File: FAQ-23.html

package info (click to toggle)
squid 2.6.5-6etch5
links: PTS
area: main
in suites: etch
size: 12,540 kB
ctags: 13,801
sloc: ansic: 105,278; sh: 6,083; makefile: 1,297; perl: 1,245; awk: 40
file content (513 lines) | stat: -rw-r--r-- 21,210 bytes
parent folder | download | duplicates (2)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.21">
 <TITLE>SQUID Frequently Asked Questions: Authentication</TITLE>
 <LINK HREF="FAQ-24.html" REL=next>
 <LINK HREF="FAQ-22.html" REL=previous>
 <LINK HREF="FAQ.html#toc23" REL=contents>
</HEAD>
<BODY>
<A HREF="FAQ-24.html">Next</A>
<A HREF="FAQ-22.html">Previous</A>
<A HREF="FAQ.html#toc23">Contents</A>
<HR>
<H2><A NAME="s23">23.</A> <A HREF="FAQ.html#toc23">Authentication</A></H2>

<H2><A NAME="ss23.1">23.1</A> <A HREF="FAQ.html#toc23.1">How does Proxy Authentication work in Squid?</A>
</H2>

<P><EM>Note: The information here is current for version 2.5.</EM></P>
<P>Users will be authenticated if squid is configured to use <EM>proxy_auth</EM>
ACLs (see next question).</P>
<P>Browsers send the user's authentication credentials in the
<EM>Authorization</EM> request header.</P>
<P>If Squid gets a request and the <EM>http_access</EM> rule list
gets to a <EM>proxy_auth</EM> ACL, Squid looks for the <EM>Authorization</EM>
header.  If the header is present, Squid decodes it and extracts
a username and password.</P>
<P>If the header is missing, Squid returns
an HTTP reply with status 407 (Proxy Authentication Required).
The user agent (browser) receives the 407 reply and then prompts
the user to enter a name and password.  The name and password are
encoded, and sent in the <EM>Authorization</EM> header for subsequent
requests to the proxy.</P>

<P><EM>NOTE</EM>: The name and password are encoded using ``base64''
(See section 11.1 of 
<A HREF="ftp://ftp.isi.edu/in-notes/rfc2616.txt">RFC 2616</A>).  However, base64 is a binary-to-text encoding only,
it does NOT encrypt the information it encodes.  This means that
the username and password are essentially ``cleartext'' between
the browser and the proxy.  Therefore, you probably should not use
the same username and password that you would use for your account login.</P>

<P>Authentication is actually performed outside of main Squid process.
When Squid starts, it spawns a number of authentication subprocesses.
These processes read usernames and passwords on stdin, and reply
with "OK" or "ERR" on stdout.  This technique allows you to use
a number of different authentication schemes, although currently
you can only use one scheme at a time.</P>
<P>The Squid source code comes with a few authentcation processes
for Basic authentication.
These include:
<UL>
<LI>LDAP: Uses the Lightweight Directory Access Protocol</LI>
<LI>NCSA: Uses an NCSA-style username and password file.</LI>
<LI>MSNT: Uses a Windows NT authentication domain.</LI>
<LI>PAM: Uses the Linux Pluggable Authentication Modules scheme.</LI>
<LI>SMB: Uses a SMB server like Windows NT or Samba. </LI>
<LI>getpwam: Uses the old-fashioned Unix password file.</LI>
<LI>sasl: Uses SALS libraries.</LI>
<LI>winbind: Uses Samba authenticate in a Windows NT domain</LI>
</UL>
</P>

<P>In addition Squid also supports the NTLM and Digest authentication schemes which
both provide more secure authentication methods where the password is not
exchanged in plain text. Each scheme have their own set of helpers and auth_param
settings. You can not mix helpers between the different authentication schemes.
For information on how to set up NTLM authentication see 
<A HREF="#winbind">winbind</A>
.</P>

<P>In order to authenticate users, you need to compile and install
one of the supplied authentication modules found in the
<EM>helpers/basic_auth/</EM> directory, one of
<A HREF="http://www.squid-cache.org/related-software.html#auth">the others</A>,
or supply your own.</P>

<P>You tell Squid which authentication program to use with the
<EM>auth_param</EM> option in squid.conf.  You specify 
the name of the program, plus any command line options if
necessary.  For example:
<PRE>
auth_param basic program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd
</PRE>
</P>



<H2><A NAME="ss23.2">23.2</A> <A HREF="FAQ.html#toc23.2">How do I use authentication in access controls?</A>
</H2>

