Hi again,
I have been looking for the same setup as you are (transparent
authentication proxy in a full linux environment, i.e. linux/firefox +
linux/heimdal kerberos + linux/squid) for some time already, and I
asked the same question a few months ago with the same answer (need of
a helper). So I have read this thread with much interest, and think I
may add a few bits of information here.
You have mentioned in a previous post that your firefox was doing
native KRB5 nego instead of SPNEGO/KRB5. It may go back to the
original implementation that can be found at
http://meta.cesnet.cz/cms/opencms/en/docs/software/devel/negotiate.html
: <quote>Since we don't have any SPNEGO implementation we are using
directly Kerberos implementation of GSS API.</quote> I don't know
if SPNEGO has been added since then.
I am answering my own question here. According to the tutorial
http://www.grolmsnet.de/kerbtut/ (Using mod_auth_kerb and Windows
2000/2003 as KDC), mod_auth_kerb can serve IE clients. So I guess it
must be able to handle SPNEGO.
Cheers,
Denis
The interesting bit is that the same people have developed an apache
authentication module corresponding to the mozilla negotiation
implementation (http://modauthkerb.sourceforge.net/index.html).
Please correct me if I'm wrong, but an apache auth module and a squid
auth helper should be quite similar, shouldn't they? Current maintainer
of the apache kerberos auth module is Daniel Kouril, who is
working/studying in a Czech university. He is working on the myproxy
project, whose goal is to ease the authentication/authorization
management using certificates, especially in grid computing
environment. I'll drop him an email to see if he is interested to
collaborate with the squid community.
Cheers,
Denis
Regards
Henrik
--
Denis Cardon
Tranquil IT Systems
10 rue du Docteur Bouchard
49400 Saumur
tel : +33 (0) 2.41.67.56.99
fax : +33 (0) 2.40.56.09.81
mob : +33 (0) 6 81 66 27 62
http://www.tranquil-it-systems.fr
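
Added example, not part of the original message and not code from Squid or mod_auth_kerb: a check a helper author could use to tell whether a client's Negotiate token is raw Kerberos GSS-API or SPNEGO-wrapped, by reading the mechanism OID at the start of the token. The function names are hypothetical and the sample tokens are constructed placeholders, not real tickets.

```python
import base64

# Mechanism OIDs as DER content bytes (well-known values).
MECH_OIDS = {
    bytes.fromhex("2a864886f712010202"): "krb5",    # 1.2.840.113554.1.2.2
    bytes.fromhex("2b0601050502"): "spnego",        # 1.3.6.1.5.5.2
}

def _read_len(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def negotiate_mech(header_value):
    """Return 'krb5', 'spnego' or 'unknown' for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not a Negotiate header")
    tok = base64.b64decode(b64.strip(), validate=True)
    # GSS-API initial token: [APPLICATION 0] tag 0x60, length, then the mech OID.
    if len(tok) < 4 or tok[0] != 0x60:
        return "unknown"
    try:
        total, pos = _read_len(tok, 1)
        if pos + total > len(tok) or tok[pos] != 0x06:
            return "unknown"          # truncated token or no OID where expected
        oid_len, pos = _read_len(tok, pos + 1)
    except (ValueError, IndexError):
        return "unknown"
    return MECH_OIDS.get(bytes(tok[pos:pos + oid_len]), "unknown")

def _sample(oid, body):
    """Build a constructed token header: 0x60 framing + OID + placeholder body."""
    inner = b"\x06" + bytes([len(oid)]) + oid + body
    return "Negotiate " + base64.b64encode(b"\x60" + bytes([len(inner)]) + inner).decode()

# Constructed samples: correct framing, placeholder payload bytes.
KRB5_SAMPLE = _sample(bytes.fromhex("2a864886f712010202"), b"\x01\x00constructed")
SPNEGO_SAMPLE = _sample(bytes.fromhex("2b0601050502"), b"\xa0\x0bconstructed")

if __name__ == "__main__":
    for name, hdr in (("krb5 sample", KRB5_SAMPLE), ("spnego sample", SPNEGO_SAMPLE)):
        print(name, "->", negotiate_mech(hdr))
```

A helper that only accepts one of the two framings can log the detected mechanism before rejecting the token, which makes client-side differences like the one discussed in this thread visible in the proxy logs.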