Authentication: Time and Monetary contributions

From: Stefan Adams <stefan@dont-contact.us>
Date: Sat, 31 Mar 2007 12:27:51 -0500

Hello squid developers!

I have been devoting a lot of time to authentication within the proxy.
However, every solution I provide to my customers is unacceptable.
They simply get prompted too often or something doesn't work at all.

Using NTLM, certain sites, e.g. links to videos on cnn.com, don't work
at all. These videos are loaded by Real Player which apparently has
an issue with passing NTLM credentials. As such, when using NTLM
authentication, these videos are inaccessible. This is unacceptable
to customers.

Using Basic (PAM module), certain situations cause credential
querying. This is extremely evident while using the help function of
Microsoft Office products. The online help is web-based. Each link
loads a new browser window and Office does not remember the
credentials from link to link. As a result, every time a customer
clicks a link, they are asked once again for credentials. This is
unacceptable to customers.

I think entry 2.3 in the FAQ most clearly sums up the problem:

http://netmirror.org/mirror/squid-www/Doc/FAQ/FAQ-23.html

"Note: This has nothing to do with how often the user needs to
re-authenticate himself. It is the browser who maintains the session,
and re-authentication is a business between the user and his browser,
not the browser and Squid. The browser authenticates on behalf of the
user on every request sent to Squid. What this parameter controls is
only how often Squid will ask the defined helper if the password is
still valid."

That said, there simply MUST be a better way. I have heard of other
schools that provide authentication to the proxy that apparently do
not complain about such "inconveniences". These users use commercial,
proprietary products. I have no idea how they work.

I have 2 ideas that I would like to pursue. I do *some* programming
myself and would be extremely interested to contribute, also I own a
company that is heavily invested in squid technologies and would be
interested in providing financial support as well.

1) I understand that a browser asks a user for authentication because
the proxy server instructs the browser that it needs credentials. My
idea is to provide a server-side caching option within squid that
would only ask the browser for credentials periodically. This would
be similar to having server-side authentication options turned on and
off frequently. When the cache is expired or empty, authentication
would be turned on and the browser would be asked for credentials.
While there is data in the cache, authentication would be turned off
and the browser would not be asked for credentials.

I know there is a caching mechanism of sorts already in squid which
may already do this, but I am suggesting that this caching mechanism
act on ALL browser instances on that machine. Therefore, if I first
authenticate using Firefox and I then load IE within the cache period
of time, IE would NOT ask me for credentials.

The unfortunate part is that the only piece of information that I can
imagine that could be used as a cache reference would be the IP
address of the machine as this feature's purpose would be application
independent. IP addresses are of course easily spoofed, but perhaps
some counter-tricks could be devised. As a last resort, simply
providing this as a feature and noting its weaknesses would be highly
valuable, I think.

2) I am interested in the IDENT mechanism for authentication. However,
there are very few good ident applications in existence and worse,
these applications need to be installed on every client PC. Worst, of
course, is the ease of spoofability. I would like to propose a twist
on the ident method. A new feature could be that instead of squid
asking the client machine who that individual is (which is unreliable
at best), squid should ask a server. What server would know who is
using the machine? In the case of a windows PC, a domain controller
(Samba or ADS). Surely a method could be devised that squid could ask
a Samba server who is logged in on a particular IP address. Again, IP
spoofing is a problem, but I would like to refer to the same "oh well"
attitude as above.

These are my two suggestions based on far less experience than yours.
If you have alternate suggestions or advice, I'd be extremely
interested in working with that as well. In any case, I am interested
in contributing both time and/or money, whichever would be preferred,
more efficient, and all-around superior, to enhancing proxy
authentication capabilities within squid.

Thank you for your time. I look forward to hearing from someone.

Sincerely,
Stefan Adams, president
Cogent Innovators, LLC
http://www.cogentinnovators.com
stefan@cogentinnovators.com
636.326.4466
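
The IP-keyed credential cache from suggestion 1, as an added example that is not from the original post or from Squid itself: a minimal Squid-style external ACL helper that reads one request per line (the "%SRC %LOGIN" input format, the 600-second TTL and the sample addresses are assumptions for this example), answers OK with the cached user while the entry is fresh and ERR once it has expired. The comments mark the weakness the post already names: anything on the same source IP inherits the session.

```python
import sys
import time

# Assumed helper protocol (Squid external_acl_type style): one request per
# line, "%SRC %LOGIN"; reply "OK user=<name>" or "ERR". %LOGIN is "-" when
# the browser sent no credentials. The TTL is a constructed value.
SESSION_TTL = 600  # seconds a source IP stays "authenticated"


class IpSessionCache:
    """Remembers which user last authenticated from a given source IP.

    Weakness (as the post notes): the key is only the IP address, so any
    browser, any user, or any spoofed sender on that IP shares the session.
    """

    def __init__(self, ttl=SESSION_TTL):
        self.ttl = ttl
        self._entries = {}  # ip -> (user, expiry timestamp)

    def record(self, ip, user, now):
        self._entries[ip] = (user, now + self.ttl)

    def lookup(self, ip, now):
        entry = self._entries.get(ip)
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:          # expired: drop it so the browser is re-asked
            del self._entries[ip]
            return None
        return user


def handle_request(cache, line, now):
    """Return the helper reply for one request line."""
    parts = line.split()
    if not parts:
        return "ERR"
    ip = parts[0]
    login = parts[1] if len(parts) > 1 else "-"
    if login != "-":
        cache.record(ip, login, now)   # fresh credentials start/refresh the session
        return "OK user=%s" % login
    user = cache.lookup(ip, now)
    return "OK user=%s" % user if user else "ERR"


if __name__ == "__main__":
    cache = IpSessionCache()
    for request in sys.stdin:      # Squid writes one request per line
        sys.stdout.write(handle_request(cache, request.strip(), time.time()) + "\n")
        sys.stdout.flush()
```

With an ERR reply Squid falls through to whatever follows in http_access, so the proxy_auth challenge is only issued once per TTL per IP; an OK from a second browser on the same IP (the Firefox-then-IE case) comes from the cache without any prompt.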
Received on Mon Apr 02 2007 - 03:34:50 MDT