<P>Make sure that your authentication program is installed
and working correctly.  You can test it by hand.</P>
<P>Add some <EM>proxy_auth</EM> ACL entries to your squid configuration.
For example:
<PRE>
acl foo proxy_auth REQUIRED
acl all src 0/0
http_access allow foo
http_access deny all
</PRE>

The REQURIED term means that any authenticated user will match the
ACL named <EM>foo</EM>.</P>
<P>Squid allows you to provide fine-grained controls
by specifying individual user names.  For example:
<PRE>
acl foo proxy_auth REQUIRED
acl bar proxy_auth lisa sarah frank joe
acl daytime time 08:00-17:00
acl all src 0/0
http_access allow bar
http_access allow foo daytime
http_access deny all
</PRE>

In this example, users named lisa, sarah, joe, and frank
are allowed to use the proxy at all times.  Other users
are allowed only during daytime hours.</P>

<H2><A NAME="ss23.3">23.3</A> <A HREF="FAQ.html#toc23.3">Does Squid cache authentication lookups?</A>
</H2>

<P>Yes.  Successful authentication lookups are cached for
one hour by default.  That means (in the worst case) its possible
for someone to keep using your cache up to an hour after he
has been removed from the authentication database.</P>
<P>You can control the expiration
time with the <EM>auth_param</EM> option.</P>

<P>Note: This has nothing to do with how often the user needs to re-authenticate
himself. It is the browser who maintains the session, and re-authentication
is a business between the user and his browser, not the browser and Squid.
The browser authenticates on behalf of the user on every request sent to Squid.
What this parameter controls is only how often Squid will ask the defined helper
if the password is still valid.</P>

<H2><A NAME="ss23.4">23.4</A> <A HREF="FAQ.html#toc23.4">Are passwords stored in clear text or encrypted?</A>
</H2>

<P>Squid stores cleartext passwords in itsmemory cache.</P>
<P>Squid writes cleartext usernames and passwords when talking to
the external authentication processes.  Note, however, that this 
interprocess communication occurs over TCP connections bound to
the loopback interface or private UNIX pipes.  Thus, its not possible
for processes on other computers or local users without root privileges
to "snoop" on the authentication traffic.</P>

<P>Each authentication program must select its own scheme for persistent
storage of passwords and usernames.</P>


<H2><A NAME="winbind"></A> <A NAME="ss23.5">23.5</A> <A HREF="FAQ.html#toc23.5">How do I use the Winbind authenticators?</A>
</H2>

<P>by
<A HREF="mailto: jmurdock at itraktech dot com">Jerry Murdock</A></P>

<P>Winbind is a recent addition to Samba providing some impressive 
capabilities for NT based user accounts.  From Squid's perspective winbind provides a 
robust and efficient engine for both basic and NTLM challenge/response authentication
against an NT domain controller.</P>
<P>The winbind authenticators have been used successfully under Linux, FreeBSD, Solaris and Tru64.</P>


<H3>Supported Samba Releases</H3>

<P>Samba-3.X is supported natively using the ntlm_auth helper shipped as part of Samba.
No Squid specific winbind helpers need to be compiled (and even if compiled they won't
work with Samba-3.X). Starting from Squid-2.5.STABLE5, NTLM NEGOTIATE packets are supported.
This feature, in conjunction with a NTLM NEGOTIATE capable helper like ntlm_auth, allow the
usage of NTLMv2 client autentication. At least Samba version 3.0.2 is needed for a working 
NTLM NEGOTIATE packet support, but Samba 3.0.21b or later is needed for full NTLMv2 support.</P>

<P>Samba-2.2.X is supported using the winbind helpers shipped with Squid, and uses an
internal Samba interface to communicate with the winbindd daemon. It is therefore sensitive
to any changes the Samba team may make to the interface.</P>
<P>NOTE: Samba 2.2.X reached its End-Of-Life on October 1, 2004.</P>

<P>The winbind helpers shipped with Squid-2.5.STABLE2 supports Samba-2.2.6 to Samba-2.2.7a
and hopefully later Samba-2.X versions. To use Squid-2.5.STABLE2 with Samba versions 2.2.5
or ealier the new --with-samba-sources=... configure option is required.
This may also be the case with Samba-2.2.X versions later than 2.2.7a or
if you have applied any winbind related patches to your Samba tree.</P>

