Hello List,

Sorry for the German mail before - I forgot this is an English list.

I am running Squid 2.4 with ldap_group_auth in a Windows Active Directory network. It works fine: clients that are in the WWW_Users group can access the proxy, others can't. What we don't like is: every user has to authenticate himself actively before accessing the proxy with login/password in a small authentication window. Can't Squid use the authentication data that Windows provides? Because the user is already logged in in the network, and even windoze sends login/password data, or doesn't it?

Thanks!
Markus
--
Best regards,
Markus Feilner
May you always grok in fullness!
Please note our new e-mail address!
Feilner IT Linux & GIS, Erlangerstr. 2, 93059 Regensburg
phone: +49 941 70 65 23 - mobile: +49 170 302 709 2
web: http://feilner-it.net mail: mfeilner@feilner-it.net
Markus Feilner wrote:
Can't Squid use the authentication data that Windows provides? Because the user is already logged in in the network, and even windoze sends login/password data, or doesn't it?
No, it doesn't. AFAIK Windows sends an authentication hash, which you can verify against your Domain Controller, but never sends username/password pairs. The hash is equivalent security-wise. I've seen an auth module for Squid which authenticates against DCs. It came with the source tarball and I've dug up this web page: http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5

Peter
Don't confuse M$ networking with TCP/IP ... they're not the same ... Squid supports authentication via helper programs. I'm sure if you look hard enough on the net you can find one that will do SMB (Windows) authentication.

On Mon, 2003-01-27 at 15:27, Peter Wiersig wrote:
Markus Feilner wrote:
Can't Squid use the authentication data that Windows provides? Because the user is already logged in in the network, and even windoze sends login/password data, or doesn't it?
No, it doesn't. AFAIK Windows sends an authentication hash, which you can verify against your Domain Controller, but never sends username/password pairs. The hash is equivalent security-wise.
I've seen an auth module for Squid which authenticates against DCs. It came with the source tarball and I've dug up this web page: http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5
Peter
--
Raymond Leach
Knowledge Factory
Tel: +27 11 445 8100
Fax: +27 11 445 8101
http://www.knowledgefactory.co.za/
http://www.saptg.co.za/
* Raymond Leach wrote on Mon, Jan 27, 2003 at 16:02 +0200:
Squid supports authentication via helper programs. I'm sure if you look hard enough on the net you can find one that will do SMB (Windows) authentication.
I don't think that this was the question. He said the authentication works, but the users need to re-enter the password. Well, and maybe the users enter their Windows password in the standard proxy authentication window with basic authentication - which is transmitted in clear text - even worse, now there is no need to attack a DC server, but a simple traffic logger can retrieve passwords (you may take a look at http://sws.dett.de/squid-IP_AUTH.shtml for details ;)). Anyway, I cannot answer the question, but I would recommend not to try so. If a browser can get such important information, browser attacks like XSS and such would become much more efficient (but maybe Windows even supports such insecure doing :)). I would rather look at how this could be prevented, and I suggest not to transfer such sensitive information in clear to the proxy.

oki,
Steffen
--
This letter was generated automatically and therefore bears neither signature nor seal.
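An added example, not code from this thread or from Squid itself: a minimal program speaking the line protocol of a Squid basic-auth helper ("username password" in, "OK" or "ERR" out; the %XX-encoding of the fields is an assumption about the interface) checked against a constructed user table standing in for the ldap_group_auth lookup, plus a function that recovers the credential from a "Proxy-Authorization: Basic" header, which is what the clear-text concern above comes down to.

```python
import base64
import sys
from urllib.parse import unquote

# Constructed stand-in for the ldap_group_auth lookup (assumption): members of
# WWW_Users and their passwords. A real helper would query the directory.
WWW_USERS = {"alice": "s3cret", "bob": "hunter2"}


def check_basic_helper_line(line):
    """Answer one line of Squid's basic auth helper protocol.

    Squid writes "username password\n" per request (fields %XX-encoded, an
    assumption about the helper interface) and expects "OK" or "ERR" back.
    """
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    user, password = (unquote(p) for p in parts)
    # Deny unknown users and wrong passwords alike; never echo the reason.
    return "OK" if WWW_USERS.get(user) == password else "ERR"


def credentials_from_proxy_authorization(header_value):
    """Recover user and password from a 'Proxy-Authorization: Basic ...' value.

    Base64 is an encoding, not encryption: anyone who can read the request
    (a traffic logger on the path to the proxy) reads the password.
    Returns None for non-Basic or malformed values.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def main():
    # Loop as Squid drives the helper: one answer per request line.
    for line in sys.stdin:
        sys.stdout.write(check_basic_helper_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it on a pipe (`printf 'alice s3cret\n' | python3 helper.py`) to see the helper side; the header function shows that whatever the users type into that authentication window travels to the proxy in recoverable form.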
On Mon, 27 Jan 2003 14:15:55 +0100, Markus Feilner