diff -Naur squid-2.5.PRE4-20020305/configure.in squid-2.5.PRE4-20020305-new/configure.in --- squid-2.5.PRE4-20020305/configure.in Wed Mar 6 01:13:38 2002 +++ squid-2.5.PRE4-20020305-new/configure.in Wed Mar 6 11:27:50 2002 @@ -2092,6 +2092,7 @@ src/auth/basic/helpers/YP/Makefile \ src/auth/basic/helpers/getpwnam/Makefile \ src/auth/basic/helpers/multi-domain-NTLM/Makefile \ + src/auth/basic/helpers/SASL/Makefile \ src/auth/digest/Makefile \ src/auth/digest/helpers/Makefile \ src/auth/digest/helpers/password/Makefile \ diff -Naur squid-2.5.PRE4-20020305/src/auth/basic/helpers/Makefile.am squid-2.5.PRE4-20020305-new/src/auth/basic/helpers/Makefile.am --- squid-2.5.PRE4-20020305/src/auth/basic/helpers/Makefile.am Fri Aug 31 12:19:14 2001 +++ squid-2.5.PRE4-20020305-new/src/auth/basic/helpers/Makefile.am Wed Mar 6 11:09:03 2002 @@ -3,5 +3,5 @@ # $Id: Makefile.am,v 1.1 2001/08/31 11:19:14 robertc Exp $ # -DIST_SUBDIRS = getpwnam LDAP MSNT multi-domain-NTLM NCSA PAM SMB YP +DIST_SUBDIRS = getpwnam LDAP MSNT multi-domain-NTLM NCSA PAM SMB YP SASL SUBDIRS = @BASIC_AUTH_HELPERS@ diff -Naur squid-2.5.PRE4-20020305/src/auth/basic/helpers/SASL/Makefile.am squid-2.5.PRE4-20020305-new/src/auth/basic/helpers/SASL/Makefile.am --- squid-2.5.PRE4-20020305/src/auth/basic/helpers/SASL/Makefile.am Thu Jan 1 01:00:00 1970 +++ squid-2.5.PRE4-20020305-new/src/auth/basic/helpers/SASL/Makefile.am Wed Mar 6 10:19:22 2002 @@ -0,0 +1,13 @@ +# +# Makefile for the Squid SASL authentication helper +# +# $Id$ +# +# Uncomment and customize the following to suit your needs: +# + +INCLUDES = -I. -I$(top_builddir)/include -I$(top_srcdir)/include \ + -I$(top_srcdir)/src/ + +libexec_PROGRAMS = sasl_auth +LDADD = -lsasl $(XTRA_LIBS) diff -Naur squid-2.5.PRE4-20020305/src/auth/basic/helpers/SASL/README squid-2.5.PRE4-20020305-new/src/auth/basic/helpers/SASL/README --- squid-2.5.PRE4-20020305/src/auth/basic/helpers/SASL/README Thu Jan 1 01:00:00 1970 +++ squid-2.5.PRE4-20020305-new/src/auth/basic/helpers/SASL/README Wed Mar 6 11:08:32 2002 @@ -0,0 +1,49 @@ +This program authenticates users using SASL (specifically the +cyrus-sasl authentication method). + +SASL is configurable (somewhat like PAM). Each service authenticating +against SASL identifies itself with an application name. Each +"application" can be configured independently by the SASL administrator. + +For this authenticator, the SASL application name is, by default, + + squid_sasl_auth + +To configure the authentication method used the file "squid_sasl_auth.conf" +can be placed in the appropriate location, usually "/usr/lib/sasl". + +The authentication database is defined by the "pwcheck_method" parameter. +Only the "PLAIN" authentication mechanism is used. + +Examples: + +pwcheck_method:sasldb + use sasldb - the default if no conf file is installed. +pwcheck_method:pam + use PAM +pwcheck_method:passwd + use traditional /etc/passwd +pwcheck_method:shadow + use slightly less traditional /etc/shadow + +Others methods may be supported by your cyrus-sasl implementation - +consult your cyrus-sasl documentation for information. + +Typically the authentication database (/etc/sasldb, /etc/shadow, pam) +can not be accessed by a "normal" user. You should use setuid/setgid +and an appropriate user/group on the executable to allow the +authenticator to access the appropriate password database. If the +access to the database is not permitted then the authenticator +will typically fail with "-1, generic error". + + chown