Squid authentication

 
 
Fabricio Greco

 
      07-06-2004, 07:13 PM
Hello Guys,
I am a user of Squid2.2 and I have set it up to work with the ncsa
authentication schema. Now I would like to change it, I don't want the
user to type a login and password to access the internet, I want to
validate the user through the login that he or she is using on the
Windows and Unix systems. At my company we have a mixed environment
with UNIX-Solaris and PC-W2k systems.
I don't want the user to spend his or her time trying to store another
login/password.
I was trying to set up the acl ident in squid, but I was not
successful.
Please, can anyone give me any idea how to set it up?

Best Regards
 
Michael Heiming

 
      07-06-2004, 11:11 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

In comp.os.linux.networking Fabricio Greco <(E-Mail Removed)> suggested:
> Hello Guys,
> I am a user of Squid2.2 and I have set it up to work with the ncsa
> authentication schema. Now I would like to change it, I don't want the
> user to type a login and password to access the internet, I want to
> validate the user through the login that he or she is using on the
> Windows and Unix systems. At my company we have a mixed environment
> with UNIX-Solaris and PC-W2k systems.
> I don't want the user to spend his or her time trying to store another
> login/password.


Sounds like FAQ, "23.5 How do I use the Winbind authenticators?"

http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5

--
Michael Heiming (GPG-Key ID: 0xEDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFA6zGRAkPEju3Se5QRAqLUAJ0RZWqH97OTZaBXF9CKCI EWGoO9hACgzt5m
gZLivWILKPPqG0tfHmAINgI=
=sizG
-----END PGP SIGNATURE-----
 
Alan Connor

 
      07-07-2004, 12:40 AM
On Tue, 6 Jul 2004 23:11:15 -0000, Michael Heiming <michael+(E-Mail Removed)> wrote:
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> NotDashEscaped: You need GnuPG to verify this message
>


Interesting. Perhaps one in ten thousand people on the Usenet have GnuPG
installed and configured and know how to use it.

Why is it so important to you that this minuscule minority be able
to tell whether a post came from you or from someone forging your name?

(A troll could easily forge your PGP sig sufficiently well to fool anyone
without the program installed, after all...)

Doesn't this tiny group of people that you are so concerned about know how
to read news headers?

Surely people don't forge your name often enough for that to become
bothersome? I haven't seen anyone do it in months, and that was just
a stupid troll whose forgeries were quite obvious from their comical
content. No one thought they came from you. Before that, zip.

<snip>

Signed: (a mystified) AC

 
Lew Pitcher

 
      07-07-2004, 02:07 AM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What is that annoying noise? How did that gnat get in here?
Let me find my flyswatter....


- --
Lew Pitcher

Master Codewright & JOAT-in-training | GPG public key available on request
Registered Linux User #112576 (http://counter.li.org/)
Slackware - Because I know what I'm doing.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFA61rdagVFX4UWr64RAoEdAKDX7EsgnyWJvLDmZV2T33 2S0fqk4gCffECq
vgwRObp076hXTi4+phRXUa0=
=pBUw
-----END PGP SIGNATURE-----
 
Alan Connor

 
      07-07-2004, 04:12 AM
On Tue, 06 Jul 2004 22:07:25 -0400, Lew Pitcher <(E-Mail Removed)> wrote:
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> What is that annoying noise? How did that gnat get in here?
> Let me find my flyswatter....
>



Another one of the very, very few other people that use PGP sigs on
the Usenet.

You don't need to worry about finding a flyswatter.

You need to worry about where your BRAINS are.

I mean, you apparently think we are impressed by your ability to clutter
up your posts with what is essentially gibberish to 99.99% of people on the
Usenet.

Wow Lew! Can you actually install a computer program?

Why don't you tell all of us peasants how that's done?

------------

Is this really YOU, or is it a troll?

How could anyone tell? 99.99% of us don't have the software.

