Search squid archive

Re: Authentication of non-standard methods

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 12.12.2012 11:33, Trever L. Adams wrote:
Hello Everyone,

I am looking at Shibboleth. I have seen one example

(http://www.switch.ch/aai/support/presentations/opcom-201105/AAI-OpCom-AAI_for_mandatory_authentication_and_proxy_usage.pdf)
for using it with Squid. I am afraid it makes no sense to me.

I am afraid I do not know much about Shibboleth yet. It has three
components for authentication, user, password, domain. It has to use
redirects, etc.

I see an easy way for this to work, but need help figuring it out.

If a user isn't authenticated, I need to send them to a url.


 acl bounce src all
 acl auth proxy_auth REQUIRED
 deny_info 307:http://example.com/ bounce
 http_access deny !auth bounce

... but see below...


How do I know if a user is authenticated? Well, it seems that this is
going to have to be passing the requesting client's ip address to a
program and get the response back if they are authenticated or not.

NOTE: user != IP address. Therefore user authentication doe not imply IP address is authenticated, particularly in HTTP where one client (IP address) can be presenting traffic from multiple users. Essentially stateful connection-based authentication and stateless HTTP do not mix well - as is constantly being 'discovered' by NTLM people.


It
would be nice if I could pass a user name, but I am not sure how to do this as this would require interaction with the browser and this should
be SSO.

The ACLs above pass the Proxy-Authenticate header to a helper program for authentication tests. That header contains username and security token, sometimes domain if the auth type uses domains.

SSO is a property of the *backend* accepting the credentials supplied by the client to Squid. SSO is simply the process of the backend accepting the same credentials from multiple services (Squid being one). It is no more different than a user signing up at two separate websites with identical username/password details and being able to login to both.



So, is it possible to do an auth_param to a special program that just
looks at the ip address? Have it return yes/no for if it is an
authenticated session?

No. auth_param is about verifying that the user is who they say they are. Cousin Bob arriving in Alices car ('from' IP address) does not verify that Bob == Alice, only that the vehicle is a car not a truck.

IP can at most be used as an authorization check to make some handling decision about the particular request. Authorization is done with external_acl_type helpers.



If no, then do a url_rewrite_access (I am assuming this is correct)?

redirector helper is one way to do it. But these must first accept the request for processing (http_access allow). It is more efficient to do the above ACLs I listed and alter the denial message sent by Squid into a 307 redirect message.

** redirectors like external ACL helpers, do not perform HTTP authentication. Just authorization.


Finally, is it possible to have multiple authentication algorithms?

When using Proxy-Authenticate: yes of course.

Some
of the users will be local and be able to do krb5/spnego. So, if at all possible, I would like to have the option of trying krb5, then spnego,
then Shibboleth.

I suggest you work along the lines of using an external_acl_type helper for Shibboleth. Since it is more about authorization of a request to be processed than authenticating that the source IP is a genuine user account.


You can use localnet ACL or a similar check for internal/external clients to skip or require the authentication with Negotiate/kerberos.


Amos


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux