr/local/etc/squid/squid.keytab
$ setenv KRB5_CONFIG /usr/local/etc/squid/krb5.conf
$ kdestroy
$ kinit sudakovva
sudakovva at SIBPTUS.TRANSNEFT.RU's Password:
$
$ klist
Credentials cache: FILE:/tmp/krb5cc_XZ1GPU
        Principal: sudakovva at SIBPTUS.TRANSNEFT.RU

  Issued           Expires          Principal
Oct  8 09:31:45  Oct  8 19:31:45  krbtgt/SIBPTUS.TRANSNEFT.RU at SIBPTUS.TRANSNEFT.RU

$ ./negotiate_kerberos_auth_test proxy.sibptus.transneft.ru | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | ./negotiate_kerberos_auth -d

negotiate_kerberos_auth.cc(212): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: INFO: Starting version 3.0.4sq
negotiate_kerberos_auth.cc(258): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: DEBUG: Got 'YR [base64 token omitted]' from squid (length: 2083).
negotiate_kerberos_auth.cc(311): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: DEBUG: Decode '[base64 token omitted]' (decoded length: 1560).
negotiate_kerberos_auth.cc(128): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: ERROR: gss_acquire_cred() failed:  No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown
BH gss_acquire_cred() failed:  No credentials were supplied, or the credentials were unavailable or inaccessible.. unknown mech-code 0 for mech unknown
negotiate_kerberos_auth.cc(258): pid=52357 :2014/10/08 10:03:34| negotiate_kerberos_auth: DEBUG: Got 'QQ' from squid (length: 2).
BH quit command

$ klist -v
Credentials cache: FILE:/tmp/krb5cc_XZ1GPU
        Principal: sudakovva at SIBPTUS.TRANSNEFT.RU
    Cache version: 4

Server: krbtgt/SIBPTUS.TRANSNEFT.RU at SIBPTUS.TRANSNEFT.RU
Client: sudakovva at SIBPTUS.TRANSNEFT.RU
Ticket etype: arcfour-hmac-md5
Ticket length: 1128
Auth time:  Oct  8 10:00:12 2014
End time:   Oct  8 20:00:12 2014
Ticket flags: initial, pre-authenticated
Addresses: addressless

Server: HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
Client: sudakovva at SIBPTUS.TRANSNEFT.RU
Ticket etype: arcfour-hmac-md5
Ticket length: 1212
Auth time:  Oct  8 10:00:12 2014
Start time: Oct  8 10:00:16 2014
End time:   Oct  8 20:00:12 2014
Ticket flags: pre-authenticated
Addresses: addressless

$
$  ktutil list
/usr/local/etc/squid/squid.keytab:

Vno  Type                     Principal
  1  des-cbc-crc              HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  des-cbc-md5              HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  arcfour-hmac-md5         HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  aes256-cts-hmac-sha1-96  HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  aes128-cts-hmac-sha1-96  HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
===========================

> 
> Let me know what you get. 

You can see that I obtain a ticket for the HTTP/proxy.sibptus.transneft.ru 
service, but somehow the authentication fails.

> BTW on which platform with which Kerberos 
> library (MIT or Heimdal) is this?

On the squid host: FreeBSD 8.4-RELEASE-p16 i386, Heimdal 1.1.0.

w2k AD as KDC for SIBPTUS.TRANSNEFT.RU.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
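
An added example, not part of the original message or of Squid: it parses the Heimdal `klist -v` and `ktutil list` text formats shown above and checks that the keytab holds a key of the same enctype as the service ticket, which the acceptor needs in order to decrypt that ticket. The function names are hypothetical, and the embedded sample is a trimmed copy of the quoted output.

```python
import re

# Constructed sample input: trimmed copies of the `klist -v` and `ktutil list`
# output quoted in the message above (Heimdal text format).
KLIST_V = """\
Server: krbtgt/SIBPTUS.TRANSNEFT.RU at SIBPTUS.TRANSNEFT.RU
Client: sudakovva at SIBPTUS.TRANSNEFT.RU
Ticket etype: arcfour-hmac-md5

Server: HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
Client: sudakovva at SIBPTUS.TRANSNEFT.RU
Ticket etype: arcfour-hmac-md5
"""
KTUTIL_LIST = """\
Vno  Type                     Principal
  1  des-cbc-crc              HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  arcfour-hmac-md5         HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
  1  aes256-cts-hmac-sha1-96  HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
"""

def norm(principal):
    # The list archive rewrites "@" as " at "; accept both spellings.
    return principal.strip().replace(" at ", "@")

def parse_tickets(text):
    """Return {server principal: ticket etype} from `klist -v` output."""
    tickets, server = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Server":
            server = norm(value)
        elif key.strip() == "Ticket etype" and server:
            # Keep only the enctype name if extra fields follow a comma.
            tickets[server] = value.split(",")[0].strip()
    return tickets

def parse_keytab(text):
    """Return a set of (principal, etype, kvno) from `ktutil list` output."""
    rows = re.findall(r"^\s*(\d+)\s+(\S+)\s+(\S.*)$", text, re.M)
    return {(norm(p), etype, int(vno)) for vno, etype, p in rows}

def keytab_covers(service, klist_text, ktutil_text):
    """True if the keytab has a key of the ticket's etype for `service`."""
    etype = parse_tickets(klist_text).get(service)
    return etype is not None and any(
        p == service and e == etype for p, e, _ in parse_keytab(ktutil_text))
```

On the output quoted above, `keytab_covers("HTTP/proxy.sibptus.transneft.ru@SIBPTUS.TRANSNEFT.RU", ...)` returns True, since arcfour-hmac-md5 appears in both the ticket and the keytab.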