[squid-users] [Squid 4.x]: Truncated accounts when there are spaces in usernames

David Touzeau david at articatech.com
Sat Oct 24 16:47:01 UTC 2015



On 24/10/2015 05:44, Amos Jeffries wrote:
> On 24/10/2015 1:29 p.m., David Touzeau wrote:
>> Hi all.
>>
>> I'm testing squid 4.x with Active Directory connection.
>>
>> When there are spaces in logged accounts, e.g. "Jhon Rambo", Squid uses
>> only the last string of the logon user: "Rambo".
>>
>> This corrupted account is used in all ACLs and events too, and all ACLs
>> match "Rambo" and not "Jhon Rambo".
>>
>> This behavior can be replicated in the Squid 3.5.x branches too, and can be
>> replicated with both the LDAP and NTLM methods.
>>
>> * * It should be a security issue, and an issue according to government
>> laws * *
>>
>> 1) If we create ACLs for the account "Rambo", which is another person
>> than "Jhon Rambo", then Jhon Rambo, a.k.a. "Rambo" for Squid, uses the
>> same ACLs as the "Rambo" account.
>> 2) In Europe we must keep Squid logs for the police for 1 year according
>> to Justice needs. This corruption breaks the validity of the logs, since
>> Squid does not reflect the real connected username.
>>
>> How to fix it ?
> Start with what's in your squid.conf settings: proxy_auth values, helper
> settings.
>
> Then go on to what the helper protocol is transmitting: both request and
> reply lines from the auth and external ACL helpers.
>
> Whitespace in user labels is not always dealt with nicely.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
Amos, here are the settings in squid.conf:


auth_param ntlm program /usr/bin/ntlm_auth --domain=TOUZEAU.BIZ --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20 startup=5 idle=3
auth_param ntlm keep_alive on
authenticate_ttl 14400 seconds
authenticate_cache_garbage_interval 18000 seconds
authenticate_ip_ttl 14400 seconds

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10 startup=5 idle=1
auth_param basic realm Basic Identification
auth_param basic credentialsttl 4 hours

Here is a debug log for an account logged in as "david touzeau":


Proxy-Authorization: NTLM 
TlRMTVNTUAADAAAAGAAYAJAAAAAYABgAqAAAAA4ADgBYAAAAGgAaAGYAAAAQABAAgAAAAAAAAADAAAAABYKIogYBsR0AAAAPudyEOYFjFhMW+qrJNxLkdlQATwBVAFoARQBBAFUAZABhAHYAaQBkACAAdABvAHUAegBlAGEAdQBXAEkATgA3AFUAUwAtADEAkZrVyKTcrdAAAAAAAAAAAAAAAAAAAAAA/wlnYT2Q+F
2015/10/24 12:34:58.089 kid1| 84,5| helper.cc(1384) helperStatefulDispatch: helperStatefulDispatch: Request sent to ntlmauthenticator #Hlpr65, 260 bytes
2015/10/24 12:34:58.092 kid1| 84,5| helper.cc(1000) helperStatefulHandleRead: helperStatefulHandleRead: 17 bytes from ntlmauthenticator #Hlpr65
2015/10/24 12:34:58.092 kid1| 29,6| UserRequest.cc(171) releaseAuthServer: releasing NTLM auth server '0x1d91cd8'
2015/10/24 12:34:58.092 kid1| 29,4| UserRequest.cc(327) HandleReply: Successfully validated user via NTLM. Username 'touzeau'



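The debug log above shows the two places a defender can compare when the logged username looks wrong: the NTLM Type 3 (AUTHENTICATE) token the browser sent in Proxy-Authorization, which carries the real domain, user and workstation, and the helper's reply, which Squid turns into the username it logs and matches ACLs against. The following script is an added example, not code from Squid or from Samba's ntlm_auth. It decodes the token quoted in the log (the archive cut it off mid-string, so the script drops the incomplete trailing base64 group; the identity fields sit at the start of the message and are intact) and then contrasts two ways of reading a squid-2.5-ntlmssp style `AF <username>` reply. The reply line `AF david touzeau` is constructed for the example; it is not printed in the log, although its length with a trailing newline, 17 bytes, happens to match the "17 bytes from ntlmauthenticator" line. The function names and the last-token parser are illustrative, not Squid's actual parsing code.

```python
"""Decode an NTLM Type 3 token and compare two helper-reply parsers.

Added example for the squid-users thread; not Squid's or ntlm_auth's code.
"""
import base64
import struct

# Type 3 token quoted in the debug log (truncated by the list archive).
CAPTURED_TYPE3_B64 = "TlRMTVNTUAADAAAAGAAYAJAAAAAYABgAqAAAAA4ADgBYAAAAGgAaAGYAAAAQABAAgAAAAAAAAADAAAAABYKIogYBsR0AAAAPudyEOYFjFhMW+qrJNxLkdlQATwBVAFoARQBBAFUAZABhAHYAaQBkACAAdABvAHUAegBlAGEAdQBXAEkATgA3AFUAUwAtADEAkZrVyKTcrdAAAAAAAAAAAAAAAAAAAAAA/wlnYT2Q+F"

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001  # flag bit: strings are UTF-16LE


def _decode_truncated_b64(text):
    """Decode base64 that was cut mid-group by dropping the partial group."""
    text = "".join(text.split())
    return base64.b64decode(text[: len(text) // 4 * 4])


def _security_buffer(msg, pos):
    """NTLM security buffer: uint16 len, uint16 maxlen, uint32 offset (LE)."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    return length, offset


def parse_type3(token_b64):
    """Return domain, user, workstation and the NT response length of a
    Type 3 message. Raises ValueError on anything that is not a complete
    enough NTLMSSP AUTHENTICATE message."""
    msg = _decode_truncated_b64(token_b64)
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError("expected Type 3 (AUTHENTICATE), got type %d" % msg_type)
    (flags,) = struct.unpack_from("<I", msg, 60)
    # OEM strings depend on the client's code page; latin-1 keeps bytes as-is.
    encoding = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    out = {"flags": flags}
    # Fixed header layout: LM response at 12, NT response at 20,
    # domain at 28, user at 36, workstation at 44.
    for name, pos in (("domain", 28), ("user", 36), ("workstation", 44)):
        length, offset = _security_buffer(msg, pos)
        if offset + length > len(msg):
            raise ValueError("%s field lies outside the captured bytes" % name)
        out[name] = msg[offset:offset + length].decode(encoding)
    nt_len, _ = _security_buffer(msg, 20)
    out["nt_response_len"] = nt_len  # 24 bytes = NTLMv1-style, longer = NTLMv2
    return out


def parse_af_reply_last_token(line):
    """Whitespace-tokenising parse that keeps only the last token. Constructed
    to reproduce the truncation reported in the thread, not Squid's code."""
    return line.split()[-1]


def parse_af_reply(line):
    """Parse an 'AF <username>' reply, keeping everything after the result
    code so that embedded spaces survive."""
    code, sep, rest = line.rstrip("\r\n").partition(" ")
    if code != "AF" or not sep or not rest:
        raise ValueError("not an AF reply: %r" % line)
    return rest


def compare(token_b64, helper_reply):
    """Return the identity the client asserted next to what each parser
    would log, so a mismatch between token and log line is visible."""
    ident = parse_type3(token_b64)
    return {
        "token_user": ident["user"],
        "last_token_parse": parse_af_reply_last_token(helper_reply),
        "full_parse": parse_af_reply(helper_reply),
    }


if __name__ == "__main__":
    # Constructed helper reply; the log only reports its size (17 bytes).
    reply = "AF david touzeau\n"
    info = parse_type3(CAPTURED_TYPE3_B64)
    print("domain=%(domain)s user=%(user)r workstation=%(workstation)s" % info)
    print("NT response length: %d bytes" % info["nt_response_len"])
    print("helper reply is %d bytes" % len(reply.encode()))
    print(compare(CAPTURED_TYPE3_B64, reply))
```

Running it against the token from the log gives domain `TOUZEAU`, user `david touzeau` and workstation `WIN7US-1`, while the last-token parse of the constructed reply yields `touzeau`, the same value the log reports in `Username 'touzeau'`. When the name in the token and the name in access.log disagree like this, every ACL keyed on the user and every retained log line refers to the wrong identity, which is the check worth scripting across a day of logs. The token also records a 24-byte NT response, so the client is still answering with an NTLMv1-style response, which is worth noting when reviewing the domain's authentication policy.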