<P>Squid-2.5.STABLE1 supported Samba 2.2.4 or 2.2.5 only. Use of
Squid-2.5.STABLE2 or later recommended with current Samba-2.X releases.</P>

<P>For Samba-3.X the winbind helpers shipped with Squid should not be used (and won't work
if your attempt to do so), instead the ntlm_auth helper shipped as part of the Samba-3
distribution should be used. This helper supports all versions of Squid and both the ntlm and
basic authentication schemes. For details on how to use this Samba helper see the Samba
documentation. For group membership lookups the wbinfo_group helper shipped
with Squid can be used (this is just a wrapper around the samba wbinfo program and works with
all versions of Samba)</P>

<H3>Configure Samba</H3>

<P>For full details on how to configure Samba and joining a domain please see the Samba
documentation. The Samba team has quite extensive documentation both on how to join
a NT domain and how to join a Active Directory tree.</P>

<P><B>Build/Install Samba-3.X</B></P>
<P>Samba must be built with these configure options:
<PRE>
        --with-winbind
</PRE>
</P>
<P>Then follow the Samba installation instructions. But please note that neither nsswitch
or the pam modules needs to be installed for Squid to function, these are only needed
if you want your OS to integrate with the domain for UNIX accounts.</P>
<P><B>Build/Install Samba-2.2.X</B></P>
<P>Samba must be built with these configure options:
<PRE>
        --with-winbind
        --with-winbind-auth-challenge
</PRE>
</P>
<P>Optionally, if building Samba 2.2.5, apply the
<A HREF="http://www.squid-cache.org/mail-archive/squid-dev/200207/att-0117/01-smbpasswd.diff">smbpasswd.diff</A>
patch.  See 
<A HREF="#WinbindTrustAccounts">SMBD and Machine Trust Accounts</A> below to
determine if the patch is worthwhile.</P>
<P><B>Test Samba's winbindd</B>
<OL>
<LI>Edit smb.conf for winbindd functionality.  The following entries in 
the [global] section of smb.conf may be used as a template.
<PRE>
workgroup = mydomain
password server = myPDC
security = domain
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes 
</PRE>
</LI>
<LI>Join the NT domain as outlined in the winbindd man page for your 
version of samba. </LI>
<LI>Start nmbd (required to insure proper operation).</LI>
<LI>Start winbindd.</LI>
<LI>Test basic winbindd functionality "wbinfo -t":
<PRE>
# wbinfo -t
Secret is good
</PRE>
</LI>
<LI>Test winbindd user authentication:
<PRE>
# wbinfo -a mydomain\\myuser%mypasswd
plaintext password authentication succeeded
error code was NT_STATUS_OK (0x0)
challenge/response password authentication succeeded
error code was NT_STATUS_OK (0x0)
</PRE>

<EM>NOTE</EM>: both plaintext and challenge/response should return
"succeeded." If there is no "challenge/response" status returned then Samba 
was not built with "--with-winbind-auth-challenge" and cannot support ntlm
authentication.</LI>
</OL>
</P>
<P><B>SMBD and Machine Trust Accounts</B>
<A NAME="WinbindTrustAccounts"></A> </P>

<P><B>Samba 3.x</B></P>
<P>The Samba team has incorporated functionality to change the machine 
trust account password in the new "net" command.  A simple daily cron
job scheduling "<CODE>net rpc changetrustpw</CODE>" is all that is needed,
if anything at all.</P>

<P><B>Samba 2.2.x</B></P>
<P>Samba's smbd daemon, while not strictly required by winbindd may be needed
to manage the machine's trust account.</P>
<P>Well behaved domain members change the account password on a regular
basis.  Windows and Samba servers default to changing this password
every seven days.  </P>
<P>The Samba component responsible for managing the trust account password
is smbd. Smbd needs to receive requests to trigger the password change.
If the machine will be used for file and print services, then just
running smbd to serve routine requests should keep everything happy.  </P>
<P>However, in cases where Squid's winbind helpers are the only reason
Samba components are running, smbd may sit idle.  Indeed, there may be
no other reason to run smbd at all. </P>
<P>There are two sample options to change the trust account. Either may be scheduled daily via a cron job to
change the trust password.</P>
<P>
<A HREF="http://www.squid-cache.org/mail-archive/squid-dev/200207/att-0076/02-UglySolution.pl">UglySolution.pl</A>
is a sample perl script to load smbd, connect to
a Samba share using smbclient, and generate enough dummy activity to
trigger smbd's machine trust account password change code.  </P>
<P>
<A HREF="http://www.squid-cache.org/mail-archive/squid-dev/200207/att-0117/01-smbpasswd.diff">smbpasswd.diff</A>
is a patch to Samba 2.2.5's smbpasswd utility to allow
changing the machine account password at will.  It is a minimal patch
simply exposing a command line interface to an existing Samba function.</P>
<P><B>Note: This patch has been included in Samba as of 2.2.6pre2.</B> </P>