root.mail sasl_auth + chmod ug+s sasl_auth + +If the application name ("squid_sasl_auth") will also be used for the +pam service name if pwcheck_method:pam is chosen. And example pam +configuration file "squid_sasl_auth" is also included. + + +Ian Castle +ian.castle@coldcomfortfarm.net +March 2002 diff -Naur squid-2.5.PRE4-20020305/src/auth/basic/helpers/SASL/sasl_auth.c squid-2.5.PRE4-20020305-new/src/auth/basic/helpers/SASL/sasl_auth.c --- squid-2.5.PRE4-20020305/src/auth/basic/helpers/SASL/sasl_auth.c Thu Jan 1 01:00:00 1970 +++ squid-2.5.PRE4-20020305-new/src/auth/basic/helpers/SASL/sasl_auth.c Wed Mar 6 11:08:06 2002 @@ -0,0 +1,100 @@ +/* + * $Id$ + * + * SASL authenticator module for Squid. + * Copyright (C) 2002 Ian Castle + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. + * + * Install instructions: + * + * This program authenticates users against using cyrus-sasl + * + * Compile this program with: gcc -Wall -o sasl_auth sasl_auth.c -lsasl + * + */ +#include +#include +#include +#include +#include + +#define APP_NAME_SASL "squid_sasl_auth" + +int +main() +{ + char line[8192]; + char *username, *password; + const char *errstr; + + int rc; + sasl_conn_t *conn = NULL; + + rc = sasl_server_init( NULL, APP_NAME_SASL ); + + if ( rc != SASL_OK ) { + fprintf( stderr, "error %d %s\n", rc, sasl_errstring(rc, NULL, NULL )); + fprintf( stdout, "ERR\n" ); + return 1; + } + + rc = sasl_server_new( APP_NAME_SASL, NULL, NULL, NULL, 0, &conn ); + + if ( rc != SASL_OK ) { + fprintf( stderr, "error %d %s\n", rc, sasl_errstring(rc, NULL, NULL )); + fprintf( stdout, "ERR\n" ); + return 1; + } + + while ( fgets( line, sizeof( line ), stdin )) { + username = &line[0]; + password = strchr( line, '\n' ); + if ( !password) { + fprintf( stderr, "authenticator: Unexpected input '%s'\n", line ); + fprintf( stdout, "ERR\n" ); + continue; + } + *password = '\0'; + password = strchr ( line, ' ' ); + if ( !password) { + fprintf( stderr, "authenticator: Unexpected input '%s'\n", line ); + fprintf( stdout, "ERR\n" ); + continue; + } + *password++ = '\0'; + + rc = sasl_checkpass(conn, username, strlen(username), password, strlen(password), &errstr); + + if ( rc != SASL_OK ) { + if ( errstr ) { + fprintf( stderr, "errstr %s\n", errstr ); + } + if ( rc != SASL_BADAUTH ) { + fprintf( stderr, "error %d %s\n", rc, sasl_errstring(rc, NULL, NULL )); + } + fprintf( stdout, "ERR\n" ); + } + else { + fprintf( stdout, "OK\n" ); + } + + } + + sasl_dispose( &conn ); + sasl_done(); + + return 0; +} diff -Naur squid-2.5.PRE4-20020305/src/auth/basic/helpers/SASL/squid_sasl_auth squid-2.5.PRE4-20020305-new/src/auth/basic/helpers/SASL/squid_sasl_auth --- squid-2.5.PRE4-20020305/src/auth/basic/helpers/SASL/squid_sasl_auth Thu Jan 1 01:00:00 1970 +++ squid-2.5.PRE4-20020305-new/src/auth/basic/helpers/SASL/squid_sasl_auth Wed Mar 6 11:06:21 2002 @@ -0,0 +1,7 @@ +#%PAM-1.0 +# +# Example PAM service configuration file if using the sasl pam password +# backend (pwcheck_method:pam) +# +auth required /lib/security/pam_pwdb.so shadow nullok +account required /lib/security/pam_pwdb.so diff -Naur squid-2.5.PRE4-20020305/src/auth/basic/helpers/SASL/squid_sasl_auth.conf squid-2.5.PRE4-20020305-new/src/auth/basic/helpers/SASL/squid_sasl_auth.conf --- squid-2.5.PRE4-20020305/src/auth/basic/helpers/SASL/squid_sasl_auth.conf Thu Jan 1 01:00:00 1970 +++ squid-2.5.PRE4-20020305-new/src/auth/basic/helpers/SASL/squid_sasl_auth.conf Wed Mar 6 10:48:03 2002 @@ -0,0 +1 @@ +pwcheck_method:sasldb