
Re: squid and authentication

On 10/08/2012 5:59 a.m., Eugene M. Zheganin wrote:
Hi.

I'm using squid for more than 10 years for now.
I wrote a couple of articles about it.

But there are still some basic things about it that I don't understand.
Or, I don't know, some things about proxy authentication.
I know I will look silly, but I still decided to ask.
I decided to ask here, not because I'm sure it's a squid issue (I guess it's not) but because I think you guys have answered a lot of stupid questions like "why doesn't my authentication work".

So. I imagine I have set up some authentication schemes. Basic, NTLM, doesn't matter.

Yes it does. The model for those two types of auth is *extremely* different, and affects things such as where credentials can be located, stored, or re-used. Which all have a great effect on the behaviour.


Imagine I have Mozilla on some UNIX operating system. I launch it, I see that it's NTLM since it doesn't show the realm (and Basic of course does), then I enter my credentials (I guess it's okay for UNIX, as Mozilla on a Windows domain machine doesn't ask for it, so it must be some issue in NTLM/Mozilla/Samba or whatever), then it's okay until some point. But sooner or later Firefox (and Mozilla previously) will re-ask for my credentials. This happens a lot on UNIX OSes, and mostly with Mozilla. This happens with Chrome too, but not that often.

What is it? How long do the credentials stay in squid's cache?

There are several caches involved. The OS (where Basic vs NTLM matters), Mozilla's, Squid's credential cache (where Basic vs NTLM matters), Squid's helper lookup cache, and any backend authentication system caches (PAM, SASL, LDAP, etc. may use some).

As you can see the OS and Squid have scheme-specific limitations.

I know about 'credentialsttl' for the Basic scheme, but there's no such option for NTLM. I've read RFC 2617 and I dumped the HTTP sessions of client browsers with my proxy, but I didn't find the answer to the question "why does the authentication popup reappear" - the RFC says nothing about re-asking or keeping an explicit cache. One more question - why can't the browser simply and silently resend the authentication? All the browsers I've seen show the authentication popup again, so I think this is some common approach and not a browser developer conspiracy.

They can. The popup is a browser GUI feature, there is no spec. It only means that Squid asked for credentials, and the browser did not know what to supply.

That might be because the browser has several options available and can't choose. Or that somehow it believes the ones it's got won't work. Or that it can't find any.


The scheme-specific differences at the Squid end of the connection determine what happens there.

Making a request (new connection - no credentials given):
 * NTLM: credentials are requested from the browser and the multi-legged auth sequence is started when it responds with stage-1 credentials.
 * Basic: a shared cache is used, so credentials are only re-validated after the credentialsttl timeout.

Making a request (new connection - WITH new credentials given):
 * NTLM: Squid checks the helper to verify the token and uses its output to determine whether to accept or to continue the multi-legged auth sequence challenges.
 * Basic: Squid checks the helper to verify the token.

After validation the credentials get stored by Squid:
 * NTLM: credentials are linked to a connection and last as long as that connection is alive. It is a form of caching, but without any fixed TTL. And it does not permit TCP connection 1 to re-use credentials from connection 2 etc.
 * Basic: credentials go into a shared cache of known credentials. It has a fixed TTL. Any request from any connection may replay trusted credentials and be accepted.

The browser is required to re-send the auth token on every request regardless of scheme:
 * NTLM: checks that it is unchanged from what got attached to the connection. Aborts the connection with an auth re-challenge if it has changed.
 * Basic: does a full validation (short-circuited by the Squid users cache). Performs an auth re-challenge if it is unknown credentials.

Each credential has a TTL:
 * NTLM: this is connection closure, so they are just erased.
 * Basic: re-validates the credentials token with the backend helper.
The client/browser is only informed (via auth challenge) if the credentials fail to validate at this point.

... well, when it's working properly anyway.

As you can see, Squid only challenges under specific circumstances. One of these is what is happening when the browser logic ends with a popup.

Amos
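An added illustration, not part of this thread and not Squid's own code: the two credential paths Amos describes, modelled in Python. Basic uses a shared cache keyed on the token that any connection may replay until credentialsttl expires, after which the helper is run again; NTLM binds the token to one connection with no TTL, re-challenges if the token changes on that connection, and erases the binding at connection close. The Helper class, the "accept"/"challenge" results and the token strings are constructed stand-ins.

```python
# Constructed model of Squid's scheme-specific credential handling.
# Helper validations are counted so the re-validation behaviour is visible.

class Helper:
    """Stand-in for an auth helper (basic_* / ntlm_*); counts validations."""
    def __init__(self, valid_tokens):
        self.valid, self.calls = set(valid_tokens), 0

    def check(self, token):
        self.calls += 1
        return token in self.valid


class BasicAuth:
    """Shared cache keyed on the token; helper re-run once credentialsttl expires."""
    def __init__(self, helper, credentialsttl):
        self.helper, self.ttl, self.cache = helper, credentialsttl, {}

    def request(self, conn_id, token, now):
        # conn_id is deliberately unused: any connection may replay a trusted token
        expires = self.cache.get(token)
        if expires is not None and now < expires:
            return "accept"                      # served from the users cache
        if self.helper.check(token):             # first sight, or TTL expired
            self.cache[token] = now + self.ttl
            return "accept"
        self.cache.pop(token, None)
        return "challenge"                       # 407 re-challenge; browser may pop up


class NtlmAuth:
    """Credentials bound to a TCP connection; no TTL, erased when it closes."""
    def __init__(self, helper):
        self.helper, self.by_conn = helper, {}

    def request(self, conn_id, token):
        bound = self.by_conn.get(conn_id)
        if bound is None:                        # new connection: handshake collapsed
            if self.helper.check(token):         # to a single helper check here
                self.by_conn[conn_id] = token
                return "accept"
            return "challenge"
        if bound != token:                       # token changed mid-connection
            del self.by_conn[conn_id]
            return "challenge"                   # drop binding and re-challenge
        return "accept"                          # same token as bound: no helper call

    def close(self, conn_id):
        self.by_conn.pop(conn_id, None)          # connection closure is the only TTL
```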