<P>Once patched, the smbpasswd syntax to change the password is:
<PRE>
        smbpasswd -t DOMAIN -r PDC
</PRE>
</P>
<P><B>winbind privileged pipe permissions (Samba-3.X)</B></P>

<P>ntlm_auth requires access to the privileged winbind pipe in order
to function properly. You enable this access by changing group
of the winbind_privileged directory to the group you run Squid as
(cache_effective_group setting in squid.conf).</P>
<P>chgrp squid /path/to/winbind_privileged</P>

<H3>Configure Squid</H3>


<P><B>Build/Install Squid</B></P>
<P><B>Samba-3.X</B></P>

<P>As Samba-3.x has it's own authentication helper there is no need to build
any of the Squid authentication helpers for use with Samba-3.x (and the helpers
provided by Squid won't work if you do). You do however need to enable support
for the ntlm scheme if you plan on using this. Also
you may want to use the wbinfo_group helper for group lookups</P>
<P>
<PRE>
        --enable-auth="ntlm,basic"
        --enable-external-acl-helpers="wbinfo_group"
</PRE>
</P>

<P><B>Samba-2.X</B>&lt;</P>

<P>Squid must be built with the configure options:
<PRE>
        --enable-auth="ntlm,basic"
        --enable-basic-auth-helpers="winbind"
        --enable-ntlm-auth-helpers="winbind"
        --enable-external-acl-helpers="wb_group"
</PRE>
</P>
<P><B>Test Squid without auth</B></P>
<P>Before going further, test basic Squid functionality.  Make sure squid 
is functioning without requiring authorization.</P>

<P><B>Test the Samba-3.x helper</B></P>
<P>Testing the winbind ntlm helper is not really possible from the command
line, but the winbind basic authenticator can be tested like any other
basic helper. Make sure to run the test as your cache_effective_user</P>
<P>
<PRE>
        # /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
        mydomain+myuser mypasswd                   
        OK
</PRE>

The helper should return "OK" if given a valid username/password.
+ is the domain separator set in your smb.conf</P>

<P><B>Test the Samba-2.2.X helper</B></P>
<P>Testing the winbind ntlm helper is not really possible from the command
line, but the winbind basic authenticator can be tested like any other
basic helper:</P>
<P>
<PRE>
        # /usr/local/squid/libexec/wb_auth -d
        /wb_auth[65180](wb_basic_auth.c:136): basic winbindd auth helper ...
        mydomain\myuser mypasswd                   
        /wb_auth[65180](wb_basic_auth.c:107): Got 'mydomain\myuser mypasswd' from squid (length: 24).
        /wb_auth[65180](wb_basic_auth.c:54): winbindd result: 0
        /wb_auth[65180](wb_basic_auth.c:57): sending 'OK' to squid
        OK
</PRE>

The helper should return "OK" if given a valid username/password.</P>

<P><B>Edit squid.conf</B></P>
<P>
<UL>
<LI>Setup the authenticators. (Samba-3.X)
<P>Add the following to enable both the winbind basic and ntlm 
authenticators. IE will use ntlm and everything else basic:
<PRE>
        auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
        auth_param ntlm children 30
        auth_param ntlm max_challenge_reuses 0
        auth_param ntlm max_challenge_lifetime 2 minutes
        # ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
        auth_param ntlm use_ntlm_negotiate on

        auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
        auth_param basic children 5
        auth_param basic realm Squid proxy-caching web server
        auth_param basic credentialsttl 2 hours
</PRE>
</P>

<P>Note: If your Samba was installed as a binary package ntlm_auth is probably installed
as /usr/bin/ntlm_auth, not /usr/local/bin/ntlm_auth. Adjust the paths above accordingly.</P>

