SSO with AD, Kerberos and squid ???

Dr. Greg Wettstein greg at wind.enjellic.com
Fri May 2 10:07:35 EDT 2003


On Apr 30,  3:53pm, Turbo Fredriksson wrote:
} Subject: Re: SSO with AD, Kerberos and squid ???

> > Try this:
> > 
> > http://www.bayour.com/kerberos/squid-ldap_auth.tgz
> 
> That's only LDAP, not Kerberos. Besides, I got an 'angry' mail from the
> author Alan Sparks about this module. He doesn't want anyone to use it,
> because it's ancient code.
> 
> But that's the only LDAP module _I_ could get working with Squid, so
> I'm going to ignore his mail, and keep recommending it :)

We attacked the problem of restricting WEB access to 'private' HTTP
resources by using Squid in authenticated proxy mode as well.  We had
an additional constraint as well since we needed to verify the
Hurderos service authorization identity.

We used an external authenticator program to implement our
authentication and authorization.  It was a while ago but the option
to look for in the squid configuration file is the
authenticate_program tag.

In our case this was actually a shell script wrapper which went around
our authentication and authorization binary.  At that time Squid
called the value of authenticate_program and fed the user identifier
and password in on separate lines of standard input.  We used the
wrapper to pick up those values and to set the service authorization
identity to be used with our authenticator binary.

Squid reads standard output from the authenticator wrapper and looks
for keywords to determine whether or not the authentication succeeded.
The wrapper checks the return status of the auth/authz binary and urps
out the appropriate response.  I'm including the script below in case
anyone finds it useful.

As Turbo notes, none of this is 'pure' Kerberos authentication.  As
with other WEB based authentication systems protection of the
communications channel, i.e. SSL, needs to be considered.  I am looking
forward to some spare cycles at the lake this weekend to look at the
links to work being done to implement Kerberos service ticket based
authentications.  This work, IMHO, will be central to providing open
security standards for the WEB.

The authenticated proxy technique as it stands though has worked very
well for us in a number of situations and deployments.  IMHO it is
actually one of the really useful but overlooked tools/methodologies
from the perspective of providing authentication and authorization for
WEB based delivery systems.

Here is the script.  Please feel free to use it with the explicit
guarantee of no angry emails.... :-)

Have a nice weekend everyone.

Greg

---------------------------------------------------------------------------
#! /bin/bash

# Simple wrapper script to convert the calling syntax for the Squid
# external authenticator to the correct format for hurdauth.
#
# This utility simply sits in a continuous loop reading an external
# identifier (IID) and a password from its input.  The code assumes
# that anything after the first component of the input line is the
# password.  This utility should thus, theoretically, support passwords
# with spaces in them.

# The service name to authorize for.
service="PROXY_WEB";

# Disable globbing so that a password containing '*' or '?' is not
# expanded into file names when the line is split below.
set -f;

# read -r keeps backslashes in the password intact.
while read -r input;
do
        # 'set --' stops a password beginning with '-' from being parsed
        # as options to set.
        set -- $input;
        if [ $# -eq 0 ]; then
                echo "ERR";
                continue;
        fi;

        iid=$1;
        shift;
        pwd="$*";
        # printf rather than echo, so a password such as "-n" is passed as-is.
        printf '%s\n' "$pwd" | /usr/local/squid/bin/hurdauth -A -s "$service" -e "$iid";
        if [ $? -eq 0 ]; then
                echo "OK";
        else
                echo "ERR";
        fi;
done;

exit;
---------------------------------------------------------------------------


}-- End of excerpt from Turbo Fredriksson

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-4950            WWW: http://www.enjellic.com
FAX: 701-281-3949           EMAIL: greg at enjellic.com
------------------------------------------------------------------------------
"Courage is not the absence of fear, but rather the judgement that
something else is more important than fear."
                                -- Ambrose Redmoon
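As an added example (not code from the original mail or from the Hurderos project), here is the same Squid authenticate_program protocol written so that the user/password split does not go through set(1): globs, leading dashes and runs of spaces in the password survive intact. The credential check is a constructed stand-in for hurdauth with assumed credentials, and the demo function plays the part of Squid feeding request lines.

```shell
#!/bin/bash
# Added example: a Squid basic-auth helper with a safe user/password split.
# fake_hurdauth is a constructed stand-in for the site's auth/authz binary.

# Stand-in for hurdauth: user as argument, password on stdin, 0 on success.
# Assumed credentials: alice / "open sesame", bob / "hunter2".
fake_hurdauth() {
    local iid="$1" pass
    IFS= read -r pass
    case "$iid:$pass" in
        "alice:open sesame"|"bob:hunter2") return 0 ;;
        *) return 1 ;;
    esac
}

# Split one helper input line into user and password with parameter
# expansion only, so nothing in the password is globbed, re-split or
# taken as an option.  Prints the reply Squid expects: OK or ERR.
squid_auth_line() {
    local line="$1" iid pw
    iid="${line%% *}"          # everything before the first space
    pw="${line#"$iid"}"        # the remainder ...
    pw="${pw# }"               # ... minus the single separating space
    if [ -n "$iid" ] && printf '%s\n' "$pw" | fake_hurdauth "$iid"; then
        echo "OK"
    else
        echo "ERR"
    fi
}

# Helper main loop: one request per input line, one reply per output line.
squid_auth_loop() {
    local line
    while IFS= read -r line; do
        squid_auth_line "$line"
    done
}

# Stand-in for Squid driving the helper with constructed request lines.
# The fourth line has two spaces in the password and so must be rejected.
demo() {
    printf '%s\n' 'alice open sesame' 'bob hunter2' 'bob wrong' \
        'alice open  sesame' 'alice *' | squid_auth_loop
}
```

Later Squid releases URL-encode the two fields on the helper's input line, so a helper for them has to decode each field after splitting rather than use the raw text.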

