Markus:
Steffen Dettmer
* Raymond Leach wrote on Mon, Jan 27, 2003 at 16:02 +0200:
> Squid supports authentication via helper programs. I'm sure if you look hard enough on the net you can find one that will do SMB (windows) authentication.
I don't think that this was the question. He said that the authentication works, but the users need to re-enter the password. Well, and maybe the users enter their windows password in the standard proxy authentication window with basic authentication - which is transmitted in clear text - even worse, now there is no need to attack a DC server, a simple traffic logger can retrieve the passwords (you may take a look at http://sws.dett.de/squid-IP_AUTH.shtml for details ;)).

Anyway, I cannot answer the question, but I would recommend not trying it. If a browser could get such important information, browser attacks like XSS and such would become much more efficient (but maybe Windows even supports such insecure doings :)). I would rather look at how this could be prevented, and I suggest not transferring such sensitive information in the clear to the proxy.
oki,
Steffen
On Mon, Jan 27, 2003 at 08:36:12PM -0500, GarUlbricht7@netscape.net wrote:
> * Raymond Leach wrote on Mon, Jan 27, 2003 at 16:02 +0200:
> > Squid supports authentication via helper programs. I'm sure if you look hard enough on the net you can find one that will do SMB (windows) authentication.
> I don't think that this was the question. He said that the authentication works, but the users need to re-enter the password. Well, and maybe the users enter their windows password
Caution, dirty hack ahead. You could use acl ident <something> and either implement and start an identd-like service on each of your win boxes :)

or: with iptables, redirect all ident requests from your proxy to your win boxes to some listening [e.g. quick'n'dirty perl] server on the lo interface of the proxy box. That server would check which client IP corresponds to the ident-request sockets, check which user corresponds to that client IP, and whether she should be granted access. It just fakes some ident reply, which you can match in your acl.

Since afaik ident queries consist of two port numbers only, and you lost the client IP by the redirection, you have to check for any IP connection that matches the local and remote port. You can do so for example with lsof.

no match: something went wrong, or the client closed the connection much faster than expected
more than one match: either choose (insecure), or just ignore and let the client try again.
exactly one match: that has to be the client, look it up in the who-is-who directory ...

I have no idea regarding performance impact or fitness for real life environments, but it seems doable.

Lars
* Lars Ellenberg wrote on Tue, Jan 28, 2003 at 04:17 +0100:
> On Mon, Jan 27, 2003 at 08:36:12PM -0500, GarUlbricht7@netscape.net wrote:
> you could use acl ident <something>
> either implement and start an identd like service on each of your win boxes :)
If you have an ident-style service available, you don't need to wrap it to look really like ident, you can use an authenticate_program that does the job in some way.

I think the key point is to make sure that the computer is used by an authenticated person. This is difficult to understand for unix mailing lists. You must remember that windows is traditionally used by a single person. Usually the situation is that one and the same person is using one and the same PC and IP address. On windows, people get the impression that they log into a computer. Windows caches the passwords automatically; when you open a new windows share, this works without a password. In a multi-user environment someone would call this horrible, yes, it is, in companies sometimes it's problematic, but on a typical windows station it's quite normal.

When we are talking about hacks :) What about using a samba server and making the users automatically lock some file (when logging in, with a profile)? The file lock is done via some share, and windows would log in here automatically when accessed (I think :)). A mapped network drive is sufficient also (after checking a win2k entry :)). So you have the user information on a linux system. Here you can use smbstatus to get the usernames that are authenticated somewhere. Well, if you trust this information, you use it for authenticate_program. For performance, you have to cache of course; squid can be configured to do so.

oki,

Steffen

-- This message was generated by machine and therefore bears neither signature nor seal.
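The smbstatus idea above, worked out as a Squid external ACL helper. This is an added example and not code from any poster in the thread. What is real: Squid's external ACL helper protocol (one request per line on stdin, one "OK" or "ERR" reply per line on stdout, with an optional user= tag on OK) and the %SRC format token that hands the helper the client address. What is assumed: the helper name and path, the squid.conf lines in the docstring, and the layout of the embedded smbstatus listing, which is a constructed sample approximating a Samba 2.x listing (adapt SESSION_RE to whatever your Samba version prints). The helper deliberately answers ERR when more than one SMB user is behind the same address (terminal server, NAT), since picking one would let user A browse as user B, the same ambiguity Lars notes for the ident hack.

```python
"""Squid external ACL helper: map a client IP to its SMB-authenticated user.

Assumed squid.conf (names and path are hypothetical):
  external_acl_type smbuser ttl=60 %SRC /usr/local/bin/smb_ip_auth.py
  acl smbok external smbuser
  http_access allow smbok
"""
import re
import subprocess
import sys
import time

# Constructed sample in the layout of a Samba 2.x "smbstatus" listing.
# Real output differs between Samba versions; adapt SESSION_RE to yours.
SAMPLE_SMBSTATUS = """\
Samba version 2.2.7a
Service      uid      gid      pid     machine
----------------------------------------------
homes        alice    users    1234   ws01     (192.168.1.10) Mon Jan 27 16:02:00 2003
public       alice    users    1234   ws01     (192.168.1.10) Mon Jan 27 16:03:10 2003
homes        bob      users    1301   ws02     (192.168.1.11) Mon Jan 27 16:05:44 2003
homes        carol    users    1388   ts01     (192.168.1.50) Mon Jan 27 16:07:02 2003
homes        dave     users    1390   ts01     (192.168.1.50) Mon Jan 27 16:07:30 2003

No locked files
"""

# service  uid  gid  pid  machine  (ip) ...  -> capture uid and ip
SESSION_RE = re.compile(
    r"^\S+\s+(\S+)\s+\S+\s+\d+\s+\S+\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_smbstatus(text):
    """Return {client_ip: set(usernames)} from smbstatus-style text."""
    sessions = {}
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            user, ip = m.group(1), m.group(2)
            sessions.setdefault(ip, set()).add(user)
    return sessions


def decide(ip, sessions):
    """Build the one-line reply Squid expects.

    Exactly one SMB user behind the address: allow and tell Squid who it is.
    None: deny.  More than one: deny rather than guess.
    """
    users = sessions.get(ip, set())
    if len(users) == 1:
        return "OK user=%s" % next(iter(users))
    return "ERR"


class SessionCache:
    """Re-read smbstatus at most every `ttl` seconds.

    Squid caches the per-IP verdict itself (ttl= in external_acl_type);
    this cache only avoids forking smbstatus once per cache miss.
    """

    def __init__(self, loader, ttl=30.0, clock=time.time):
        self.loader = loader
        self.ttl = ttl
        self.clock = clock
        self.expires = 0.0
        self.sessions = {}

    def get(self):
        now = self.clock()
        if now >= self.expires:
            self.sessions = parse_smbstatus(self.loader())
            self.expires = now + self.ttl
        return self.sessions


def run_smbstatus():
    """Real loader: shell out to smbstatus on the Samba host."""
    return subprocess.run(["smbstatus"], capture_output=True, text=True,
                          check=False).stdout


def serve(lines, cache, out):
    """Helper main loop: one %SRC address per input line, one reply each."""
    for line in lines:
        fields = line.split()
        ip = fields[0] if fields else ""
        out.write(decide(ip, cache.get()) + "\n")
        out.flush()


if __name__ == "__main__":
    # "--sample" replays the constructed listing so the helper can be tried
    # by hand: echo 192.168.1.10 | python3 smb_ip_auth.py --sample
    loader = (lambda: SAMPLE_SMBSTATUS) if "--sample" in sys.argv else run_smbstatus
    serve(sys.stdin, SessionCache(loader), sys.stdout)
```

Note that this inherits every caveat Steffen raises: it only proves that somebody authenticated to the Samba share from that address, so anything that lets a second user share the address (terminal servers, NAT, a spoofed source address on a flat LAN) defeats it. The helper refuses the ambiguous case but cannot detect the spoofed one.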