Re: writing my own authenticator

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

paul cooper wrote:
> so ip_user wont actually do what i want ( the book isnt clear actually
> what it is there for)  - thanks Henrik
>
> what i want is to get  the currently logged-in user and pass it to squid
> which will then authenticate against that with no further dialog boxes etc
>  . i can then add eg time-based ACLs

I think you have confused purpose and nature of Authentication.
It's usually done by the browser when requesting web pages.

The standard methods use various authentication headers the browser 
passes to squid containing a user/pass.
Non-standard methods involve squid pulling various details like IP 
address and authenticating based on them instead of user/pass.

All any of the methods do is pass squid an OK/ERR result after 
authenticating to say the request can/not go through.

> So i thought id try my own. eventually i suspect i'll use gewtpwuid() and
> look up in /etc/passwd.
>
> #!/usr/bin/perl -wl
> $|=1;
>  my @names=("andrew","anne","nick","emma");
> my $username = `whoami` or die "Couldn't execute command: $!";
>    chomp($username);
> open (F, '>/tmp/data.txt');
> print F "$username\n";
> close (F);
> my $i=0;
> while ($i<$#names)
> {
> if ($names[$i] eq $username){print "OK user=$username";exit;}
> $i++;
> }
> print "ERR";
>
>
> and this returns  the current user and writes it to the file.

I'd suggest a test version that accepts anything squid sends, logs it 
exactly and says 'OK/ERR' randomly.

Run it for a while to see exactly what you can get from squid and design 
based on that.


Amos

> my squid.conf
>
> hepworth andrew # cat /etc/squid/squid.conf |grep ^acl
> acl all src 0.0.0.0/0.0.0.0
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl purge method PURGE
> acl CONNECT method CONNECT
> acl annes external MyAclHelper
> acl QUERY urlpath_regex cgi-bin \?
> acl apache rep_header Server ^Apache
> hepworth andrew # cat /etc/squid/squid.conf |grep ^http
> http_access Safe_ports allow
> http_access allow annes
> http_access deny all
> http_port 3128
> hepworth andrew # cat /etc/squid/squid.conf |grep ^external
> external_acl_type MyAclHelper /etc/squid/myaclhelper
> hepworth andrew #
>
> do i need an auth_param directive as well ? if so what ?
>
> so when i request a web page it asks me for a username and password  and
> myaclhelper doesnt write the text file. Should it be  doing the
> 2008/03/21 12:00:16| helperOpenServers: Starting 5 'getpwname_auth' processes
>  line ?
>
>
> hepworth squid # /usr/local/squid/sbin/squid -N -d6
> 2008/03/21 12:00:16| Starting Squid Cache version 2.6.STABLE18 for
> i686-pc-linux-gnu...
> 2008/03/21 12:00:16| Process ID 19869
> 2008/03/21 12:00:16| With 1024 file descriptors available
> 2008/03/21 12:00:16| Using epoll for the IO loop
> 2008/03/21 12:00:16| Performing DNS Tests...
> 2008/03/21 12:00:16| Successful DNS name lookup tests...
> 2008/03/21 12:00:16| DNS Socket created at 0.0.0.0, port 32860, FD 6
> 2008/03/21 12:00:16| Adding domain home.nw from /etc/resolv.conf
> 2008/03/21 12:00:16| Adding nameserver 192.168.0.254 from /etc/resolv.conf
> 2008/03/21 12:00:16| helperOpenServers: Starting 5 'getpwname_auth' processes
> 2008/03/21 12:00:16| Unlinkd pipe opened on FD 17
> 2008/03/21 12:00:16| Swap maxSize 102400 KB, estimated 7876 objects
> 2008/03/21 12:00:16| Target number of buckets: 393
> 2008/03/21 12:00:16| Using 8192 Store buckets
> 2008/03/21 12:00:16| Max Mem  size: 8192 KB
> 2008/03/21 12:00:16| Max Swap size: 102400 KB
> 2008/03/21 12:00:16| Rebuilding storage in /usr/local/squid/var/cache (CLEAN)
> 2008/03/21 12:00:16| Using Least Load store dir selection
> 2008/03/21 12:00:16| Current Directory is /etc/squid
> 2008/03/21 12:00:16| Loaded Icons.
> 2008/03/21 12:00:16| Accepting proxy HTTP connections at 0.0.0.0, port
> 3128, FD 19.
> 2008/03/21 12:00:16| Accepting ICP messages at 0.0.0.0, port 3130, FD 20.
> 2008/03/21 12:00:16| WCCP Disabled.
> 2008/03/21 12:00:16| Ready to serve requests.
> 2008/03/21 12:00:17| Done reading /usr/local/squid/var/cache swaplog (688
> entries)
> 2008/03/21 12:00:17| Finished rebuilding storage from disk.
> 2008/03/21 12:00:17|       688 Entries scanned
> 2008/03/21 12:00:17|         0 Invalid entries.
> 2008/03/21 12:00:17|         0 With invalid flags.
> 2008/03/21 12:00:17|       688 Objects loaded.
> 2008/03/21 12:00:17|         0 Objects expired.
> 2008/03/21 12:00:17|         0 Objects cancelled.
> 2008/03/21 12:00:17|         0 Duplicate URLs purged.
> 2008/03/21 12:00:17|         0 Swapfile clashes avoided.
> 2008/03/21 12:00:17|   Took 0.4 seconds (1801.4 objects/sec).
> 2008/03/21 12:00:17| Beginning Validation Procedure
> 2008/03/21 12:00:17|   Completed Validation Procedure
> 2008/03/21 12:00:17|   Validated 688 Entries
> 2008/03/21 12:00:17|   store_swap_size = 4320k
> 2008/03/21 12:00:17| storeLateRelease: released 0 objects


--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.