Re: authentication modules

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 13 Oct 2003 15:12:24 +0200 (CEST)

On Mon, 13 Oct 2003, Ilya wrote:

> Firstly, not all browsers (at least not all versions of them)
> support digest authentication.
> Secondly, not all downloaders support digest authentication.
> Thirdly, i am to organize authentication using LDAP server,
> where all users have their accounts. But digest authentication
> needs cleartext passwords.

Sorry, but the proxy can do not better than the clients used for
connecting to the proxy. If your clients does not support secure
authentication methods then there is not much the proxy can do about this.

Integration with LDAP is a problem indeed. Secure authentication shemes
tend to require access to a per-user secret, and there is no standard in
how this is to be done..

Another alternative is to try to convince the browsers to SSL encrypt the
communication to the proxy. Unfortunately I do not know of a single
browser which support SSL encrypted proxy connections. However, if you
manage to convince the browser to do so then all you need is already
available in Squid via the https_port.

A third but not very interesting alternaitve is out-of-band
authentication, for example using an SSL server where the user
authenticates and this authorizes his IP address to access the proxy for
some time..

Regards
Henrik
Received on Mon Oct 13 2003 - 07:12:29 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:20:44 MST