On 2/09/2014 10:02 p.m., James Harper wrote:
> I mentioned at the tail of another email, I'd like to see a better
> out-of-band authentication protocol than ident. Such a protocol
> would have:
>
> . a single connection from squid over which all identification
>   requests travel. Not one connection per request as with ident.
> . two way authentication (psk or certificate)
> . encryption (tls)
> . full connection description (src ip, src port, dst ip, dst port) so
>   that interception proxy works (ident only exchanges port numbers)
> . optional reverse connection (client connects to squid rather than
>   squid connecting to client - only useful for a single proxy server
>   but means no firewall exceptions on the client)
> . probably still use port 113 (not that it really matters...)
>
> Does such a thing exist already?

The "external" ACL type runs a (or several) helper programs on persistent connections which perform arbitrary out-of-band operations and return to Squid the authorization approval to allow/deny the transaction.

There is Negotiate authentication. The security tokens are set up out-of-band and used securely in-band.

I also have a patch implementing OAuth 2.0 Bearer authentication for Squid, although it needs some polishing, and clients supporting proxy-auth Bearer seem to be a rarity still. Sponsorship welcome to get those final steps completed.

Amos
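As an added illustration of the external ACL mechanism Amos points to (this is example code written for this page, not Squid's own code or anything from the thread), the helper below implements the external_acl_type helper protocol: Squid keeps the helper running, writes one request line per lookup on its stdin, and reads one verdict line per request from its stdout. The squid.conf wiring it assumes is hypothetical: an ACL type named oob_ident with concurrency=10 and the format %SRC %SRCPORT %MYADDR %MYPORT, so that each request carries the client and proxy side of the connection and a channel ID the helper must echo back. The identity table standing in for the real out-of-band identity source is constructed for the example; in a deployment that lookup is where the mutually authenticated, encrypted channel James asks for would live, with the helper acting as Squid's trusted client of it. The BH verdict for malformed input assumes Squid 3.4 or later.

```python
"""Squid external ACL helper answering (src ip, src port) -> user lookups.

Added example for this page, not Squid project code.  Assumed squid.conf
(hypothetical names):

  external_acl_type oob_ident ttl=60 concurrency=10 \
      %SRC %SRCPORT %MYADDR %MYPORT /usr/local/bin/oob_ident_helper.py
  acl known_user external oob_ident
  http_access allow known_user

Protocol recap: one request per line on stdin; with concurrency=N Squid
prefixes each line with a channel ID that must be echoed in the reply;
format values are URL-encoded; replies are OK / ERR (optionally followed
by key=value pairs such as user=) or BH for a helper-side failure.
"""
import sys
from urllib.parse import unquote

# Constructed stand-in for the out-of-band identity source (ident-like
# daemon, NAC database, agent over mutually authenticated TLS, ...).
IDENTITY_TABLE = {
    ("192.0.2.10", 51234): "alice",
    ("192.0.2.11", 40001): "bob",
}


def parse_request(line, concurrency=True):
    """Split one request line into (channel_id, fields).

    channel_id is None when the helper is run without concurrency=.
    Each field is URL-decoded, the encoding Squid applies to format values.
    """
    tokens = [unquote(t) for t in line.strip().split(" ") if t != ""]
    if concurrency:
        if not tokens:
            return None, []
        return tokens[0], tokens[1:]
    return None, tokens


def lookup_user(table, src_ip, src_port):
    """Out-of-band lookup; returns the user name or None if unknown."""
    return table.get((src_ip, src_port))


def format_response(channel_id, verdict, **kv):
    """Build the reply line Squid expects: [channel] VERDICT [key=value ...]."""
    parts = [] if channel_id is None else [channel_id]
    parts.append(verdict)
    parts.extend(f"{key}={value}" for key, value in kv.items())
    return " ".join(parts)


def handle_line(line, table=IDENTITY_TABLE, concurrency=True):
    """Map one request line to one reply line (without trailing newline)."""
    channel, fields = parse_request(line, concurrency)
    # Squid sends exactly the four fields of the assumed format; anything
    # else means the helper and the ACL definition disagree.  BH tells
    # Squid the helper failed rather than silently denying or allowing.
    if len(fields) < 4:
        return format_response(channel, "BH")
    src_ip, src_port, _my_addr, _my_port = fields[:4]
    try:
        port = int(src_port)
    except ValueError:
        return format_response(channel, "BH")
    user = lookup_user(table, src_ip, port)
    if user is None:
        return format_response(channel, "ERR")
    # user= lets Squid log and later ACLs use the identity we established.
    return format_response(channel, "OK", user=user)


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        # Squid blocks until it sees the newline; a buffered reply stalls
        # the channel (and, with ttl=, every request sharing that key).
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it by hand with a line such as `0 192.0.2.10 51234 198.51.100.1 3128` on stdin to see `0 OK user=alice`; the same client IP with an unknown source port yields `0 ERR`. Note that the verdict is cached by Squid for the ACL's ttl, so the source port must be part of the key (as in the assumed format) or a NATed client would inherit another connection's identity.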