RE: [squid-users] authentical_ttl authentical_ip_ttl credentialsttl What is what?

From: Jenny Lee <bodycare_5_at_live.com>
Date: Sun, 25 Jul 2010 10:45:56 +0000

Hello Amos,
 
Thank you for the reply.
 
> Jenny Lee wrote:
>> Hello Folks,
>>
>> Basic authentication. Same user must use different usernames from the
>> same IP in quick succession for role determination purposes.
>>
>
> This breaks the model and purpose of authentication. You apparently are
> trying to use different credentials for authentication and for
> authorization and to do both simultaneously.
>
> The regular way to do this is to assign a group indicating role to the
> credentials. This gets tested to authorize particular actions separately
> by the authenticating software based on the credentials.
>
> Why can't you do it that way?
 

Why should username authentication be bound to the IP address of the user?
 
Assume that you have 3 people in an office all going out from the corporate firewall. You have no control how they go out or for that matter you have no control over anything except their user/pass. They all do basic username authentication from the same IP. All 3 connect at the same time. One authenticates. Why should the rest be accepted whether their password is valid or not?
 
More importantly, why should the first one's username show up everywhere in ACLs while the rest are browsing with their usernames?
 

 
>> This works fine, user can specify a new username and login with that.
>> When I left these values at defaults, user would specify a new
>> user/pass, but squid was still using his old user in its operations.
>>
>> The problem is: squid accepts the old password of the new username.
>> For example, if I type user1/pass1, browse, close browser. Open, type
>> user2/pass1, access is still granted. What is controlling this?
>>
>
> Quite simple:
> * Squid keeps a list (cache) of credentials previously seen. Along
> with the time they were last checked.
> * when new ones come in they are looked for in the cache.
> * If they are found and credentialsttl has not passed, the new ones
> are accepted without testing.
> * If credentialsttl has passed, they are tested with the backend again.
 

Well, exactly. So in that scenario, wouldn't NCSA helper return an error when the client is using a different password?
 
If I leave authenticate_cache_garbage_interval at default value (authenticate_ttl 2 sec, credentialsttl 1 sec), old username shows up in logs and in ACLs.
 
When I keep: authenticate_cache_garbage_interval 1 second
 
The client is not accepted with the old password. He is forced to enter correct password. So far so good. However, the old username shows up in logs and ACLs!!!!
 
So I really could not figure out what to do.
 
Here is what I want to do:
 
Connect to my cache from my computer with basic authentication. Enter user1/pass1. Close-open browser. Enter user2/pass2. I want in both instances the correct user/pass pair be checked and correct user logged and used in ACLs. What should the proper values of these variables be, or which ones must be left at default?
 
And what does 0 seconds do for these?
 
On a side note, is there a counter ACL like acl random? For example, say CONNECT method is matched, value of counter acl is incremented. This way I can stop a user from doing more than say 50 connects a day.
 
Thank you for the detailed information. Your knowledge is immense. Unfortunately, being totally my fault, I am more confused than when I started.
 
J
Received on Sun Jul 25 2010 - 10:46:03 MDT
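A small model of the credential-cache rule Amos describes in the quoted reply (cache of seen credentials with a last-checked time, re-tested against the helper only once credentialsttl has passed). This is an added illustration, not Squid's code; the cache key (the user/password pair), the plaintext password table standing in for the NCSA file, and the timestamps are constructed assumptions. It makes concrete what that rule predicts for the user1/pass1 then user2/pass1 sequence, so the observed behaviour can be compared against it.

```python
# Toy model of the credential cache rule quoted above (constructed example;
# not Squid's implementation). Assumptions: the cache is keyed on the
# user/password pair and stores the last check time together with its result.

CONSTRUCTED_PASSWORDS = {"user1": "pass1", "user2": "pass2"}  # stand-in for the NCSA password file


def ncsa_backend(user, password):
    """Stand-in for the NCSA helper: OK only for the exact user/password pair."""
    return CONSTRUCTED_PASSWORDS.get(user) == password


class CredentialCache:
    def __init__(self, backend, credentialsttl):
        self.backend = backend
        self.ttl = credentialsttl
        self.entries = {}        # (user, password) -> (last_checked, result)
        self.backend_calls = 0   # how often the helper was actually consulted

    def check(self, user, password, now):
        key = (user, password)
        hit = self.entries.get(key)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1]        # within credentialsttl: answered from cache, helper not asked
        self.backend_calls += 1  # credentialsttl passed (or never seen): test with the backend
        result = self.backend(user, password)
        self.entries[key] = (now, result)
        return result

    def garbage_collect(self, now):
        """What a run of authenticate_cache_garbage_interval would do in this model: drop expired entries."""
        self.entries = {k: v for k, v in self.entries.items() if now - v[0] < self.ttl}


def run_scenario(credentialsttl=1.0):
    """Jenny's sequence under the model: user1/pass1, then user2/pass1, then user2/pass2."""
    cache = CredentialCache(ncsa_backend, credentialsttl)
    r1 = cache.check("user1", "pass1", now=0.0)   # never seen -> helper -> True
    r2 = cache.check("user1", "pass1", now=0.5)   # hit within ttl -> True, helper not called
    r3 = cache.check("user2", "pass1", now=0.6)   # different pair -> miss -> helper -> False
    r4 = cache.check("user2", "pass2", now=0.7)   # miss -> helper -> True
    r5 = cache.check("user1", "pass1", now=1.5)   # ttl passed -> re-tested -> True
    return (r1, r2, r3, r4, r5), cache.backend_calls
```

Under this model the old password is a cache miss for the new username and is refused by the helper; if the proxy nevertheless accepts it, its cache is not keyed the way the model assumes.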

This archive was generated by hypermail 2.2.0 : Sun Jul 25 2010 - 12:00:04 MDT