[squid-users] negotiate_kerberos_auth: ERROR

Amos Jeffries squid3 at treenet.co.nz
Fri Sep 28 23:28:56 UTC 2018


On 29/09/18 7:51 AM, neok wrote:
> Hello people, in general terms my proxy works quite well. However I tell you
> that very eventually, (maybe about 10 times per day based on 15 users using
> my test proxy) I get this error in cache.log:
> 
> 
> negotiate_kerberos_auth.cc(180): pid=21573 :2018/09/28 14:42:25|
> negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified
> GSS failure.  Minor code may provide more information. Request is a replay
> 2018/09/28 14:42:25 kid1| ERROR: Negotiate Authentication validating user.
> Result: {result=BH, notes={message: gss_accept_sec_context() failed:
> Unspecified GSS failure.  Minor code may provide more information. Request
> is a replay; }}
> negotiate_kerberos_auth.cc(180): pid=21573 :2018/09/28 14:42:26|
> negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified
> GSS failure.  Minor code may provide more information. Request is a replay
> 2018/09/28 14:42:26 kid1| ERROR: Negotiate Authentication validating user.
> Result: {result=BH, notes={message: gss_accept_sec_context() failed:
> Unspecified GSS failure.  Minor code may provide more information. Request
> is a replay; }}
> 
> I've browsed for several hours without finding out what causes this error, or if
> it's serious, or if I should ignore it.

It is serious.

> Could someone with more experience tell me, if possible, what could be
> the reason for this error?

"Request is a replay", aka "token replay attack".

The client is sending a credentials token which has already been used on
another connection. Such clients are either fatally broken, or malicious.

Negotiate and NTLM credentials authenticate the specific TCP connection
they are used on. They are not permitted to be re-used on other
connections nor changed once authenticated.


PS. please upgrade if you can, there are security issues with 3.5.23 and
older releases. Eliezer provides updated CentOS packages for more recent
Squid versions (see <https://wiki.squid-cache.org/KnowledgeBase/CentOS>).

Amos
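
One way to turn the cache.log lines quoted above into a rate worth watching, as an added example that is not from this thread or from Squid itself: it parses the two formats shown (the negotiate_kerberos_auth helper line and the kid1 validation line, assumed to be one unwrapped line each in the real cache.log) and counts replay rejections per hour. It counts only the helper line, on the assumption that the kid1 line reports the same failed token a second time.

```python
import re
from collections import Counter

# Constructed sample in the two cache.log formats quoted in the thread.
# The final line is a constructed non-error line to show it is ignored.
SAMPLE_LOG = """\
negotiate_kerberos_auth.cc(180): pid=21573 :2018/09/28 14:42:25| negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information. Request is a replay
2018/09/28 14:42:25 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information. Request is a replay; }}
negotiate_kerberos_auth.cc(180): pid=21573 :2018/09/28 14:42:26| negotiate_kerberos_auth: ERROR: gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information. Request is a replay
2018/09/28 14:42:26 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information. Request is a replay; }}
2018/09/28 15:01:07 kid1| helperOpenServers: Starting 5/20 'negotiate_kerberos_auth' processes
"""

# Helper line: "negotiate_kerberos_auth.cc(NNN): pid=P :TIMESTAMP| negotiate_kerberos_auth: ERROR: MSG"
HELPER_RE = re.compile(
    r"^negotiate_kerberos_auth\.cc\(\d+\): pid=(?P<pid>\d+) :"
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| "
    r"negotiate_kerberos_auth: ERROR: (?P<msg>.*)$"
)
# Kid line: "TIMESTAMP kidN| ERROR: Negotiate Authentication validating user. Result: {result=R, notes={message: MSG; }}"
KID_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid(?P<kid>\d+)\| "
    r"ERROR: Negotiate Authentication validating user\. "
    r"Result: \{result=(?P<result>\w+), notes=\{message: (?P<msg>.*?); \}\}$"
)

def parse_cache_log(text):
    """Return one dict per recognised Negotiate error line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = HELPER_RE.match(line)
        if m:
            records.append({"source": "helper", "pid": int(m["pid"]),
                            "ts": m["ts"], "msg": m["msg"]})
            continue
        m = KID_RE.match(line)
        if m:
            records.append({"source": f"kid{m['kid']}", "result": m["result"],
                            "ts": m["ts"], "msg": m["msg"]})
    return records

def replays_per_hour(records):
    """Count replay rejections per hour (key 'YYYY/MM/DD HH') from helper lines only,
    so each rejected token is counted once even though kid1 logs it again."""
    return Counter(r["ts"][:13] for r in records
                   if r["source"] == "helper" and "Request is a replay" in r["msg"])
```

Run it over a real cache.log and compare the per-hour counts against the normal baseline for your user population; a sudden rise, or replays clustered on one client, is what separates a broken client from something worth investigating.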
