[squid-users] LDAP Auth re-prompting for credentials on browser close, need suggestions

Michael Monette mmonette at 2keys.ca
Thu Jul 30 15:36:07 UTC 2015



On 7/29/2015 5:20 PM, Amos Jeffries wrote:
>
>> Found this post asking the same question:
>> http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Ldap-Authen-AD-how-to-make-authentication-persistent-td3604487.html
>> and it
>>
>> There were two suggestions that stood out:
>>
>> There used to be a "authenticate_ip_shortcircuit_ttl" option in squid
>> 2.7 that when authenticated successfully, it would remember the users
>> IP for X amount of time and would let you avoid logging in every time
>> you reopen your browser. They removed that in later versions
>> unfortunately, I guess because someone could take over your IP and
>> would be able to authenticate as you(which is not a concern to me, at
>> all).
> It should.
>
> Theres this thing called NAT you see, which places multiple users behind
> a single IP. The first one to login with IP-based auth. Since IPv4 ran
> out back in 2003 a number of networks have started using one layer.
> Since 2010 when IPv4 stopped being readily available its become more and
> more popular to use 2 and even 3 layers of NAT between any two machines.
> Just so they can talk.
>
> Then there is this thing called DHCP. I guess this is what you mean by
> one user taking over anothers IP. Since the DHCP service allocates any
> available IP to user devices on request. If a device goes away its IP
> can get re-used immediately by another device. Its uite difficult to get
> Squid to be aware of any of those changes and update its auth information.
>
> Then there is the thing called "privacy addressing". In IPv6 its
> built-in, with IPv4 its done using DHCP short dynamic assignments. It
> means the IP address assigned to user devices is guaranteed to change
> frequently and randomly.
>
> Now, if your network can operate without NAT or DHCP, or IPv6. You are
> one of the very rare lucky people for whom IP-shortcut based auth
> *might* work. But only until you have a malicious user contact the
> network and start spoofing users IPs.
>
>
> IP address based authentication is, well. Dead.
>
Okay, well I know how NAT and DHCP works, so I guess I am one of those 
rare cases you talk about.  We have no NATs, I am only trying to use 
squid on a small section of our network which has statically assigned IP 
addresses and they have no admin rights to change it. They are open 24/7 
so some stranger walking in, plugging his laptop on our network and 
trying to figure out which IP is already authenticated is very unlikely 
since everybody knows each other and it noticed/reported. That's why 
this does not concern me. I was also only planning to have it remember 
the IP for maybe 1 hour.

On the other hand, having users re-authenticate every time they close 
their browser would irritate them and possibly cause confusion as most 
of them are not very technical(It might just be something they will need 
to adjust to after all).

So in my case, either I figure out a way to go about this (I saw your 
suggestions below and am going to do some reading) or I might have to 
not implement any authentication at all, which I think is worse.

>> The other suggestion would be to use an external ACL helper but they
>> did not include one or any example in the post.
>>
>> Would anyone happen to have an example of a helper that does this or
>> some other way I can go about pulling this off?
>
>   "Windows Integrated Authentication" is what IE is using not to have to
> ask user for credentials. Some credentials were given when they logged
> into the machine, and are used by the browser to send to Squid as needed
> (and only as needed). Sometimes called Single-Sign-On or Federated
> authentication.
>
> I hear the other browsers need some config to use it. But can't recall
> right now what that is.

I will look around for this config option and check out SSO/Federated 
authentication, I appreciate the hint.
If I can't figure out a way to get this going I will speak to management 
to see if this is an acceptable tradeoff. I am just exploring my options 
before I do.
>
> For Squid it should work with Basic auth. Dont believe the myths that
> say Windows auth == NTLM.
>
>
> Whether *a* popup is seen also depends on whether the browser password
> manager is in use. One always need to unlock that manually when opening
> a browser. The actual Squid credentials are fetched from there after its
> opened. And no that popup is *not* part of HTTP auth.
Thanks for clearing that up and your responses, much appreciated.


More information about the squid-users mailing list