[squid-users] ident authentication problem
Amos Jeffries
squid3 at treenet.co.nz
Thu Oct 30 04:52:29 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Sorry for this not being replied to earlier. Details inline below.
On 26/08/2014 2:25 p.m., James Harper wrote:
> I am using the latest 3.4 build and a config that looks like:
>
> ident_lookup_access allow localnet
> ident_lookup_access deny all
> ident_timeout 5 seconds
>
> acl password_required proxy_auth REQUIRED
> acl ident_required ident REQUIRED
>
> http_access allow localnet ident_required ident_unrestricted_group
> http_access allow localnet ident_required unrestricted_sites
> http_access deny localnet ident_required
>
> http_access allow localnet password_required password_unrestricted_group
> http_access allow localnet password_required unrestricted_sites
>
> http_access deny
>
> The idea is that ident will be used, and if ident can't be used,
> proxy auth (ntlm) will be used.
>
> The problem is that for users who ident successfully but are not in
> the ident_unrestricted_group / password_unrestricted_group (both
> the same windows group), they get a 407 response and a password
> prompt, instead of an access denied. I can work around this by
> putting:
>
> deny_info 403:ERR_ACCESS_DENIED ident_required
>
> just before the identd deny, but it seems like a hack.
>
> Am I doing something wrong or could this be a bug?
You seem to be expecting that ident_required will return false if
ident is not supplied.
Try this instead:
acl login proxy_auth REQUIRED
acl ident ident REQUIRED
http_access deny !localnet
http_access allow unrestricted_sites
http_access deny ident !ident_unrestricted_group
http_access allow ident
http_access deny !login
http_access allow password_unrestricted_group
http_access deny all
>
> Also, are there any implementations of ident that are a bit more
> useful? Such a thing would:
> - have a single TCP connection between squid and the client
>   (preferably client initiated), kept alive for a reasonable time
> - authenticate the identd server itself (identd is not really
>   considered secure)
> - allow squid to specify all aspects of the connection (ident expects
>   the lookup to come from the destination, which isn't true if you
>   are doing transparent proxying, although easy to patch squid to
>   fake the source)
>
IDENT is a protocol. It is what it was designed to be. It is *not* a
form of authentication in any way.
Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
iQEcBAEBAgAGBQJUUcQNAAoJELJo5wb/XPRj7CIH/0bSEnAgxKnDOCIwHvejBVOk
3/xnaExb62H5ujP+MoFRE2Kd35xaMSsGT7GjFC0a46OpU1SkO9zGzyqLeWCzrPTN
Pyf3b7sBon0pc37uU0IEm76mbJ6lARI3hoRYQiUVtPiwcOduQi1DAVfv1c+u8o5D
ivPoHPM1gLl3KJi2Vw0WleCafYgmm1eKJNLGVqkGX2c0DEpFs+UG4xSbiKi+82tP
vv1BybV7n5DoS3qwqTRikWe5h1Ar8Uc6gGs5vgMu//lZyxUb6BrrTQhqZOIwPnbz
5/5p0X56t2qrRn82D8UE+zdi1zlYfg/ZhZy3mYvkXCyO+y3HPW8qnvIzFGo0gWw=
=Y/kW
-----END PGP SIGNATURE-----
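The following is an added example, not code from Squid or from either
poster. It models the http_access semantics that the suggested rule
order relies on (first matching line wins, every ACL on a line must
match, a proxy_auth ACL evaluated without credentials produces a 407
challenge rather than a plain deny, and an unmatched list defaults to
the opposite of its last line) and runs Amos's seven lines against a
handful of constructed requests. The membership sets for
ident_unrestricted_group / password_unrestricted_group and the
unrestricted_sites domain list are assumptions made for the example;
the thread does not define them.

```python
"""Toy model of Squid http_access evaluation (added example, not Squid code).

Modelled semantics (from squid.conf documentation):
  * http_access lines are checked top to bottom; the first line whose ACLs
    all match decides the request.
  * '!' negates a single ACL on a line.
  * a proxy_auth ACL checked against a request with no Proxy-Authorization
    credentials cannot match; Squid answers 407 (challenge) instead.
  * if no line matches, the result is the opposite of the last line's action.
Assumed for this example (not from the thread): the two *_unrestricted_group
ACLs are user-name lists and unrestricted_sites is a dstdomain list.
"""
from dataclasses import dataclass
from typing import Optional

UNRESTRICTED_USERS = {"alice"}            # assumed: members of both *_unrestricted_group ACLs
UNRESTRICTED_SITES = {"intranet.example"}  # assumed: unrestricted_sites dstdomain entries


@dataclass
class Request:
    src_in_localnet: bool
    ident_user: Optional[str]   # name returned by the client's identd, or None
    auth_user: Optional[str]    # user from Proxy-Authorization, or None
    dst_domain: str


class NeedAuth(Exception):
    """A proxy_auth ACL was evaluated without credentials: Squid sends 407."""


def acl_match(name: str, req: Request) -> bool:
    """Evaluate one (un-negated) ACL by name against a request."""
    if name == "localnet":
        return req.src_in_localnet
    if name == "ident":                       # acl ident ident REQUIRED
        return req.ident_user is not None
    if name == "login":                       # acl login proxy_auth REQUIRED
        if req.auth_user is None:
            raise NeedAuth
        return True
    if name == "ident_unrestricted_group":    # assumed: ident user-name list
        return req.ident_user in UNRESTRICTED_USERS
    if name == "password_unrestricted_group":  # assumed: proxy_auth user-name list
        if req.auth_user is None:
            raise NeedAuth
        return req.auth_user in UNRESTRICTED_USERS
    if name == "unrestricted_sites":          # assumed: dstdomain list
        return req.dst_domain in UNRESTRICTED_SITES
    if name == "all":                         # Squid's built-in catch-all ACL
        return True
    raise KeyError(f"unknown acl {name}")


# Amos's suggested http_access list, in order.
AMOS_RULES = [
    ("deny", ["!localnet"]),
    ("allow", ["unrestricted_sites"]),
    ("deny", ["ident", "!ident_unrestricted_group"]),
    ("allow", ["ident"]),
    ("deny", ["!login"]),
    ("allow", ["password_unrestricted_group"]),
    ("deny", ["all"]),
]


def evaluate(rules, req: Request) -> str:
    """Return 'allow', 'deny' (403) or 'challenge' (407) for a request."""
    for action, acls in rules:
        try:
            # every ACL on the line must match; '!' flips the individual result
            matched = all(acl_match(a.lstrip("!"), req) != a.startswith("!") for a in acls)
        except NeedAuth:
            return "challenge"
        if matched:
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def scenarios() -> dict:
    """Constructed requests covering each branch of the suggested rule order."""
    cases = {
        "ident alice, no creds, any site": Request(True, "alice", None, "www.example"),
        "ident bob (not in group), no creds": Request(True, "bob", None, "www.example"),
        "no ident, no creds": Request(True, None, None, "www.example"),
        "no ident, creds alice": Request(True, None, "alice", "www.example"),
        "no ident, creds bob (not in group)": Request(True, None, "bob", "www.example"),
        "no ident, no creds, unrestricted site": Request(True, None, None, "intranet.example"),
        "outside localnet": Request(False, "alice", "alice", "www.example"),
    }
    return {label: evaluate(AMOS_RULES, r) for label, r in cases.items()}


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:45s} -> {result}")
```

The point to check is the second scenario: an ident-identified user who is
not in the group is denied on line 3 before any proxy_auth ACL is
evaluated, so no 407 is sent, while a client with no ident reply falls
through to `deny !login` and is challenged.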