On Tue, 20 Sep 2011 22:15:29 +0300, Nikolaos Milas wrote:
On 20/9/2011 4:53 PM, Luis Daniel Lucio Quiroz wrote:
...
There are 3 more ways and you shall evaluate what fits the best for
you.
a) you may use Kerberos auth, many browsers support it right now.
b) you may use NTLM2 auth, helper is available at samba package
c) you may relay secure auth with radius+https, after auth successful
with a browser that client ip shall surf
Thank you, Luis.
So, the solution with certificates would not work? I read about it
here:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Client-Certificate-Authentication-td3353759.html
Now that I re-read it (cause it's long), I come to the conclusion
that certificate-authentication wouldn't/shouldn't work without SSL,
so it seems stunnel (for example, or other similar solutions as
discussed on that thread) would still be needed. Configuration
details for certificate-based authentication would still be
interesting, if available anywhere.
Correct. The certificate is itself the secure "token" equivalent of a
password. The SSL handshake is the auth process.
In theory HTTP can support a certificate-based auth scheme. However,
nobody has yet written any specifications describing one, so there is no
software support for it outside of SSL/TLS interactions.
I guess I'll now try Squid with Kerberos auth...
Nick
Amos
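
The point made in the reply above, that the SSL handshake is the authentication step, shown as an added configuration sketch that is not from the thread or from the Squid project. It assumes Squid 3.x directive names and a build with SSL support; the port, file paths and certificate names are placeholders.

```conf
# Added example: Squid 3.x syntax assumed. Port, paths and names are placeholders.

# TLS listener on the proxy itself. cert=/key= are the proxy's own identity.
# clientca= names the CA whose certificates the proxy asks clients to present,
# so the client is identified during the handshake, before any HTTP request
# is read. No Proxy-Authorization header or auth_param helper is involved.
https_port 3129 cert=/etc/squid/proxy-cert.pem key=/etc/squid/proxy-key.pem clientca=/etc/squid/client-ca.pem

# Plain-HTTP listener kept for comparison: it has no handshake, so there is
# nothing to carry a certificate and the user_cert ACL below can never match.
http_port 3128

# Match on the subject CN of the certificate the client presented.
# "alice" and "bob" are hypothetical certificate subjects.
acl cert_users user_cert CN alice bob

# Only requests that arrived on the TLS listener (hypothetical ACL name).
acl tls_listener myport 3129

# Allow only authenticated-by-certificate clients on the TLS listener;
# everything else, including all traffic on 3128, is refused.
http_access allow tls_listener cert_users
http_access deny all
```

Clients have to speak TLS to port 3129 for this to apply, which is why the thread brings up stunnel for clients that cannot do so themselves.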