Squid Auth
Networking Forums, Linux Networking
Ajayk
03-16-2006, 07:04 AM
How can we make squid clients authenticated on the basis of their MAC
addresses?
Ajayk

Christian Winter
03-16-2006, 09:51 AM
Ajayk wrote:
> How can we make squid clients authenticated on the basis of their MAC
> addresses?


Squid has the "arp" ACL type to do that, but it has to be explicitly
compiled in (giving --enable-arp-acl to configure before running make).
If it is there, you can say

acl WellKnownClients arp 00:01:02:03:04:05
http_access allow WellKnownClients
http_access deny all

Or, if you have a larger number of clients, just put their MACs
into a file (e.g. /etc/squid/WellKnownClients) line-by-line and say
acl WellKnownClients arp "/etc/squid/WellKnownClients"

-Chris

Ajayk
03-16-2006, 11:20 AM
Thanks Chris...
And what about, if I need some "username & password" authentication
mechanism?
Say a web page must open first asking for Username and Password before
allowing you to access Internet.
Ajay


Mark Atherton
03-16-2006, 12:13 PM
Ajayk wrote:
> Thanks Chris...
> And what about, if I need some "username & password" authentication
> mechanism?
> Say a web page must open first asking for Username and Password before
> allowing you to access Internet.
> Ajay


Run an identd client on your workstations and use ident authorization on
the server. So long as you can be sure that your workstations are secure
- for an appropriate value of "secure".

Mark Atherton

Christian Winter
03-16-2006, 01:58 PM
Mark Atherton wrote:
> Ajayk wrote:
>
>> Thanks Chris...
>> And what about, if I need some "username & password" authentication
>> mechanism?
>> Say a web page must open first asking for Username and Password before
>> allowing you to access Internet.
>> Ajay

>
> Run an identd client on your workstations and use ident authorization on
> the server. So long as you can be sure that your workstations are secure
> - for an appropriate value of "secure".


Or use one of the authenticator modules available for squid
and use combined ACLs, like

acl WellKnownClients arp "/etc/squid/WellKnownClients"
acl AuthUserAsWell proxy_auth REQUIRED
http_access allow WellKnownClients AuthUserAsWell
http_access deny all

Ident authorization has been considered unsafe for more than 10 years
now, and I wouldn't recommend it to anyone for use in a productive
environment.

-Chris

Mark Atherton
03-16-2006, 03:46 PM
Christian Winter wrote:
> Mark Atherton wrote:
>> Ajayk wrote:
>>
>>> Thanks Chris...
>>> And what about, if I need some "username & password" authentication
>>> mechanism?
>>> Say a web page must open first asking for Username and Password before
>>> allowing you to access Internet.
>>> Ajay

>>
>> Run an identd client on your workstations and use ident authorization
>> on the server. So long as you can be sure that your workstations are
>> secure - for an appropriate value of "secure".

>
> Or use one of the authenticator modules available for squid
> and use combined ACLs, like
>
> acl WellKnownClients arp "/etc/squid/WellKnownClients"
> acl AuthUserAsWell proxy_auth REQUIRED
> http_access allow WellKnownClients AuthUserAsWell
> http_access deny all
>
> Ident authorization has been considered unsafe for more than 10 years
> now, and I wouldn't recommend it to anyone for use in a productive
> environment.
>
> -Chris


Why is it considered unsafe? Presumably someone can plug a laptop into
the network and create a user with the appropriate uid. I only use it
at home to provide internet access control for the kids, so I reckon I'm
safe for a while. :-)

Mark Atherton

Christian Winter
03-17-2006, 02:46 PM
Mark Atherton wrote:
> Christian Winter wrote:
>>
>> Ident authorization has been considered unsafe for more than 10 years
>> now, and I wouldn't recommend it to anyone for use in a productive
>> environment.

>
> Why is it considered unsafe? Presumably someone can plug a laptop into
> the network and create a user with the appropriate uid. I only use it
> at home to provide internet access control for the kids, so I reckon I'm
> safe for a while. :-)


That's what I had in mind, there's even a number of ident daemons
that provide any pre-configured user id (popular with IRC users to get
rid of the "~"). And spoofing MAC addresses has already been easy with
the first Etherlink card I had ages ago...

But I should have mentioned also that basic authentication isn't
much safer. Once an attacker gains physical access to the network,
he may just have to wait a little longer to sniff an appropriate
account and password. So to be on the safe side, one should use
digest auth or other encrypted authentication schemes. Everything
else is just security by obscurity and doesn't stop a dedicated
attacker.

-Chris
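
As an added example (not from the thread or the Squid project), a squid.conf fragment that combines Chris's MAC allow-list with the digest scheme he recommends over basic auth; the helper paths, realm name and MAC values are assumptions.

```conf
# Added example: MAC allow-list combined with digest authentication.
# Assumes Squid built with ARP ACL support and the digest_file_auth
# helper installed under /usr/lib/squid (assumed path; varies by distro).

# Weak setting from the thread, left commented out: basic auth sends the
# password in cleartext on every request, so anyone able to sniff the LAN
# segment gets a working account.
#auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
#auth_param basic realm Proxy

# Hardened form: digest auth keeps the password off the wire. With -c the
# file holds precomputed "user:realm:HA1" lines (HA1 = MD5 of user:realm:password)
# rather than plaintext, so a leaked file does not directly expose passwords.
auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/digest_passwd
auth_param digest children 5
auth_param digest realm Proxy
auth_param digest nonce_garbage_interval 5 minutes
auth_param digest nonce_max_duration 30 minutes
auth_param digest nonce_max_count 50

# One MAC per line in /etc/squid/WellKnownClients (constructed list), e.g.
#   00:01:02:03:04:05
#   00:01:02:03:04:06
# Caveat: the arp ACL only sees clients on the same broadcast domain; a
# client behind a router shows the router's MAC, so routed clients never match.
acl WellKnownClients arp "/etc/squid/WellKnownClients"
acl AuthUserAsWell proxy_auth REQUIRED

# Both must match: known hardware AND valid credentials. Unknown MACs fail
# the first ACL and are denied without even receiving a 407 challenge.
http_access allow WellKnownClients AuthUserAsWell
http_access deny all
```

An HA1 line for the digest file can be produced with `printf 'user:Proxy:password' | md5sum` and stored as `user:Proxy:<hash>`; as the thread notes, MAC spoofing still defeats the arp ACL on its own, which is why the credential check is the part that carries the weight.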