Re: PATCH: Proxy Authentication patches

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 06 May 1999 21:10:27 +0200

Dancer wrote:
 
> AUTH_WITH_IP:
> Pass three arguments to the authenticator instead of two. The first is
> now the source-ip address of the client (second and third are the
> username and password as usual). Squid's authentication caching is
> disabled if this is selected.

Please make that as an additional third argument. No fun having
different authentication modules for different builds of Squid.

> USERDATA_FROM_AUTHENTICATOR:
> The authenticator is expected to return 'OK __data__' or 'ERR __data__'
> as an authentication response. If no extra data is returned, the
> username is left unmodified, otherwise whatever is returned as __data__
> is used as the username for logging purposes, and is passed to the
> redirector in the ident field. I can't say for certain if this one works
> well by itself, since I've only tested it in conjunction with
> AUTH_WITH_IP, and the modified code structure may introduce some issues
> with the internal authentication cache.

Not sure I like this too much. I agree that it may be useful, but far
more useful in a general perspective is to have the authenticator return
a message to the user telling them why the password was not OK. Also,
extending the protocol with an additional return code "DENY" might be a
good idea, to allow the authenticator to return an access denial message to
the client without asking for authentication.

Changing the logged username might be useful in conjunction with this,
but I would prefer to see it done with some kind of magic key, like
USER:<whitespace terminated string>.

/Henrik
Received on Tue Jul 29 2003 - 13:15:58 MDT
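
Added example, not part of the original message and not Squid's or the patch author's code: a helper that speaks the line protocol as it is proposed in this thread, accepting the client IP as an optional third field so the same module works whether or not the build sends it. The `DENY` reply and the `USER:` key are the proposals made above, not confirmed Squid behaviour; the credential table, log names and blocked address are constructed sample data.

```python
import hmac
import sys

# Constructed sample data: username -> (password, name to log instead).
USERS = {"alice": ("s3cret", "staff-alice"), "bob": ("hunter2", "guest-bob")}
BLOCKED_IPS = {"192.0.2.66"}  # constructed documentation-range address


def parse_request(line):
    """Return (user, password, ip); ip is None when only two fields arrive."""
    fields = line.split()
    if len(fields) not in (2, 3):
        return None
    ip = fields[2] if len(fields) == 3 else None
    return fields[0], fields[1], ip


def handle(line):
    """Map one request line to one reply line: OK, ERR or DENY plus data."""
    req = parse_request(line)
    if req is None:
        return "ERR malformed request"
    user, password, ip = req
    # DENY: refuse outright, without prompting the client for credentials.
    if ip is not None and ip in BLOCKED_IPS:
        return "DENY access from this address is not permitted"
    stored, log_name = USERS.get(user, ("", None))
    # Constant-time comparison; unknown users fail on the log_name check.
    matches = hmac.compare_digest(stored.encode(), password.encode())
    if log_name is None or not matches:
        return "ERR wrong username or password"
    # USER: value is whitespace terminated, so it must contain no whitespace.
    return "OK USER:" + log_name


def main():
    # One request per line on stdin, one reply per line on stdout, unbuffered.
    for line in sys.stdin:
        print(handle(line.rstrip("\n")), flush=True)


if __name__ == "__main__":
    main()
```
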
