Vivek Varghese Cherian wrote:
Hi,

My client has a requirement where he would like to ensure that a user authorized to Squid should be able to access the internet from only one IP address. Her requirement is that even if one of her users shares her password with a second user, the second should not be able to log in except from the first user's machine, not even on the second user's machine or any other machine in the network for that matter. The client has around 1000 users in her organization who frequently share their user names and passwords with other users.

Any pointers/URLs in this direction would be most welcome. If this question has been answered previously on this mailing list, a pointer in that direction would suffice.

Thanks in advance.

Regards,
I see you are faced with the major job dealing with a seriously dangerous habit amongst your users.
The only real solution is education. The users must be taught not to share access privileges. This is going to take some work and probably a fair amount of time as well.
You will need a plan of attack on the problem and support from your organization's management to make this fully work. The management will need to make policies prohibiting credentials being shared and outline some consequences if they are.
A) The easy initial catch is to use a max_user_ip type ACL, which detects multiple IPs using the same credentials. A deny_info splash page for that ACL can be used to inform the users that their offence has been caught and reinforce the organization's policies. This can be fooled in circumstances where DHCP dynamically assigns IPs, or NAT hides whole groups of users.
B) As Jeff pointed out, the arp type ACL can go beyond the IP address and detect individual machines' network cards. This can fail if the network has any routers between the users and Squid, and may require an organization-wide proxy-ARP protocol to be implemented.
C) The other way is to create a database matching user logins to the IP address each user is assigned. Create an external_acl_type script that takes %LOGIN %SRC parameters and looks up the database for a matching pair, returning OK/ERR according to whether the request is allowed or not. This can be fooled by NAT, by users setting their IP manually, or by relaying requests through a box which does either for them.
Amos -- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.1
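As an added illustration of option (C) above (example code written for this page, not part of Amos's reply or of Squid itself): a minimal external_acl_type helper that binds each login to one source address. The login-to-IP table, the helper path, the ACL names and the squid.conf lines in the docstring are all assumptions; the real deployment would read the pairs from whatever database the organization keeps. Squid hands the helper one request per line on stdin and expects one reply line per request, so the helper must answer every line, fail closed on anything it cannot parse, and flush after each reply.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper: allow a login only from its registered IP.

Constructed example for approach (C); not Squid's own code. Hypothetical
squid.conf wiring (helper path, ACL names and TTLs are assumptions):

    external_acl_type login_ip ttl=60 negative_ttl=10 %LOGIN %SRC \
        /usr/local/bin/login_ip_check.py /etc/squid/login_ip.db
    acl authed proxy_auth REQUIRED
    acl login_ip_ok external login_ip
    http_access deny !authed
    http_access deny !login_ip_ok
    http_access allow authed

Squid writes "login ip" per line to stdin ("channel-id login ip" when
concurrency= is set) and reads back "OK" or "ERR [message=...]", with the
channel id echoed in front when one was given.
"""
import ipaddress
import sys
from urllib.parse import quote, unquote

# Constructed login -> IP table standing in for the real database.
LOGIN_TO_IP = {
    "alice": "10.1.2.10",
    "bob": "10.1.2.11",
    "carol": "2001:db8::12",
}


def load_db(path):
    """Load 'login ip' pairs, one per line; '#' starts a comment."""
    db = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            login, ip = line.split()[:2]
            db[login] = ip
    return db


def lookup(login, src, db=LOGIN_TO_IP):
    """True only if login is known and src is exactly its registered address.

    Unknown logins and unparsable addresses fail closed. Note that src is
    whatever Squid sees: behind NAT it is the NAT box, not the user's PC.
    """
    registered = db.get(login)
    if registered is None:
        return False
    try:
        return ipaddress.ip_address(src) == ipaddress.ip_address(registered)
    except ValueError:
        return False


def handle_line(line, db=LOGIN_TO_IP, concurrent=False):
    """Turn one request line from Squid into the reply line to send back."""
    fields = line.strip().split()
    channel = ""
    if concurrent:
        if not fields:
            return "ERR"
        channel, fields = fields[0] + " ", fields[1:]
    if len(fields) < 2:
        # Malformed request: deny rather than guess.
        return channel + "ERR"
    # Squid %-escapes helper arguments by default (assumption: default
    # encoding in use); undo that before the lookup.
    login, src = unquote(fields[0]), unquote(fields[1])
    if lookup(login, src, db):
        return channel + "OK"
    # message= is shown as %o on the deny_info page; keep it URL-encoded
    # so it stays a single token for older Squid releases.
    reason = "login %s is not permitted from %s" % (login, src)
    return channel + "ERR message=" + quote(reason, safe="")


def main():
    args = sys.argv[1:]
    concurrent = "--concurrent" in args
    paths = [a for a in args if a != "--concurrent"]
    db = load_db(paths[0]) if paths else LOGIN_TO_IP
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, db, concurrent) + "\n")
        sys.stdout.flush()  # Squid blocks on each reply; never buffer them


if __name__ == "__main__":
    main()
```

Run it with the database path as its first argument, and add `--concurrent` to match a `concurrency=` setting on the external_acl_type line. The negative_ttl keeps a denied login/IP pair from hammering the helper, and the `message=` text reaches the user through the deny_info page, which is where the policy reminder Amos suggests belongs.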