Robert/all...
When using NTLM authentication, does the username show up the the access.log
files? That would definitely be nice to see in order to track misuse of the
Internet. We can track now based on IP, but we are opening ourselves up for
trouble because we use DHCP and the IP can change.
Thanks for the help,
Craig
----- Original Message -----
From: "Robert Collins" <robert.collins@itdomain.com.au>
To: "Thomas Goebel" <thomas@an-netz.de>
Cc: <squid-users@ircache.net>
Sent: Tuesday, September 19, 2000 9:32 AM
Subject: Re: [SQU] automatic smb_auth
> Well its not well documented yet... but here's a quick list of things to
do &
> notes about ntlm auth.
> Hey kinkie have I missed anything drastic? I might turn this list into the
> start of our HOW-TO ...
>
>
> 0. background
> -within HTTP there are three common authentication types: BASIC,
> DIGEST, NTLM. Of these only BASIC and DIGEST are official
> http authenticaton protocols. Basic authentication is clear text. digest
> uses a challenge-response format, as does NTLM.
> -Challenge-response helpers in squid cannot be tested from the
command-line
> for two reasons. One: the helper needs the base64 data
> from the client to correctly interpret and verify the authentication
request.
> Two: the authentication requests are stateful, so you need to
> generate the correct response to the 1st result the helper gives you.
> - NTLM and proxies. NTLM was not designed with stateless (ie HTTP)
> environments in mind. MS have got it to work, via a massive hack on the
> protocol. It DOES NOT WORK THROUGH PROXIES. Only the first hop can be NTLM
> authenticatied. This includes MS's IIS based proxy products. NTLM will
also
> not work with transparent proxies (same reason as BASIC authentication
> doesn't_)so please, don't ask.
> 1. key changes to squid
> - the auth_modules directory is largely irrelevant for ntlm based
> environments. The helpers in auth_modules are BASIC helpers only. This
> includes the smb_auth,MSNT and multi-domain-NTLM.
> - there is a new directory ntlm_auth_helpers that contains the NTLM
helper
> source programs.
> - the default ./configure will not enable any authentication code in squid
> (great for ISP's). New configuration directives allow
> basic auth, the basic auth modules to build, ntlm-auth, and the ntlm auth
> modules to build to be handled separately. Compiling in both
> basic and ntlm auth will allow you to 'fall back' to basic authentication
if a
> browser does not support NTLM.
> 2. howto get NTLM authentication working
> - download the source
> - configure with (at a minimum) --enable-ntlm-authentication and
> --enable-ntlm-auth-modules=NTLMSSP
> - check the ntlmssp source code for any hardcoded parameters (it's only
just
> stablised, there may be some 'magic' in the source at the moment). Also
the
> command-line format is documented in the source.
> - you can use fakeauth or no_check if you just want to validate the
username,
> but not check the password/login time limits.
> -compile and install squid
> - edit the squid.conf to specify the ntlm_authentication_helper
command-line
> and at least one proxy_auth acl entry.
> -cross fingers (:-]) and use internet explorer FROM A DOMAIN USER ACCOUNT
to
> surf the web.
>
> Rob
>
>
> Thomas Goebel wrote:
>
> > Hallo,
> >
> > sorry, i installed NTLM. But it does not work.
> > I tried at comandline to authenticate with smp_auth.pl and this also not
> > worked.
> >
> > Please help. Where can i get Information of NTLM.
> >
> > cu
> >
> > Thomas
> >
> > Robert Collins wrote:
> > >
> > > This is exactly what the recently developed NTLM authentication for
squid
> > > does.
> > >
> > > It uses MS challenge handshaking authentication protocol (CHAP) for
the
> > > browser. You need internet explorer 3 or newer to use it.
> > >
> > > Rob
> > >
> > > ----- Original Message -----
> > > From: "Thomas Goebel" <thomas@an-netz.de>
> > > To: <squid-users@ircache.net>; <linuxml@hekkihek.hacom.nl>
> > > Sent: Tuesday, September 19, 2000 11:36 PM
> > > Subject: [SQU] automatic smb_auth
> > >
> > > > Hallo,
> > > >
> > > > is it possible to perform the authentication against the
> > > > proxy automatically, invisible to the Windows user.
> > > > The Microsoft IIS authenticates the user, logged in at the
workstation,
> > > > automatically.
> > > >
> > > > cu
> > > >
> > > > Thomas
> > > >
> > > > --
> > > > To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
> > > >
> > > >
>
> --
> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
>
-- To unsubscribe, see http://www.squid-cache.org/mailing-lists.htmlReceived on Tue Sep 19 2000 - 10:04:10 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:55:23 MST