Once you know what the market offers and their equivalent costs you will = probably understand what you want and what you can afford to invest in the development process of = each part of setup. =20 All The Bests, Eliezer =20 ---- Eliezer Croitoru NgTech, Tech Support Mobile: +972-5-28704261 Email: ngtech1ltd@xxxxxxxxx <mailto:ngtech1ltd@xxxxxxxxx>=20 =20 From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf = Of David Touzeau Sent: Friday, February 11, 2022 17:03 To: squid-users@xxxxxxxxxxxxxxxxxxxxx Subject: Re: Squid plugin sponsor =20 Hello Thank you but this is not the objective and this is the reason for = needing the "fake". Access to Kerberos or NTLM ports of the AD, is not possible. An LDAP = server would be present with accounts replication. The idea is to do a silent authentication without joining the AD=20 We did not need the double user/password credential, only the user sent = by the browser is required If the user has an Active Directory session then his account is = automatically sent without him having to take any action. If the user is in a workgroup then the account sent will not be in the = LDAP database and will be rejected. I don't need to argue about the security value of this method. It saves = us from setting up a gas factory to make a kind of HotSpot Le 11/02/2022 =C3=A0 05:55, Dieter Bloms a =C3=A9crit : Hello David, =20 for me it looks like you want to use kerberos authentication. With kerberos authentication the user don't have to authenticate against the proxy. The authentication is done in the background. =20 Mayb this link will help: =20 https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos =20 On Thu, Feb 10, David Touzeau wrote: =20 Hi =20 What we are looking for is to retrieve a "user" token without having to = ask anything from the user. That's why we're looking at Active Directory credentials. Once the user account is retrieved, a helper would be in charge of = checking if the user exists in the LDAP database. This is to avoid any connection to an Active Directory Maybe this is impossible =20 =20 Le 10/02/2022 =C3=A0 05:03, Amos Jeffries a =C3=A9crit : On 10/02/22 01:43, David Touzeau wrote: Hi =20 I would like to sponsor the improvement of ntlm_fake_auth to support new protocols =20 ntlm_* helpers are specific to NTLM authentication. All LanManager (LM) protocols should already be supported as well as currently possible. NTLM is formally discontinued by MS and *very* inefficient. =20 NP: NTLMv2 with encryption does not *work* because that encryption step requires secret keys the proxy is not able to know. =20 or go further produce a new negotiate_kerberos_auth_fake =20 =20 With current Squid this helper only needs to produce an "OK" response regardless of the input. The basic_auth_fake does that. =20 Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx = <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx>=20 http://lists.squid-cache.org/listinfo/squid-users =20 _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx = <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx>=20 http://lists.squid-cache.org/listinfo/squid-users =20 =20 =20 ------=_NextPart_000_001B_01D81FE1.FE9FFC70 Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: quoted-printable <html xmlns:v=3D"urn:schemas-microsoft-com:vml" = xmlns:o=3D"urn:schemas-microsoft-com:office:office" = xmlns:w=3D"urn:schemas-microsoft-com:office:word" = xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml"; = xmlns=3D"http://www.w3.org/TR/REC-html40";><head><meta = http-equiv=3DContent-Type content=3D"text/html; charset=3Dutf-8"><meta = name=3DGenerator content=3D"Microsoft Word 15 (filtered = medium)"><style><!