[squid-dev] [PATCH] add support for using an existing kerberos cache instead of a keytab

aymericvincent at free.fr aymericvincent at free.fr
Thu Oct 22 13:30:47 UTC 2015


Hi,

The attached patch adds a NOKEYTAB option to the login=NEGOTIATE case (a local proxy needs to authenticate via Kerberos to a proxy peer).

When specified, this option prevents Squid from crafting a Kerberos credentials cache from a keytab, but instead lets GSSAPI use an existing credentials cache.

This is very useful to allow a normal user to use his user credentials to run a local unprivileged Squid on his desktop/laptop without having to deploy a keytab on the (say) parent proxy.

The way the option is specified is IMHO sub-optimal (sorry) but minimises diff footprint, and I'm open to any suggestion if you're interested in incorporating this simple yet useful change.

Best regards,
 Aymeric
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff-squid-negotiate-nokeytab
Type: text/x-patch
Size: 4642 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20151022/e10f2a9d/attachment.bin>

