Re: [squid-users] generic kerberos support in 2.6?

From: Cardon Denis <denis.cardon@dont-contact.us>
Date: Tue, 02 Jan 2007 12:55:09 +0100

Hi Henrik and Brian, and happy new year to the squid mailing list !
>> Hrm. Firefox seems to disagree, at least in its implementation. Squid
>> sends "Negotiate" as the authentication mechanism and Firefox responds
>> with Kerberos.
>>
> The Negotiate HTTP scheme is defined by Internet RFC4559 "SPNEGO-based
> Kerberos and NTLM HTTP Authentication in Microsoft Windows", which
> specifies Kerberos within GSS-API as applied by SPNEGO.
>
> Quote:
> The "Negotiate" auth-scheme calls for the use of SPNEGO GSSAPI tokens
> that the specific mechanism type specifies.
>
> Relevant RFCs:
>
> RFC4559 SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft
> Windows (Negotiate)
>
> RFC4178 The Simple and Protected Generic Security Service Application
> Program Interface (GSS-API) Negotiation Mechanism (SPNEGO)
>
> RFC2743 Generic Security Service Application Program Interface Version
> 2, Update 1. (GSS-API)
>
> Now I am not an expert on how this translates to wire format so I leave
> it to you to read and consider if what your Firefox does is sufficient
> to meet the specifications or not.
>
I have been looking for the same setup as you are (transparent
authentication proxy in a full Linux environment, i.e. Linux/Firefox +
Linux/Heimdal Kerberos + Linux/Squid) for some time already, and I asked
the same question a few months ago with the same answer (the need for a
helper). So I have read this thread with much interest, and think I may
add a few bits of information here.

You have mentioned in a previous post that your Firefox was doing
native KRB5 negotiation instead of SPNEGO/KRB5. It may go back to the original
implementation that can be found at
http://meta.cesnet.cz/cms/opencms/en/docs/software/devel/negotiate.html
: "Since we don't have any SPNEGO implementation we are using
directly Kerberos implementation of GSS API". I don't know if
SPNEGO has been added since then.

The interesting bit is that the same people have developed an Apache
authentication module corresponding to the Mozilla negotiation
implementation (http://modauthkerb.sourceforge.net/index.html). Please
correct me if I'm wrong, but an Apache auth module and a Squid auth
helper should be quite similar, shouldn't they? The current maintainer of the
Apache Kerberos auth module is Daniel Kouril, who is working/studying in
a Czech university. He is working on the MyProxy project, whose goal is
to ease authentication/authorization management using certificates,
especially in grid computing environments. I'll drop him an email to see
if he is interested in collaborating with the Squid community.

Cheers,

Denis

> Regards
> Henrik
>

-- 
Denis Cardon
Tranquil IT Systems
10 rue du Docteur Bouchard
49400 Saumur
tel : +33 (0) 2.41.67.56.99
fax : +33 (0) 2.40.56.09.81
mob : +33 (0) 6 81 66 27 62
http://www.tranquil-it-systems.fr
Received on Tue Jan 02 2007 - 03:56:38 MST

This archive was generated by hypermail pre-2.1.9 : Thu Feb 01 2007 - 12:00:00 MST
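As an added illustration of the wire-format question Henrik left open above (this is not code from the thread, from Squid or from mod_auth_kerb), the following Python decodes the credential a client sends in a "Negotiate" header and reports whether it is SPNEGO-framed (RFC 4178), a bare Kerberos GSS-API initial context token of the kind the CESNET Mozilla implementation describes, or raw NTLMSSP. The OIDs are the standard ones from the RFCs cited in the thread; the sample tokens are constructed here with placeholder AP-REQ bytes, not captured traffic, so only the framing and mechanism list are meaningful.

```python
"""Classify the token in an HTTP "Negotiate" credential: SPNEGO-wrapped
(RFC 4178), bare Kerberos GSS-API (RFC 2743 / RFC 1964 framing), or raw
NTLMSSP.  Added example; not code from the thread, Squid or mod_auth_kerb."""
import base64

# DER-encoded mechanism OIDs as they appear inside GSS-API tokens.
OID_SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MSKRB5 = bytes.fromhex("2a864882f712010202")      # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {OID_SPNEGO: "SPNEGO", OID_KRB5: "KRB5",
             OID_MSKRB5: "MS-KRB5", OID_NTLMSSP: "NTLMSSP"}


def der_tlv(buf, pos):
    """Parse one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x8n, then n length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length


def der(tag, body):
    """Encode one DER element (used here only to build the constructed samples)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def classify_negotiate(header_value):
    """header_value is the full '(Proxy-)Authorization: Negotiate <b64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate credential")
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):       # bare NTLM, no GSS-API framing at all
        return {"framing": "raw", "mech": "NTLMSSP", "offered": []}
    if not tok or tok[0] != 0x60:           # RFC 2743 3.1: [APPLICATION 0] wrapper
        raise ValueError("not a GSS-API initial context token")
    _, p, _ = der_tlv(tok, 0)
    tag, s, e = der_tlv(tok, p)
    if tag != 0x06:
        raise ValueError("missing mechanism OID")
    mech = OID_NAMES.get(tok[s:e], "OID " + tok[s:e].hex())
    if tok[s:e] != OID_SPNEGO:
        # Native Kerberos: the KRB5 TOK_ID and AP-REQ follow the OID directly.
        return {"framing": "gss-api", "mech": mech, "offered": []}
    # SPNEGO: NegotiationToken ::= CHOICE { negTokenInit [0] NegTokenInit, ... }
    offered = []
    tag, p, e = der_tlv(tok, e)
    if tag == 0xA0:
        tag, p, e = der_tlv(tok, p)           # NegTokenInit SEQUENCE
        tag, p, e = der_tlv(tok, p)           # mechTypes [0] (first field in practice)
        if tag == 0xA0:
            tag, p, e = der_tlv(tok, p)       # SEQUENCE OF MechType
            while p < e:
                _, s2, e2 = der_tlv(tok, p)
                offered.append(OID_NAMES.get(tok[s2:e2], tok[s2:e2].hex()))
                p = e2
    return {"framing": "spnego", "mech": mech, "offered": offered}


# Constructed samples: the AP-REQ bodies are placeholders (TOK_ID 0x0100 plus
# dummy bytes), not real Kerberos messages.  Sized > 255 bytes so the
# long-form DER length path is exercised.
FAKE_APREQ = b"\x01\x00" + b"\x6e" + b"\x00" * 300
SAMPLE_RAW_KRB5 = "Negotiate " + base64.b64encode(
    der(0x60, der(0x06, OID_KRB5) + FAKE_APREQ)).decode()
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(der(0x60,
    der(0x06, OID_SPNEGO) + der(0xA0, der(0x30,
        der(0xA0, der(0x30, der(0x06, OID_MSKRB5) + der(0x06, OID_KRB5)
                             + der(0x06, OID_NTLMSSP)))
        + der(0xA2, der(0x04, der(0x60, der(0x06, OID_MSKRB5) + FAKE_APREQ))))))).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28).decode()

if __name__ == "__main__":
    for name, sample in (("raw krb5", SAMPLE_RAW_KRB5),
                         ("spnego", SAMPLE_SPNEGO), ("ntlm", SAMPLE_NTLM)):
        print(name, classify_negotiate(sample))
```

A helper that accepts only the first shape (the SPNEGO wrapper RFC 4559 calls for) will reject a client that sends the second, which is the mismatch the thread is describing; a helper that feeds the token to GSS-API's SPNEGO mechanism will typically also accept the bare KRB5 form, since most GSS-API libraries fall through to the mechanism named by the OID.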