Re: Proxy authentication with external programs (BETA version)

From: Arjan de Vet <Arjan.deVet@dont-contact.us>
Date: Thu, 12 Feb 1998 23:00:44 +0100 (CET)

I've cleaned up some code and did some more testing so let's call it beta
now. You can get it at

        http://www.iae.nl/users/devet/squid/proxy_auth/proxy_auth.new

Together with a colleague I'm working on a radius_auth program at the
moment. Stay tuned.

Arjan

Proxy authentication with external programs (BETA)
--------------------------------------------------

Introduction
------------

This is a further generalization of my proxy authentication code for Squid.

The authentication is moved into external 'authenticator' programs which are
allowed to block on e.g. remote lookups. The authenticate.c file is a
reworked version of the redirect.c file.

Usage
-----

Uncomment -DUSE_PROXY_AUTH in src/Makefile before compiling. A good setting
for debug_options is "ALL,1 28,9 33,5 44,5"

New squid.conf settings:

    acl password proxy_auth [timeout]

    authenticator_program /home/squid/bin/authenticate
    authenticator_children 5

Authenticator programs
----------------------

An authenticator program should behave as follows:

Input:
        username cleartextpassword

Output:
        OK (in case the password was OK)
        ERR (in case the password was NOT OK)

and this in an endless loop.

[ Maybe we need a 'TIMEOUT' return for an appropriate error? ]

Example for testing:

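    #!/usr/bin/perl

    # Append every request to a log file (testing only: the log
    # will contain cleartext passwords).
    open(L, ">>/tmp/authenticate.log") || die "$!";
    # Unbuffer both the log and STDOUT so Squid gets each reply at once.
    select(L); $| = 1;
    select(STDOUT); $| = 1;

    # One "username cleartextpassword" line in, one OK/ERR line out.
    while (<>) {
            print L;
            chomp;
            ($user, $passwd) = split;
            if ($user eq "devet" && $passwd eq "test234") {
                    print "OK\n";
            } else {
                    print "ERR\n";
            }
    }
    exit(0);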

A correct username/cleartextpassword is cached within Squid until
reconfigure, shutdown (of course :-), a failed proxy-authentication or
the timeout period.

TODO
----

- Check memory leaks.
- Make example authenticator programs like ncsa_auth, radius_auth,
  ldap_auth, pam_auth, etc.
- Integrate this patch into Squid 1.2beta.
- Make the authenticator program return an ACL to use (suggested by Anthony
  Baxter).

Changelog
---------

1998-02-09, 00:30h
	First version announced on squid-users.
1998-02-09, 23:30h
	Did some more testing. Version including support for authenticator
	statistics via cachemgr.cgi
1998-02-12
	Added some comments and cleaned up some code. Fixed a memory leak.
Received on Thu Feb 12 1998 - 14:07:01 MST
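
The authenticator protocol described in the README above (one "username cleartextpassword" line in, one OK or ERR line out, in an endless loop), as an added example that is not part of the original post or of Squid. It checks against salted PBKDF2 hashes instead of a hardcoded cleartext pair and never logs the request; the user "alice", her password, the salts and the in-memory store are constructed for illustration and are not the format of ncsa_auth or any other helper named in the TODO list.

```python
#!/usr/bin/env python3
"""Authenticator helper speaking the line protocol from the README (added example)."""
import hashlib
import hmac
import sys

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a key from the cleartext password; only this is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample store: username -> (salt, derived key). No cleartext kept.
USERS = {
    "alice": (b"constructed-salt", hash_password("example-pass", b"constructed-salt")),
}
# Record used for unknown users so they cost the same work as known ones.
_DUMMY = (b"dummy-salt", hash_password("dummy", b"dummy-salt"))


def check_line(line: str) -> str:
    """Return "OK" or "ERR" for one 'username cleartextpassword' request line."""
    fields = line.split()
    if len(fields) != 2:  # empty line, missing password, or extra fields
        return "ERR"
    user, password = fields
    salt, expected = USERS.get(user, _DUMMY)
    candidate = hash_password(password, salt)
    # Constant-time comparison; the membership test rejects the dummy record.
    ok = hmac.compare_digest(candidate, expected) and user in USERS
    return "OK" if ok else "ERR"


def main() -> None:
    # Exactly one reply per request, flushed immediately because the proxy
    # blocks waiting for it. The request line is never written to a log.
    for line in sys.stdin:
        sys.stdout.write(check_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Unlike the Perl test script, this helper answers ERR when a line carries more than two fields rather than silently ignoring the extras.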