-- /* Font Definitions */ @font-face {font-family:Wingdings; panose-1:5 0 0 0 0 0 0 0 0 0;} @font-face {font-family:"Cambria Math"; panose-1:2 4 5 3 5 4 6 3 2 4;} @font-face {font-family:Calibri; panose-1:2 15 5 2 2 2 4 3 2 4;} @font-face {font-family:Consolas; panose-1:2 11 6 9 2 2 4 3 2 4;} /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {margin:0in; font-size:11.0pt; font-family:"Calibri",sans-serif; color:#464646;} a:link, span.MsoHyperlink {mso-style-priority:99; color:blue; text-decoration:underline;} pre {mso-style-priority:99; mso-style-link:"HTML Preformatted Char"; margin:0in; margin-bottom:.0001pt; font-size:10.0pt; font-family:"Courier New",serif; color:#464646;} p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph {mso-style-priority:34; margin-top:0in; margin-right:0in; margin-bottom:0in; margin-left:.5in; font-size:11.0pt; font-family:"Calibri",sans-serif; color:#464646;} span.HTMLPreformattedChar {mso-style-name:"HTML Preformatted Char"; mso-style-priority:99; mso-style-link:"HTML Preformatted"; font-family:Consolas; color:#464646;} span.EmailStyle20 {mso-style-type:personal-reply; font-family:"Calibri",sans-serif; color:windowtext;} .MsoChpDefault {mso-style-type:export-only; font-size:10.0pt;} @page WordSection1 {size:8.5in 11.0in; margin:1.0in 1.0in 1.0in 1.0in;} div.WordSection1 {page:WordSection1;} /* List Definitions */ @list l0 {mso-list-id:459612849; mso-list-type:hybrid; mso-list-template-ids:1073793258 557760372 67698691 67698693 67698689 = 67698691 67698693 67698689 67698691 67698693;} @list l0:level1 {mso-level-start-at:0; mso-level-number-format:bullet; mso-level-text:=EF=82=B7; mso-level-tab-stop:none; mso-level-number-position:left; text-indent:-.25in; font-family:Symbol; mso-fareast-font-family:Calibri; mso-bidi-font-family:Arial;} @list l0:level2 {mso-level-number-format:bullet; mso-level-text:o; mso-level-tab-stop:none; mso-level-number-position:left; text-indent:-.25in; font-family:"Courier New",serif;} @list l0:level3 {mso-level-number-format:bullet; mso-level-text:=EF=82=A7; mso-level-tab-stop:none; mso-level-number-position:left; text-indent:-.25in; font-family:Wingdings;} @list l0:level4 {mso-level-number-format:bullet; mso-level-text:=EF=82=B7; mso-level-tab-stop:none; mso-level-number-position:left; text-indent:-.25in; font-family:Symbol;} @list l0:level5 {mso-level-number-format:bullet; mso-level-text:o; mso-level-tab-stop:none; mso-level-number-position:left; text-indent:-.25in; font-family:"Courier New",serif;} @list l0:level6 {mso-level-number-format:bullet; mso-level-text:=EF=82=A7; mso-level-tab-stop:none; mso-level-number-position:left; text-indent:-.25in; font-family:Wingdings;} @list l0:level7 {mso-level-number-format:bullet; mso-level-text:=EF=82=B7; mso-level-tab-stop:none; mso-level-number-position:left; text-indent:-.25in; font-family:Symbol;} @list l0:level8 {mso-level-number-format:bullet; mso-level-text:o; mso-level-tab-stop:none; mso-level-number-position:left; text-indent:-.25in; font-family:"Courier New",serif;} @list l0:level9 {mso-level-number-format:bullet; mso-level-text:=EF=82=A7; mso-level-tab-stop:none; mso-level-number-position:left; text-indent:-.25in; font-family:Wingdings;} ol {margin-bottom:0in;} ul {margin-bottom:0in;} --></style><!--[if gte mso 9]><xml> <o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" /> </xml><![endif]--><!--[if gte mso 9]><xml> <o:shapelayout v:ext=3D"edit"> <o:idmap v:ext=3D"edit" data=3D"1" /> </o:shapelayout></xml><![endif]--></head><body bgcolor=3Dwhite = lang=3DEN-US link=3Dblue vlink=3Dpurple = style=3D'word-wrap:break-word'><div class=3DWordSection1><p = class=3DMsoNormal><span style=3D'color:windowtext'>Hey = David,<o:p></o:p></span></p><p class=3DMsoNormal><span = style=3D'color:windowtext'><o:p> </o:p></span></p><p = class=3DMsoNormal><span style=3D'color:windowtext'>The general name of = this concept is SSO service.<o:p></o:p></span></p><p = class=3DMsoNormal><span style=3D'color:windowtext'>It can have single or = multiple backends.<o:p></o:p></span></p><p class=3DMsoNormal><span = style=3D'color:windowtext'>The main question is how to implement the = solution in the optimal way possible.<br>(taking into account money, = coding complexity and other humane parts)<o:p></o:p></span></p><p = class=3DMsoNormal><span = style=3D'color:windowtext'><o:p> </o:p></span></p><p = class=3DMsoNormal><span style=3D'color:windowtext'>You will need to = authenticate the client against the main AUTH = service.<o:p></o:p></span></p><p class=3DMsoNormal><span = style=3D'color:windowtext'>There is a definitive way or statistical way = to implement this solution.