[squid-users] Suppressing authentication schemes

Amos Jeffries squid3 at treenet.co.nz
Wed Oct 21 11:43:24 UTC 2020


On 21/10/20 7:53 pm, Philipp Gesang wrote:
> On Tuesday, 2020-10-20 10:59:41 -0400 Alex Rousskov wrote 
>> On 10/20/20 10:44 AM, Philipp Gesang wrote:
>>> On Tuesday, 2020-10-20 09:53:45 -0400 Alex Rousskov wrote 
>>>>> a while back we received a report from a customer that Windows
>>>>> hosts will not fall back on conventional authentication
>>>>> mechanisms if Squid advertises Negotiate. That is unfortunate as
>>>>> not all systems in that customer’s network are Kerberos enabled
>>>>
>>>> We have added the auth_schemes directive to address this and similar
>>>> problems. Unfortunately, the squid.conf renderer on the official site
>>>> does not include v5+ options, but you can see raw documentation at
>>>> https://github.com/squid-cache/squid/blob/710f160/src/cf.data.pre#L2139
>>
>>> That looks like it’s exactly what we need. So this will be a 5.x only
>>> feature?
>>
>> It is a v5+ feature (i.e. it is in v5 now and should be in v6, v7, etc.).
> 
> How far away in the future do you think is an official v5 release
> from now? Going by the git log it’s been in the making for quite
> a while.

There are a few criteria. The current stage of beta release is waiting
on there being no major bugs added by Version 5:

 <https://bugs.squid-cache.org/buglist.cgi?bug_id_type=anyexact&bug_severity=blocker&bug_severity=critical&bug_severity=major&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&columnlist=bug_severity%2Cversion%2Cop_sys%2Cshort_desc&f1=version&list_id=7846&o1=lessthaneq&o2=equals&order=version%20DESC%2Cbug_severity%2Cbug_id&product=Squid&query_format=advanced&v1=5&v2=unspecified>

The ones with Vers saying "5" are release blockers. Older ones are
wishlist as far as release goes.

After that we need at least half a beta release cycle with no new major
bugs being found.


> 
>> You can, of course, lobby Amos, the v4 maintainer, for making a policy
>> exception and officially including (a backport of) auth_schemes into v4.
>> Factory may even have a v4-based branch somewhere that we can resurrect
>> as a starting point for that backporting effort.
> 
> As a last resort, maybe. I’d rather see that effort invested in
> moving ahead with v5. ;)
> 

All assistance welcome. Since you are going to use the auth_schemes
feature, working on <https://bugs.squid-cache.org/show_bug.cgi?id=4832>
should be a good mutual RoI.


Alternatively, <https://github.com/squid-cache/squid/pull/308> is needed
by Squid, but the original author no longer has interest in doing the
polish to pass our QA process.


Cheers,
Amos
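
The setup discussed in this thread, as an added example that is not part of the original message or the Squid documentation: a squid.conf fragment for Squid v5+ that advertises only Basic to clients that cannot do Kerberos and all configured schemes to everyone else. The ACL name, the subnet and the helper paths are assumptions.

```squidconf
# Added example (Squid v5+ only; auth_schemes does not exist in v4).
# Helper paths are placeholders and vary by distribution.

# Without auth_schemes, Squid offers every scheme below, in this order.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth
auth_param negotiate children 10
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy

# Constructed ACL: hosts that are not Kerberos enabled (documentation subnet).
acl no_kerberos src 192.0.2.0/24

# The first matching auth_schemes rule decides which schemes are advertised,
# and in what order, in the Authentication Required response.
# These hosts never see Negotiate, so they do not get stuck on it.
auth_schemes basic no_kerberos

# Everyone else gets all auth_param schemes in configuration order
# (this is also the default when no rule matches).
auth_schemes ALL all

# auth_schemes only shapes the advertised list; whether authentication is
# required at all is still decided by the access rules.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```

Basic sends the password to the proxy in reversible form on every request, so keeping the `no_kerberos` ACL as narrow as possible limits which hosts are ever offered it.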

