[squid-users] Logging failed authentication attempts

Andrey K ankor2023 at gmail.com
Tue Jan 31 08:16:30 UTC 2023


Hello Amos,

Thank you for the idea to write a wrapper script.

As the NTLM helper returns "NA NT_STATUS_LOGON_FAILURE" when authentication
fails, I think it is also required to patch the squid sources to copy the
value of the user attribute, returned by the wrapper,
to auth_user_request->user()->username().
As I see, I need to modify the following functions:
Helper::Reply::finalize() - add parsing of additional attributes in the
case when the returned value is "NA  ",
Auth::Ntlm/Negotiate::UserRequest::HandleReply() - add finding the "user"
attribute and copying it to the username:
auth_user_request->user()->username(userLabel) in the case of returned
Helper::Error;

By the way, what are these acronyms for (YR, KK, TT, AF, BH, NA, LD)?

Kind regards,
     Ankor.

Tue, 31 Jan 2023 at 08:54, Amos Jeffries <squid3 at treenet.co.nz>:

> On 31/01/2023 6:13 pm, Andrey K wrote:
> > Amos,
> >
> > I understood: the helper.cc does not parse the KK-request and does not
> > know about the username. It can only get the username information from
> > the reply of the external helper. But since the external helper
> > returns only an error without a username, this information is missing
> > from the logs.
> >
> > Is there any other possibility to log username and source IP address
> > in such NTLM-failed authentication attempts?
>
> You could make a wrapper script that decodes the KK request and returns
> user=name along with the real helpers result.
> The problem is that the credentials are known to be invalid at that
> point, so it may just be garbage instead of a username.
>
> Amos
>
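The decoding step of the wrapper suggested above, as an added example that is not code from this thread or from Squid: it pulls the claimed domain and user name out of the base64 NTLM type 3 token carried by a KK request and appends them to the real helper's NA reply. The function names and the `user=` suffix format are assumptions, the field offsets follow the AUTHENTICATE_MESSAGE layout in MS-NLMP, and as the message above notes, Squid itself would still have to be changed to consume the attribute on an NA reply.

```python
import base64
import struct
from urllib.parse import quote

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, OEM otherwise

def _field(msg, pos):
    """Return the payload bytes named by the (Len, MaxLen, Offset) descriptor at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def parse_ntlm_authenticate(token_b64):
    """Return (domain, user) from a base64 NTLM type 3 message, or None if malformed."""
    try:
        msg = base64.b64decode(token_b64, validate=True)
        if len(msg) < 64 or msg[:8] != NTLMSSP_SIG:
            return None
        if struct.unpack_from("<I", msg, 8)[0] != 3:
            return None
        flags = struct.unpack_from("<I", msg, 60)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
        return _field(msg, 28).decode(enc), _field(msg, 36).decode(enc)
    except ValueError:  # covers bad base64 and bad UTF-16 as well
        return None

def annotate(request_line, reply_line):
    """Append user=DOMAIN\\name to the real helper's NA reply for a KK request.
    The claimed name is unauthenticated input, so it is truncated and percent-encoded."""
    parts = request_line.split(None, 1)
    if len(parts) == 2 and parts[0] == "KK" and reply_line.startswith("NA "):
        parsed = parse_ntlm_authenticate(parts[1].strip())
        if parsed:
            domain, user = (quote(p[:64], safe="") for p in parsed)
            return f"{reply_line} user={domain}\\{user}"
    return reply_line

def build_sample(domain, user):
    """Constructed type 3 message (empty responses, Unicode strings) for trying this out."""
    d, u = domain.encode("utf-16-le"), user.encode("utf-16-le")
    empty = struct.pack("<HHI", 0, 0, 64)
    msg = NTLMSSP_SIG + struct.pack("<I", 3) + empty * 2
    msg += struct.pack("<HHI", len(d), len(d), 64)
    msg += struct.pack("<HHI", len(u), len(u), 64 + len(d))
    msg += empty * 2 + struct.pack("<I", NEGOTIATE_UNICODE)
    return base64.b64encode(msg + d + u).decode()
```

Because the name comes from a failed login, treat it as a claim only: percent-encoding keeps CR/LF and spaces in it from forging log lines or extra key=value pairs.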