Steve:
We have set up an "outside-in" proxy using Apache in proxy mode with
mod_securid as the auth method. The SecurID username and auth tokens are
sent in the clear but since each token is only good for 60 seconds and can
only be used once, "sniffing" one does a hacker no good. Once
authenticated, we pass the requests to Squid.
This works great. The URL for mod_securid is:
http://persoweb.francenet.fr/~pasty/mod_securid/
-----Original Message-----
From: HUNT_STEVE [mailto:HUNT_STEVE@smc.edu]
Sent: Wednesday, February 28, 2001 1:01 PM
To: squid-users@ircache.net
Subject: [SQU] Proxy Authentication Issues
Hi all,
I am testing Squid for use in authentication of our off-campus users. I
have it set up with the msntauth program, and it seems to work well.
====lines from my squid.conf======
acl ourusers proxy_auth REQUIRED
http_access allow ourusers
authenticate_program /usr/local/squid/bin/msntauth
====lines from my squid.conf======
I have some concerns about authentication with proxy servers. I know that
proxy_auth is using HTTP Basic Authentication. Basic Authentication encodes
but does not encrypt the username and password. The username and password
are sent with every page accessed through the proxy server. This is a
well-known security problem: someone with a network sniffer could grab lots
of usernames and passwords.
Alternatives to Basic Authentication include SSL-encrypted Basic
Authentication, NTLM (NTCR) authentication, and Digest authentication. Each
of these has problems also.
NTLM and Digest are only supported by the IE browser. In addition, NTLM
requires that the PC OS be Win NT or that the Client for MS Networks be
installed on Win95/98. And NTLM can't be used if another (non-squid) proxy
server is in between.
The problem with SSL is that all traffic through the proxy server is
encrypted/decrypted, causing performance degradation. If my users are
retrieving lots of info from the web databases they are searching, what kind
of throughput will I see?
I was trying to think of other ways to have a persistent connection to a
proxy server (to log in). There is talk of a ProxyCookie standard, but
apparently nothing is happening in this area. No browsers support it.
Proxy Cookie info
http://portal.research.bell-labs.com/~dmk/pcookies/
What do others do when they need users to authenticate to the proxy server?
Stay with insecure Basic Auth?
Live with the performance penalty SSL imposes (how bad is it?)
Require users to have IE?
Any ideas?
Steve Hunt
hunt_steve@smc.edu
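The point both posters make, that Basic proxy auth is base64-encoded rather than encrypted while a one-time or hashed credential is not replayable, can be checked against a captured request. This is an added example, not code from Squid, mod_securid or either poster; the requests and the steve:hunter2 credential are constructed for it, and audit_proxy_credentials is a name chosen here.

```python
"""Audit a captured plaintext HTTP proxy request for reusable credentials."""
import base64
import binascii
import re
from typing import Optional

# Constructed sample: what the wire carries on EVERY request from a Basic-auth client.
SAMPLE_BASIC_REQUEST = (
    b"GET http://www.example.com/ HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"Proxy-Authorization: Basic c3RldmU6aHVudGVyMg==\r\n"   # "steve:hunter2"
    b"\r\n"
)

# Constructed sample: Digest sends a hash of the password, never the password.
SAMPLE_DIGEST_REQUEST = (
    b"GET http://www.example.com/ HTTP/1.0\r\n"
    b'Proxy-Authorization: Digest username="steve", realm="proxy", '
    b'nonce="abc", response="0123"\r\n'
    b"\r\n"
)


def proxy_auth_header(raw_request: bytes) -> Optional[str]:
    """Return the Proxy-Authorization value from a raw request, or None."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"proxy-authorization":
            return value.strip().decode("latin-1")
    return None


def audit_proxy_credentials(raw_request: bytes) -> dict:
    """Report what a sniffer learns from one request: scheme, username,
    and whether a reusable password is exposed in the clear."""
    value = proxy_auth_header(raw_request)
    if value is None:
        return {"scheme": None, "username": None, "password_exposed": False}
    scheme, _, credential = value.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:   # base64 is an encoding, not encryption: decoding needs no key
            decoded = base64.b64decode(credential.strip(), validate=True).decode("latin-1")
        except (binascii.Error, UnicodeDecodeError):
            return {"scheme": scheme, "username": None, "password_exposed": False}
        user, sep, _password = decoded.partition(":")
        return {"scheme": scheme, "username": user, "password_exposed": bool(sep)}
    # Digest (and NTLM / SecurID-style one-time tokens) reveal at most the username.
    m = re.search(r'username="([^"]*)"', credential)
    return {"scheme": scheme, "username": m.group(1) if m else None, "password_exposed": False}
```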
-- To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Wed Feb 28 2001 - 11:28:23 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:58:16 MST