Discussion:
[squid-users] parent_proxy kerberos authentication logging
Johnatan
2016-03-08 13:08:25 UTC
Permalink
Hello there,

I have 2 proxy.
On the first, I perform a Kerberos authentication from my users.
On the parent proxy I want to retrieve the login (username) information.
I don't want to perform a real authentication on the parent proxy so I have
already tested the documentation with the dummy authentication but it
doesn't seem to work for kerberos authentication.
Is there a way for the parent proxy to get the username from my child proxy?

Thank you.
Amos Jeffries
2016-03-09 11:41:13 UTC
Permalink
Post by Johnatan
Hello there,
I have 2 proxy.
On the first, I perform a Kerberos authentication from my users.
On the parent proxy I want to retrieve the login (username) information.
I don't want to perform a real authentication on the parent proxy so I have
already tested the documentation with the dummy authentication but it
doesn't seem to work for kerberos authentication.
Is there a way for the parent proxy to get the username from my child proxy?
Lets be clear: Negotiate/Kerberos authenticates the *TCP connection*.
The single one between the client and your first proxy. The
authentication is *invalid* on any other connection the message travels
over.

This is the main way that Negotiate still violates HTTP messaging
requirements.


Now thats out of the way. The username can be passed on to the second
proxy using simpler Basic auth:
cache_peer ... login=*:foo

Where "foo" is a fake password. The receiving proxy will still need to
perform authentication (with basic_fake_auth helper) to get access to
the username info.

Amos
Johnatan
2016-03-18 13:38:06 UTC
Permalink
Thanks for the reply.

I have two acls:
acl FAKE-AUTH proxy_auth required
acl CHILD-PROXY src 192.168.0.1

It's working now but I need to tell my parent proxy to accept the two
directive:
http_access allow FAKE-AUTH
http_access allow CHILD-PROXY

With onle the :
http_access allow FAKE-AUTH
or the directive
http_access allow FAKE-AUTH CHILD-PROXY
It won't work.

Do you know why ?
Post by Johnatan
Post by Johnatan
Hello there,
I have 2 proxy.
On the first, I perform a Kerberos authentication from my users.
On the parent proxy I want to retrieve the login (username) information.
I don't want to perform a real authentication on the parent proxy so I
have
Post by Johnatan
already tested the documentation with the dummy authentication but it
doesn't seem to work for kerberos authentication.
Is there a way for the parent proxy to get the username from my child
proxy?
Lets be clear: Negotiate/Kerberos authenticates the *TCP connection*.
The single one between the client and your first proxy. The
authentication is *invalid* on any other connection the message travels
over.
This is the main way that Negotiate still violates HTTP messaging
requirements.
Now thats out of the way. The username can be passed on to the second
cache_peer ... login=*:foo
Where "foo" is a fake password. The receiving proxy will still need to
perform authentication (with basic_fake_auth helper) to get access to
the username info.
Amos
_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
Continue reading on narkive:
Search results for '[squid-users] parent_proxy kerberos authentication logging' (Questions and Answers)
4
replies
____ 3. In FTP, ASCII and binary are the two file transfer ____.?
started 2007-11-30 12:46:38 UTC
programming & design
Loading...