[squid-users] ident authentication problem

[Amos Jeffries]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sorry for this not being replied to earlier. Details inline below.

On 26/08/2014 2:25 p.m., James Harper wrote:
> I am using the latest 3.4 build and a config that looks like:
> 
> ident_lookup_access allow localnet ident_lookup_access deny all 
> ident_timeout 5 seconds
> 
> acl password_required proxy_auth REQUIRED acl ident_required ident
> REQUIRED
> 
> http_access allow localnet ident_required ident_unrestricted_group 
> http_access allow localnet ident_required unrestricted_sites 
> http_access_deny localnet ident_required
> 
> http_access allow localnet password_required
> password_unrestricted_group http_access allow localnet
> password_required unrestricted_sites
> 
> http_access_deny
> 
> The idea is that ident will be used, and if ident can't be used,
> proxy auth (ntlm) will be used.
> 
> The problem is that for users who ident successfully but are not in
> the ident_unrestricted_group / password_unrestricted_group (both
> the same windows group), they get a 407 response and a password
> prompt, instead of an access denied. I can work around this by
> putting:
> 
> deny_info 403:ERR_ACCESS_DENIED ident_required
> 
> just before the identd deny, but it seems like a hack.
> 
> Am I doing something wrong or could this be a bug?

You seem to be expecting that ident_required will return false if
ident is not supplied

Try this instead:

 acl login proxy_auth REQUIRED
 acl ident ident REQUIRED

 http_access deny !localnet
 http_access allow unrestricted_sites

 http_access deny ident !ident_unrestricted_group
 http_access allow ident

 http_access deny !login
 http_access allow password_unrestricted_group

 http_access deny all


> 
> Also, are there any implementations of ident that are a bit more
> useful? Such a thing would: . have a single TCP connection between
> squid and the client (preferably client initiated), kept alive for
> a reasonable time . authenticate the identd server itself (identd
> is not really considered secure) . allow squid to specify all
> aspects of the connection (ident expects the lookup to come from
> the destination, which isn't true if you are doing transparent
> proxying, although easy to patch squid to fake the source)
> 


IDENT is a protocol. It is what it was designed to be. It is *not* a
form of authentication in any way.

Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUUcQNAAoJELJo5wb/XPRj7CIH/0bSEnAgxKnDOCIwHvejBVOk
3/xnaExb62H5ujP+MoFRE2Kd35xaMSsGT7GjFC0a46OpU1SkO9zGzyqLeWCzrPTN
Pyf3b7sBon0pc37uU0IEm76mbJ6lARI3hoRYQiUVtPiwcOduQi1DAVfv1c+u8o5D
ivPoHPM1gLl3KJi2Vw0WleCafYgmm1eKJNLGVqkGX2c0DEpFs+UG4xSbiKi+82tP
vv1BybV7n5DoS3qwqTRikWe5h1Ar8Uc6gGs5vgMu//lZyxUb6BrrTQhqZOIwPnbz
5/5p0X56t2qrRn82D8UE+zdi1zlYfg/ZhZy3mYvkXCyO+y3HPW8qnvIzFGo0gWw=
=Y/kW
-----END PGP SIGNATURE-----