<o:p></o:p></span></p><p = class=3DMsoNormal><span style=3D'color:windowtext'>With AD or Kerberos = it=E2=80=99s possible to implement the solution in such a way that = windows will<br>=E2=80=9Ctransparently=E2=80=9D authenticate to the = proxy service.<o:p></o:p></span></p><p class=3DMsoNormal><span = style=3D'color:windowtext'>However you must understand that all of this = requires an infrastructure that will provide every piece of the = setup.<o:p></o:p></span></p><p class=3DMsoNormal><span = style=3D'color:windowtext'>If your setup doesn=E2=80=99t contains RDP = like servers then it=E2=80=99s possible that you can authenticate a user = with an IP compared<br>to pinning every connection to a specific = user.<o:p></o:p></span></p><p class=3DMsoNormal><span = style=3D'color:windowtext'>Also, the =E2=80=9Ccost=E2=80=9D of = non-transparent authentication is that the user will be required to = enter (manually or automatically) <br>the username and the = password.<o:p></o:p></span></p><p class=3DMsoNormal><span = style=3D'color:windowtext'>An HotSpot like setup is called = =E2=80=9CCaptive Portal=E2=80=9D and it=E2=80=99s a very simple setup to = implement with active directory.<o:p></o:p></span></p><p = class=3DMsoNormal><span style=3D'color:windowtext'>It=E2=80=99s also = possible to implement a transparent authentication for such a setup = based on session tokens.<o:p></o:p></span></p><p class=3DMsoNormal><span = style=3D'color:windowtext'><o:p> </o:p></span></p><p = class=3DMsoNormal><span style=3D'color:windowtext'>You actually = don=E2=80=99t need to create a =E2=80=9Cfake=E2=80=9D helper for such a = setup but you can create one that is based on = Linux.<o:p></o:p></span></p><p class=3DMsoNormal><span = style=3D'color:windowtext'>It=E2=80=99s an =E2=80=9CAdvanced=E2=80=9D = topic but if you do ask me it=E2=80=99s possible that you can take this = in steps.<o:p></o:p></span></p><p class=3DMsoNormal><span = style=3D'color:windowtext'>The first step would be to use a session = helper that will authenticate the user and will identify the = user<br>based on it=E2=80=99s IP address.<o:p></o:p></span></p><p = class=3DMsoNormal><span style=3D'color:windowtext'>If it=E2=80=99s a = wireless setup you can use a radius based authentication ( can also be = implemented on a wired setup).<o:p></o:p></span></p><p = class=3DMsoNormal><span style=3D'color:windowtext'>Once you will = authenticate the client transparently or in another way you can limit = the usage of the username to<br>a specific client and with that comes a = guaranteed situation that a username will not be used from two = sources.<o:p></o:p></span></p><p class=3DMsoNormal><span = style=3D'color:windowtext'>I don=E2=80=99t know about your experience = but the usage of a captive portal is very common In such = situations.<o:p></o:p></span></p><p class=3DMsoNormal><span = style=3D'color:windowtext'>The other option is to create an agent in the = client side that will identify the user against the proxy/auth = service<br>and it will create a situation which an authorization will be = acquired based on some degree of authentication.<o:p></o:p></span></p><p = class=3DMsoNormal><span = style=3D'color:windowtext'><o:p> </o:p></span></p><p = class=3DMsoNormal><span style=3D'color:windowtext'>In most SSO = environments it=E2=80=99s possible that per request/domain/other there = is a transparent validation.<o:p></o:p></span></p><p = class=3DMsoNormal><span = style=3D'color:windowtext'><o:p> </o:p></span></p><p = class=3DMsoNormal><span style=3D'color:windowtext'>In all the above = scenarios which requires authentication the right way to do it would be = to use the proxy as<br>a configured proxy compared to = transparent.<o:p></o:p></span></p><p class=3DMsoNormal><span = style=3D'color:windowtext'>I believe that one thing to consider is that = once you authenticate against a RADIUS service you would = just<br>minimize the user interaction.<o:p></o:p></span></p><p = class=3DMsoNormal><span style=3D'color:windowtext'>The main point from = what I understand is to actually minimize the authentication steps of = the client.