[squid-users] squid authentication mechs

Amos Jeffries squid3 at treenet.co.nz
Wed Dec 16 20:53:01 UTC 2015

On 17/12/2015 5:35 a.m., Eugene M. Zheganin wrote:
> Hi.
> Is there a way to limit the number of available authentication
> mechanisms (for a client browser) based on a certain squid IP which this
> browser connects to, like, using http_port configuration directive? For
> example this is needed when one needs to allow the non-domain machines to
> pass through authentication/authorization checks using squid with
> full-fledged AD integration (or Kerberos/NTLM, anyway), otherwise they
> are unable to do it. Once they were, for example using Chrome < 41, but
> since >41 Chrome has removed all the options to exclude certain
> authentication methods from its CLI sequence (I still wonder what a
> genius proposed this).

Theoretically the client browser is fully aware of what credentials it
can use for what schemes (Kerberos, Basic, NTLM, Digest [in that order of
security]). And also for remembering which credentials worked or failed
on previous attempts with the offered schemes.

So there is no need to filter them at the proxy. *It* is perfectly able
to authenticate any credentials it gets given using any of the schemes
it is offering. You just happen to not like the outcome when validation
prevents login.

> If not (and I believe there isn't) could this message be treated as a
> feature request?

It has been a feature request for years to allow ACL control of auth
schemes offered. I even have a design plan laid out for implementing it.
But nobody seems to want it enough to sponsor the addition (if you do
please contact me directly to discuss).

I am specifically waiting for sponsorship on this one because it needs
someone with an actual use-case and implementation to test that it works
properly with Negotiate and NTLM.

Otherwise please open a feature request bug to track the status and get
notification when somebody does get around to adding it.


