Authentication Programs

In version 2.5.STABLE1 and above, Squid has a wealth of new authentication features and options. Webmin has been expanded to account for the changes, and in the change, authentication configuration received its own section (Figure 12-12).

click to expand
Figure 12-12: Authentication Programs

Squid 2.5 and above supports client authentication of three distinct types: Basic, Digest, and NTLM. Older Squids supported only Basic authentication, which is a simple, unencrypted authentication method documented originally. The two new methods, Digest and NTLM, support both plain-text and encrypted authentication mechanisms. Which method to use depends on your client population. Basic authentication works for all browser clients that fully support proxies. Digest authentication is a standard method of authenticating web clients securely, supported by all browsers that are fully HTTP/1.1 compliant (including modern versions of IE, Netscape, and Mozilla). NTLM is a proprietary mechanism developed by Microsoft and currently only supported by Microsoft client software.

Basic and Digest Authentication Options

Basic authentication is the simplest to use, because it is the most widely accessible and the simplest in implementation. Digest authentication is a secure authentication method documented in RFC 2617, providing encrypted authentication of proxy and web server users. The only configuration detail really required is the location of the authentication program and any command-line arguments to pass to the program, though a couple of additional parameters are available.

Basic authentication program, Digest authentication program

This is the only required option, if you wish to use Basic or Digest authentication with Squid. You may specify one of several authentication programs provided with Squid, like ncsa_auth to authenticate against a standalone htpasswd-style password file, pam_auth to authenticate against the local PAM system, or smb_auth to authenticate against a remote or local SMB server. Another, even simpler choice is to use the built-in Webmin authentication module. It is a simple NCSA-style authenticator that ties into the Webmin Squid user and password management tools without any additional configuration. This option correlates to the auth_param basic program directive or auth_param digest program and is disabled by default.

Number of authentication programs

This option correlates to the auth_param basic children or auth_param digest children directive and defaults to 5. If your Squid supports a very large number of users, you may need to raise this to 10 or 20.

Authentication cache time

This is the amount of time that Squid will cache authentication credentials. Squid normally queries the authentication program periodically and stores the result of the test in its own memory so it doesn’t need to query the external authenticator frequently. This improves performance, but if rapidly changing credentials are required, you may wish to lower this value. This option correlates to the auth_param basic credentialsttl.

Authentication realm

When a client browser receives a basic authentication request, it includes a short string identifying the requester of the data. This information will usually be displayed to the user in the popup box where credentials are entered. This option correlates to the auth_param basic realm or auth_param digest realm directive and has no default.

NTLM authentication options

Like Digest authentication, NTLM authentication provides an encrypted connection to a network server. Beware that it is not an HTTP authentication scheme, however. It is a connection authentication scheme that cannot be proxied (though a proxy can use it to authenticate its own clients). NTLM is also less secure than Digest authentication and has a history of vulnerabilities. That said, it is quite popular, because Windows supports a sort of network “single signon”, in which users only need to log on once to the local network, and they can be automatically authenticated to the proxy server using the same credentials.

NTLM authentication program

As in Basic and Digest authentication above, this will contain a path to the authentication program and any command-line arguments. Often the arguments will specify the domain or workgroup and the server to authenticate against. This option correlates to the auth_param ntlm program directive and is disabled by default.

Number of times an NTLM challenge can be re-used

This option configures the number of times that a particular NTLM challenge can be reused. Increasing this number may reduce latency and load on the server slightly, but can also increase the risk of replay attacks (where a challenge response is recorded and played back to imitate the connection of a legitimate user). This option correlates to the auth_param ntlm max_challenge_reuses directive and defaults to 0.

Lifetime of NTLM challenges

This option corresponds to the auth_param ntlm max_challenge_lifetime directive and defaults to 2 minutes. It is used to specify the length of time that a challenge can be reused. If a challenge is newer than this value and the challenge has been reused fewer than the previous value, a challenge will be reused.



The Book of Webmin... or How I Learned to Stop Worrying and Love UNIX
The Book of Webmin: Or How I Learned to Stop Worrying and Love UNIX
ISBN: 1886411921
EAN: 2147483647
Year: 2006
Pages: 142
Authors: Joe Cooper

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net