This is a discussion on Squid authentication within the Linux Networking forums, part of the Linux Forums category.
Hello Guys,

I am user of Squid2.2 and I have setup it to work with ncsa authentication schema. Now I would like to change it, I don't want the user type a login and password to access the internet, I want to validate the user through the login that he or she is using on the Windows and Unix systems. At my Company we have a mixed environment with UNIX-Solaris and PC-W2k systems.

I don't want the user spend his or her time trying to store another login/password.

I was trying to setup the acl ident in squid, but I was not successful.

Please, can anyone give me any idea to setup it?

Best Regards

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

In comp.os.linux.networking Fabricio Greco <fabricio.greco@edag.com.br> suggested:
> Hello Guys,
> I am user of Squid2.2 and I have setup it to work with ncsa
> authentication schema. Now I would like to change it, I don't want the
> user type a login and password to access the internet, I want to
> validate the user through the login that he or she is using on the
> Windows and Unix systems. At my Company we have a mixed environment
> with UNIX-Solaris and PC-W2k systems.
> I don't want the user spend his or her time trying to store another
> login/password.

Sounds like FAQ, "23.5 How do I use the Winbind authenticators?"

http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5

--
Michael Heiming (GPG-Key ID: 0xEDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFA6zGRAkPEju3Se5QRAqLUAJ0RZWqH97OTZaBXF9CKCI EWGoO9hACgzt5m
gZLivWILKPPqG0tfHmAINgI=
=sizG
-----END PGP SIGNATURE-----

On Tue, 6 Jul 2004 23:11:15 -0000, Michael Heiming <michael+USENET@www.heiming.de> wrote:
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> NotDashEscaped: You need GnuPG to verify this message
>

Interesting.

Perhaps one in ten thousand people on the Usenet have GnuPG installed and configured and know how to use it.

Why is it so important to you that this minuscule minority be able to tell whether a post came from you or from someone forging your name?

(A troll could easily forge your PGP sig sufficiently well to fool anyone without the program installed, after all...)

Doesn't this tiny group of people that you are so concerned about know how to read news headers?

Surely people don't forge your name often enough for that to become bothersome? I haven't seen anyone do it in months, and that was just a stupid troll whose forgeries were quite obvious from their comical content. No one thought they came from you.

Before that, zip.

<snip>

Signed: (a mystified) AC

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What is that annoying noise? How did that gnat get in here?
Let me find my flyswatter....

- --
Lew Pitcher
Master Codewright & JOAT-in-training | GPG public key available on request
Registered Linux User #112576 (http://counter.li.org/)
Slackware - Because I know what I'm doing.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFA61rdagVFX4UWr64RAoEdAKDX7EsgnyWJvLDmZV2T33 2S0fqk4gCffECq
vgwRObp076hXTi4+phRXUa0=
=pBUw
-----END PGP SIGNATURE-----

On Tue, 06 Jul 2004 22:07:25 -0400, Lew Pitcher <lpitcher@sympatico.ca> wrote:
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> What is that annoying noise? How did that gnat get in here?
> Let me find my flyswatter....
>

Another one of the very, very few other people that use PGP sigs on the Usenet.

You don't need to worry about finding a flyswatter. You need to worry about where your BRAINS are.

I mean, you apparently think we are impressed by your ability to clutter up your posts with what is essentially gibberish to 99.99% of people on the Usenet.

Wow Lew! Can you actually install a computer program? Why don't you tell all of us peasants how that's done?

------------

Is this really YOU, or is it a troll? How could anyone tell? 99.99% of us don't have the software. (because it's stupid. I could install it in about 2 minutes if there was any point in it)

Any troll could forge your PGP sig well enough to fool us.

So what's the point?

Just wanna be COOL huh? Set yourself apart from those of us who respect the Usenet enough not to clutter our posts with pointless crap?

signed: (a still mystified) AC

Alan Connor wrote:
> On Tue, 06 Jul 2004 22:07:25 -0400, Lew Pitcher <lpitcher@sympatico.ca> wrote:
>
>[snip]
>
> Any troll could forge your PGP sig well enough to fool us.
>
> So what's the point?
>

There is lots of point in using PGP (or GNU versions) for all sorts of reasons. It can be used to sign binding contracts within the EU. It can be useful for tracing email and for identifying sources. And here on Usenet... ok, you got me there. Why would anyone want to use it here?

Michael Heiming <michael+USENET@www.heiming.de> wrote in message news:<j5orr1-c5v.ln1@news.heiming.de>...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> NotDashEscaped: You need GnuPG to verify this message
>
> In comp.os.linux.networking Fabricio Greco <fabricio.greco@edag.com.br> suggested:
> > Hello Guys,
> > I am user of Squid2.2 and I have setup it to work with ncsa
> > authentication schema. Now I would like to change it, I don't want the
> > user type a login and password to access the internet, I want to
> > validate the user through the login that he or she is using on the
> > Windows and Unix systems. At my Company we have a mixed environment
> > with UNIX-Solaris and PC-W2k systems.
> > I don't want the user spend his or her time trying to store another
> > login/password.
>
> Sounds like FAQ, "23.5 How do I use the Winbind authenticators?"
>
> http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5
>
> --
> Michael Heiming (GPG-Key ID: 0xEDD27B94)
> mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
>
> iD8DBQFA6zGRAkPEju3Se5QRAqLUAJ0RZWqH97OTZaBXF9CKCI EWGoO9hACgzt5m
> gZLivWILKPPqG0tfHmAINgI=
> =sizG
> -----END PGP SIGNATURE-----

Michael,

In this case I need an authentication schema. What I want is that squid discovery the users who is logged in the PC or UNIX and give permissions to him to access the internet. I am not sure if identd daemon works fine for windows and unix. So, in this case, it is not necessary to check passwords.

Regards

["Followup-To:" header set to alt.os.linux.]
* Mark Preston wrote in alt.os.linux:
> Alan Connor wrote:
>> On Tue, 06 Jul 2004 22:07:25 -0400, Lew Pitcher <lpitcher@sympatico.ca> wrote:
>>[snip]
>> Any troll could forge your PGP sig well enough to fool us.
>> So what's the point?
> There is lots of point in using PGP (or GNU versions) for all sorts of
> reasons. It can be used to sign binding contracts within the EU. It can
> be useful for tracing email and for identifying sources. And here on
> Usenet... ok, you got me there. Why would anyone want to use it here?

Please, don't get him started. Add him to your killfile now, you won't be sorry. If he is too stupid to make slrn hide the PGP stuff as to not 'annoy' him then he deserves to be annoyed.

--
David | AGM Favorites - http://tinyurl.com/loec
Meekness: Uncommon patience in planning a revenge that is worth while.
-- Ambrose Bierce

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

In comp.os.linux.networking Fabricio Greco <fabricio.greco@edag.com.br> suggested:
> Michael Heiming <michael+USENET@www.heiming.de> wrote in message news:<j5orr1-c5v.ln1@news.heiming.de>...
>> In comp.os.linux.networking Fabricio Greco <fabricio.greco@edag.com.br> suggested:
[..]
>> > I am user of Squid2.2 and I have setup it to work with ncsa
>> > authentication schema. Now I would like to change it, I don't want the
>> > user type a login and password to access the internet, I want to
>> > validate the user through the login that he or she is using on the
>> > Windows and Unix systems. At my Company we have a mixed environment
>> > with UNIX-Solaris and PC-W2k systems.
[..]
>> Sounds like FAQ, "23.5 How do I use the Winbind authenticators?"
>>
>> http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5
[..]

> In this case I need an authentication schema. What I want is that
> squid discovery the users who is logged in the PC or UNIX and give
> permissions to him to access the internet. I am not sure if identd
> daemon works fine for windows and unix. So, in this case, it is not
> necessary to check passwords.

It shouldn't once the user has authenticated against a PDC or alike. Unsure what you really want or if you understand the given URL?

--
Michael Heiming (GPG-Key ID: 0xEDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFA7AdQAkPEju3Se5QRAqz0AJ9tEkNOL2qmigvVZPuxny zZawD5ZwCfQofw
fvcT15O8ZlJt9Cq/Th7eXJI=
=SUCU
-----END PGP SIGNATURE-----

On 6 Jul 2004 12:13:58 -0700, Fabricio Greco <fabricio.greco@edag.com.br> wrote:
> Hello Guys,
> I am user of Squid2.2 and I have setup it to work with ncsa
> authentication schema. Now I would like to change it, I don't want the
> user type a login and password to access the internet, I want to
> validate the user through the login that he or she is using on the
> Windows and Unix systems. At my Company we have a mixed environment
> with UNIX-Solaris and PC-W2k systems.
> I don't want the user spend his or her time trying to store another
> login/password.
> I was trying to setup the acl ident in squid , but I was not
> successful.
> Please, can anyone give me any idea to setup it?

We use a Python script that queries our IMAP server to get its authentication info. Works great for us. Here are the entries in our squid.conf for authentication:

===
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic program /usr/local/bin/squidauth.py
===

And here's the script we use:

===
#!/usr/bin/env python
from imaplib import IMAP4
import sys

#IMAP server against which we authenticate
server="imap.cs.earlham.edu"
#Port number for IMAP server. Usually 143
port=143

#Below here you shouldn't need to edit anything
while 1:
    #Read user and password from stdin
    line=sys.stdin.readline()
    #An empty read means Squid closed the pipe: exit instead of looping forever
    if not line:
        break
    #Remove the newline, split at the first space
    #and assign to the user and password variables
    try:
        [user,password]=line.rstrip('\n').split(' ',1)
    except ValueError:
        #Request line without a space: deny and keep serving
        sys.stdout.write("ERR\n")
        sys.stdout.flush()
        continue
    #Try to authenticate. If it doesn't work, it throws an exception
    try:
        #Connect to the IMAP server (inside the try, so an unreachable
        #server denies the request instead of killing the helper)
        p=IMAP4(server,port)
        p.login(user,password)
    except Exception:
        #If it threw an exception, log in cache.log the auth booboo
        sys.stderr.write("ERR authenticating %s\n"%user)
        #Then deny access
        sys.stdout.write("ERR\n")
        #IMPORTANT!!!!!!!!!!!! Flush stdout
        sys.stdout.flush()
        continue
    #If it didn't throw exceptions, that means it authenticated
    #Log success to cache.log
    sys.stderr.write("OK authenticated %s\n"%user)
    #Then allow access
    sys.stdout.write("OK\n")
    sys.stdout.flush()
===

You'll just have to change the IMAP server to your own IMAP server, and you're good to go.

--
-- Skylar Thompson (skylar@cs.earlham.edu)
-- http://www.cs.earlham.edu/~skylar/
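
A hardened variant of the kind of basic-auth helper shown in the last post, added here as an example and not code from the thread or from Squid: it URL-decodes the two fields (Squid escapes them on the helper's stdin), logs in over IMAP with certificate-verified TLS instead of cleartext port 143, and strips control characters from the username before it reaches cache.log. The host `imap.example.org`, port 993 and all function names are assumptions.

```python
#!/usr/bin/env python3
# Added example (not from the thread): Squid basic-auth helper with
# field decoding, verified TLS to the IMAP server, and safe logging.
import imaplib
import ssl
import sys
from urllib.parse import unquote

def parse_request(line):
    """Return (user, password) from one 'user password' request line, or None."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return None
    # Squid URL-escapes both fields, so a space in a password arrives as %20.
    return unquote(parts[0]), unquote(parts[1])

def safe_for_log(value):
    """Replace control characters so a decoded username cannot forge log lines."""
    return "".join(c if c.isprintable() else "?" for c in value)[:64]

def imap_tls_check(host, port=993):
    """Build a verifier that attempts an IMAP login over verified TLS."""
    # An explicit default context checks the server certificate and hostname.
    context = ssl.create_default_context()
    def check(user, password):
        conn = None
        try:
            conn = imaplib.IMAP4_SSL(host, port, ssl_context=context)
            conn.login(user, password)
            return True
        except (OSError, UnicodeError, imaplib.IMAP4.error):
            return False  # unreachable, TLS failure or bad credentials: deny
        finally:
            if conn is not None:
                conn.shutdown()
    return check

def serve(lines, check, out=sys.stdout, log=sys.stderr):
    """Answer every request line with OK or ERR, flushing after each reply."""
    for line in lines:
        creds = parse_request(line)
        ok = creds is not None and check(*creds)
        if creds is not None:
            log.write("%s %s\n" % ("OK" if ok else "ERR", safe_for_log(creds[0])))
        out.write("OK\n" if ok else "ERR\n")
        out.flush()

if __name__ == "__main__":
    # imap.example.org is a placeholder host, not a value from the thread.
    serve(sys.stdin, imap_tls_check("imap.example.org"))
```

The loop ends when Squid closes the helper's stdin, and the password is never written to the log.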