[squid-users] Kerberos authentication with multiple squids

Markus Moeller huaraz at moeller.plus.com
Sun Oct 17 16:46:25 UTC 2021


I see. I think this would mean using Basic Auth to proxy1, which then gets a
Kerberos ticket for the user to authenticate to proxy2. This is possible,
but I would not think it is a good secure option.

Regards
Markus

"Grant Taylor"  wrote in message 
news:a2070fca-07fd-9a67-3f23-551c1fe77288 at spamtrap.tnetconsulting.net...
On 10/16/21 1:31 PM, Markus Moeller wrote:
> I think you are talking about a KDC proxy, which is for another case.

I don't think so.  I'm not talking about using a proxy to access the KDC.

I'm talking about using a component of the following scenario:

1)  Client uses traditional username and password to authenticate to an
IMAP server.
2)  IMAP server uses the provided credentials to request some sort of
ticket (I don't remember what type) on the user's behalf.
3)  IMAP server uses the ticket on the user's behalf to access the
user's messages stored on an NFS server.

I'm suggesting that the proxy1 (from the other message) do something on
the user's behalf to request a ticket for the user that proxy1 can then
use to authenticate as the user to proxy2.

It's been quite a while since I've read about this so I may be
completely wrong.  But I distinctly remember there was a way to have an
intermediate (e.g. IMAP) server accept username and password from
clients and access a backend file server on the client's behalf in such
a way that the backend server saw normal kerberized connections.



-- 
Grant. . . .
unix || die