</LI>
<LI>Setup the authenticators. (Samba-2.2.X)
<P>Add the following to enable both the winbind basic and ntlm 
authenticators. IE will use ntlm and everything else basic:
<PRE>
        auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth         
        auth_param ntlm children 5
        auth_param ntlm max_challenge_reuses 0
        auth_param ntlm max_challenge_lifetime 2 minutes
        # Samba 2 helpers doesn't support NTLM NEGOTIATE packet
        auth_param ntlm use_ntlm_negotiate off

        auth_param basic program /usr/local/squid/libexec/wb_auth
        auth_param basic children 5
        auth_param basic realm Squid proxy-caching web server
        auth_param basic credentialsttl 2 hours
</PRE>
</P>

<P>Note: For Samba-3.X the Samba ntlm_auth helper is used instead of
the wb_ntlmauth and wb_auth helpers above. This helper supports all
Squid versions and both ntlm and basic schemes via the --helper-protocol=
option. See the Samba documentation for details.</P>
</LI>
<LI>Add acl entries to require authentication:
<PRE>
        acl AuthorizedUsers proxy_auth REQUIRED
        ..
        http_access allow all AuthorizedUsers
</PRE>
</LI>
</UL>
</P>

<P><B>Test Squid with auth</B>
<UL>
<LI>Internet Explorer, Mozilla, FireFox:
<P>Test browsing through squid with a NTLM capable browser. If logged into the domain,
a password prompt should NOT pop up. </P>
<P>Confirm the traffic really is being authorized by tailing access.log.
The domain\username should be present.</P>
</LI>
<LI>Netscape, Mozilla ( &lt; 1.4), Opera...:
<P>Test with a NTLM non-capable browser. A standard password dialog should appear.</P>
<P>Entering the domain should not be required if the user is in the 
default domain and "winbind use default domain = yes" is set in 
smb.conf.  Otherwise, the username must be entered in "domain+username" format.
(where + is the domain separator set in smb.conf)</P>
</LI>
</UL>
</P>
<P>If no usernames appear in access.log and/or no password dialogs appear
in either browser, then the acl/http_access portions of squid.conf are
not correct. </P>
<P>Note that when using NTLM authentication, you will see two 
"TCP_DENIED/407" entries in access.log for every request. This
is due to the challenge-response process of NTLM.</P>
<P><B>References</B></P>
<P>
<A HREF="http://samba.org/samba/docs/man/Samba3-HOWTO/winbind.html">Winbind: Use of Domain Accounts</A></P>
<P>
<A HREF="http://samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html">Domain Membership</A></P>
<P>
<A HREF="http://samba.org/samba/docs/man/manpages-3/winbindd.8.html">winbindd man page</A></P>
<P>
<A HREF="http://samba.org/samba/docs/man/manpages-3/wbinfo.1.html">wbinfo man page</A></P>
<P>
<A HREF="http://samba.org/samba/docs/man/manpages-3/nmbd.8.html">nmbd man page</A></P>
<P>
<A HREF="http://samba.org/samba/docs/man/manpages-3/smbd.8.html">smbd man page</A></P>
<P>
<A HREF="http://samba.org/samba/docs/man/manpages-3/smb.conf.5.html">smb.conf man page</A></P>
<P>
<A HREF="http://samba.org/samba/docs/man/manpages-3/smbclient.1.html">smbclient man page</A></P>
<P>
<A HREF="http://samba.org/samba/docs/man/manpages-3/ntlm_auth.1.html">ntlm_auth man page</A></P>

<H2><A NAME="ss23.6">23.6</A> <A HREF="FAQ.html#toc23.6">Authentication in accelerator mode</A>
</H2>

<P>Authentication is by default disabled in acceleartor mode in Squid-2.X due to
conflicts with transparent interception. To enable this feature,
at the top of acl.c add the following line:</P>
<P>
<HR>
<PRE>
#define AUTH_ON_ACCELERATION 1
</PRE>
<HR>
</P>

<P>Then "make install".</P>

<P>This feature is somewhat hidden because
<UL>
<LI>It hasn't been fully thought over yet. There are issues in caching
when combined with authentication, and more so when there is also
authentication to the backend servers..</LI>
<LI>It easilly collides with transparent proxying, and many people
simply refuses to read warnings that a feature cannot be used in a
transparent proxy and try so anyhow.</LI>
</UL>
</P>

<P>The whole concept of "acceleration" in Squid is currently being reworked
for the Squid-3.0 release to fix this and a number of other issues.</P>



<HR>
<A HREF="FAQ-24.html">Next</A>
<A HREF="FAQ-22.html">Previous</A>
<A HREF="FAQ.html#toc23">Contents</A>
</BODY>
</HTML>