Re: When user removed from password file ncsa_auth, they are not reauthenticated

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

J Webster wrote:
> Does auth_param basic credentials_ttl have to be set in conjunction with 
> authenticate_cache_garbage_interval?
> The help files don't make it clear and they seem to both do the same 
> thing. ?confused?

TTL sets a maximum time the credentials are valid.

Garbage interval sets a minimum on how often they are checked. Every 
garbage interval credentials which have already passed their TTL are 
simply discarded.

Before garbage is run some credentials may be stored but not valid well 
past the TTL if they are not used. This is not a problem other than some 
minimal waste of memory until something causes them to be thrown out. 
Their next use will check the TTL and discard/replace as needed.

What you need is the smallest TTL reasonable given the churn in your 
users. This will set the maximum period after being blocked when users 
might still have access by username.

Amos

> --------------------------------------------------
> From: "Amos Jeffries" <squid3@xxxxxxxxxxxxx>
> Sent: Sunday, August 16, 2009 1:24 AM
> To: "J Webster" <webster_jack@xxxxxxxxxxx>
> Cc: <squid-users@xxxxxxxxxxxxxxx>
> Subject: Re:  When user removed from password file 
> ncsa_auth, they are not reauthenticated
>
> > On Sat, 15 Aug 2009 16:18:32 +0100, "J Webster" 
> > <webster_jack@xxxxxxxxxxx>
> > wrote:
> > > When users are removed from an ncsa_auth style password file, squid does
> > > not
> > > seem to reauthenticate them.
> > > Even on a subsequent browser restart, they are re-authenticated but
> > > worse...it allows them into the proxy even though they are not now in 
> > > the
> >
> > > password file.
> > > Testing with a user not in the password file denies them properly.
> > > Is the old user cached somewhere?
> >
> > Yes in these places:
> > * in the authenticator sub-system (maybe)
> > * in Squid
> > * in the Browser
> >
> > Each has a timeout and all timeouts need to clear from the bottom up.
> >
> > The auth sub-systems I've seen caching have timeout in the order of a few
> > seconds to halt bursts, or in some daemons a restart/reconfigure is 
> > needed
> > when the auth system removal process is not used properly (ie editing
> > users.conf insteaad of using passwd utility).
> >
> > Squid defaults to 1 hour. This is probably what you have seen. Check the
> > squid.conf documentation for whatever unnamed version of Squid you are
> > using on how to change that.
> > http://www.squid-cache.org/Doc/config/
> >
> > Browser caches forever, until closed and restarted, or until Squid uses a
> > "deny" access control to tells it its wrong.
> >
> > Amos


--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13