<o:p></o:p></span></p><p class=3DMsoNormal><span = style=3D'color:windowtext'><o:p> </o:p></span></p><p = class=3DMsoNormal><span style=3D'color:windowtext'>My suggestion for you = is to first try and asses the complexity of a session helper, raidus and = captive portal.<o:p></o:p></span></p><p class=3DMsoNormal><span = style=3D'color:windowtext'>These are steps that you will need to do in = order to asses the necessity of transparent SSO.<o:p></o:p></span></p><p = class=3DMsoNormal><span = style=3D'color:windowtext'><o:p> </o:p></span></p><p = class=3DMsoNormal><span style=3D'color:windowtext'>Also take your time = to compare how a captive portal is configured in the next general = products:<o:p></o:p></span></p><ul style=3D'margin-top:0in' = type=3Ddisc><li class=3DMsoListParagraph = style=3D'color:windowtext;margin-left:0in;mso-list:l0 level1 lfo1'>Palo = Alto<o:p></o:p></li><li class=3DMsoListParagraph = style=3D'color:windowtext;margin-left:0in;mso-list:l0 level1 = lfo1'>FortiGate<o:p></o:p></li><li class=3DMsoListParagraph = style=3D'color:windowtext;margin-left:0in;mso-list:l0 level1 = lfo1'>Untangle<o:p></o:p></li><li class=3DMsoListParagraph = style=3D'color:windowtext;margin-left:0in;mso-list:l0 level1 = lfo1'>Others<o:p></o:p></li></ul><p class=3DMsoNormal><span = style=3D'color:windowtext'><o:p> </o:p></span></p><p = class=3DMsoNormal><span style=3D'color:windowtext'>From the = documentation you would see the different ways and = =E2=80=9Cgrades=E2=80=9D that they implement the = solutions.<o:p></o:p></span></p><p class=3DMsoNormal><span = style=3D'color:windowtext'>Once you know what the market offers and = their equivalent costs you will probably understand what<br>you want and = what you can afford to invest in the development process of each part of = setup.<o:p></o:p></span></p><p class=3DMsoNormal><span = style=3D'color:windowtext'><o:p> </o:p></span></p><p = class=3DMsoNormal><span style=3D'color:windowtext'>All The = Bests,<o:p></o:p></span></p><p class=3DMsoNormal><span = style=3D'color:windowtext'>Eliezer<o:p></o:p></span></p><p = class=3DMsoNormal><span = style=3D'color:windowtext'><o:p> </o:p></span></p><div><p = class=3DMsoNormal><span = style=3D'color:windowtext'>----<o:p></o:p></span></p><p = class=3DMsoNormal><span style=3D'color:windowtext'>Eliezer = Croitoru<o:p></o:p></span></p><p class=3DMsoNormal><span = style=3D'color:windowtext'>NgTech, Tech Support<o:p></o:p></span></p><p = class=3DMsoNormal><span style=3D'color:windowtext'>Mobile: = +972-5-28704261<o:p></o:p></span></p><p class=3DMsoNormal><span = style=3D'color:windowtext'>Email: <a = href=3D"mailto:ngtech1ltd@xxxxxxxxx";>ngtech1ltd@xxxxxxxxx</a><o:p></o:p><= /span></p></div><p class=3DMsoNormal><span = style=3D'color:windowtext'><o:p> </o:p></span></p><div><div = style=3D'border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in = 0in 0in'><p class=3DMsoNormal><b><span = style=3D'color:windowtext'>From:</span></b><span = style=3D'color:windowtext'> squid-users = <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> <b>On Behalf Of = </b>David Touzeau<br><b>Sent:</b> Friday, February 11, 2022 = 17:03<br><b>To:</b> squid-users@xxxxxxxxxxxxxxxxxxxxx<br><b>Subject:</b> = Re: Squid plugin = sponsor<o:p></o:p></span></p></div></div><p = class=3DMsoNormal><o:p> </o:p></p><p class=3DMsoNormal = style=3D'margin-bottom:12.0pt'><span = style=3D'font-family:"Arial",sans-serif'>Hello<br><br>Thank you but this = is not the objective and this is the reason for needing the = "fake".<br>Access to Kerberos or NTLM ports of the AD, is not = possible. An LDAP server would be present with accounts = replication.<br>The idea is to do a silent authentication without = joining the AD <br>We did not need the double user/password credential, = only the user sent by the browser is required<br><br>If the user has an = Active Directory session then his account is automatically sent without = him having to take any action.<br>If the user is in a workgroup then the = account sent will not be in the LDAP database and will be rejected.<br>I = don't need to argue about the security value of this method. It saves us = from setting up a gas factory to make a kind of = HotSpot</span><o:p></o:p></p><div><p class=3DMsoNormal>Le 11/02/2022 = =C3=A0 05:55, Dieter Bloms a = =C3=A9crit :<o:p></o:p></p></div><blockquote = style=3D'margin-top:5.0pt;margin-bottom:5.0pt'><pre>Hello = David,<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>for me it looks = like you want to use kerberos authentication.<o:p></o:p></pre><pre>With = kerberos authentication the user don't have to authenticate = against<o:p></o:p></pre><pre>the proxy. The authentication is done in = the background.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Mayb = this link will help:<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><a = href=3D"https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos= ">https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos</a><o= :p></o:p></pre><pre><o:p> </o:p></pre><pre>On Thu, Feb 10, David = Touzeau wrote:<o:p></o:p></pre><pre><o:p> </o:p></pre><blockquote = style=3D'margin-top:5.0pt;margin-bottom:5.0pt'><pre>Hi<o:p></o:p></pre><p= re><o:p> </o:p></pre><pre>What we are looking for is to retrieve a = "user" token without having to = ask<o:p></o:p></pre><pre>anything from the = user.<o:p></o:p></pre><pre>That's why we're looking at Active Directory = credentials.<o:p></o:p></pre><pre>Once the user account is retrieved, a = helper would be in charge of checking<o:p></o:p></pre><pre>if the user = exists in the LDAP database.<o:p></o:p></pre><pre>This is to avoid any = connection to an Active Directory<o:p></o:p></pre><pre>Maybe this is = impossible<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </= o:p></pre><pre>Le 10/02/2022 =C3=A0 05:03, Amos Jeffries a = =C3=A9crit :<o:p></o:p></pre><blockquote = style=3D'margin-top:5.0pt;margin-bottom:5.0pt'><pre>On 10/02/22 01:43, = David Touzeau wrote:<o:p></o:p></pre><blockquote = style=3D'margin-top:5.0pt;margin-bottom:5.0pt'><pre>Hi<o:p></o:p></pre><p= re><o:p> </o:p></pre><pre>I would like to sponsor the improvement = of ntlm_fake_auth to support<o:p></o:p></pre><pre>new = protocols<o:p></o:p></pre></blockquote><pre><o:p> </o:p></pre><pre>n= tlm_* helpers are specific to NTLM authentication. All LanManager = (LM)<o:p></o:p></pre><pre>protocols should already be supported as well = as currently possible.<o:p></o:p></pre><pre>NTLM is formally = discontinued by MS and *very* = inefficient.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>NP: NTLMv2 = with encryption does not *work* because that encryption = step<o:p></o:p></pre><pre>requires secret keys the proxy is not able to = know.<o:p></o:p></pre><pre><o:p> </o:p></pre><blockquote = style=3D'margin-top:5.0pt;margin-bottom:5.0pt'><pre>or go further = produce a new = negotiate_kerberos_auth_fake<o:p></o:p></pre><pre><o:p> </o:p></pre>= </blockquote><pre><o:p> </o:p></pre><pre>With current Squid this = helper only needs to produce an "OK" = response<o:p></o:p></pre><pre>regardless of the input. The = basic_auth_fake does = that.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Amos<o:p></o:p></p= re><pre>_______________________________________________<o:p></o:p></pre><= pre>squid-users mailing list<o:p></o:p></pre><pre><a = href=3D"mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx";>squid-users@lists.squid= -cache.org</a><o:p></o:p></pre><pre><a = href=3D"http://lists.squid-cache.org/listinfo/squid-users";>http://lists.s= quid-cache.org/listinfo/squid-users</a><o:p></o:p></pre></blockquote></bl= ockquote><pre><o:p> </o:p></pre><blockquote = style=3D'margin-top:5.0pt;margin-bottom:5.0pt'><pre>_____________________= __________________________<o:p></o:p></pre><pre>squid-users mailing = list<o:p></o:p></pre><pre><a = href=3D"mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx";>squid-users@lists.squid= -cache.org</a><o:p></o:p></pre><pre><a = href=3D"http://lists.squid-cache.org/listinfo/squid-users";>http://lists.s= quid-cache.org/listinfo/squid-users</a><o:p></o:p></pre></blockquote><pre= ><o:p> </o:p></pre><pre><o:p> </o:p></pre></blockquote><p = class=3DMsoNormal><o:p> </o:p></p></div></body></html> ------=_NextPart_000_001B_01D81FE1.FE9FFC70-- --===============2701667059146726329== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users --===============2701667059146726329==--