(because it's stupid. I could install it in about 2 minutes if
there was any point in it)

Any troll could forge your PGP sig well enough to fool us.

So what's the point?

Just wanna be COOL huh? Set yourself apart from those of us who
respect the Usenet enough not to clutter our posts with pointless
crap?

signed: (a still mystified) AC


 
Mark Preston

 
      07-07-2004, 10:21 AM
Alan Connor wrote:
> On Tue, 06 Jul 2004 22:07:25 -0400, Lew Pitcher <(E-Mail Removed)> wrote:
>
>[snip]
>
> Any troll could forge your PGP sig well enough to fool us.
>
> So what's the point?
>

There is lots of point in using PGP (or GNU versions) for all sorts of
reasons. It can be used to sign binding contracts within the EU. It can
be useful for tracing email and for identifying sources. And here on
Usenet... ok, you got me there. Why would anyone want to use it here?
 
Fabricio Greco

 
      07-07-2004, 12:52 PM
Michael Heiming <michael+(E-Mail Removed)> wrote in message news:<j5orr1-(E-Mail Removed)>...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> NotDashEscaped: You need GnuPG to verify this message
>
> In comp.os.linux.networking Fabricio Greco <(E-Mail Removed)> suggested:
> > Hello Guys,
> > I am a user of Squid2.2 and I have set it up to work with the ncsa
> > authentication schema. Now I would like to change it, I don't want the
> > user to type a login and password to access the internet, I want to
> > validate the user through the login that he or she is using on the
> > Windows and Unix systems. At my company we have a mixed environment
> > with UNIX-Solaris and PC-W2k systems.
> > I don't want the user to spend his or her time trying to store another
> > login/password.

>
> Sounds like FAQ, "23.5 How do I use the Winbind authenticators?"
>
> http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5
>
> --
> Michael Heiming (GPG-Key ID: 0xEDD27B94)
> mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
>
> iD8DBQFA6zGRAkPEju3Se5QRAqLUAJ0RZWqH97OTZaBXF9CKCI EWGoO9hACgzt5m
> gZLivWILKPPqG0tfHmAINgI=
> =sizG
> -----END PGP SIGNATURE-----



Michael,
In this case I need an authentication schema. What I want is that
squid discovers the user who is logged in on the PC or UNIX and gives
him permission to access the internet. I am not sure if the identd
daemon works fine for Windows and Unix. So, in this case, it is not
necessary to check passwords.

Regards
 
SINNER

 
      07-07-2004, 01:00 PM
["Followup-To:" header set to alt.os.linux.]
* Mark Preston wrote in alt.os.linux:
> Alan Connor wrote:
>> On Tue, 06 Jul 2004 22:07:25 -0400, Lew Pitcher <(E-Mail Removed)> wrote:


>>[snip]


>> Any troll could forge your PGP sig well enough to fool us.


>> So what's the point?


> There is lots of point in using PGP (or GNU versions) for all sorts of
> reasons. It can be used to sign binding contracts within the EU. It can
> be useful for tracing email and for identifying sources. And here on
> Usenet... ok, you got me there. Why would anyone want to use it here?


Please, don't get him started. Add him to your killfile now, you won't be
sorry. If he is too stupid to make slrn hide the PGP stuff as to not
'annoy' him then he deserves to be annoyed.
--
David | AGM Favorites - http://tinyurl.com/loec
Meekness: Uncommon patience in planning a revenge that is worth while.
-- Ambrose Bierce
 
Michael Heiming

 
      07-07-2004, 02:23 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

In comp.os.linux.networking Fabricio Greco <(E-Mail Removed)> suggested:
> Michael Heiming <michael+(E-Mail Removed)> wrote in message news:<j5orr1-(E-Mail Removed)>...
>> In comp.os.linux.networking Fabricio Greco <(E-Mail Removed)> suggested:

[..]
>> > I am a user of Squid2.2 and I have set it up to work with the ncsa
>> > authentication schema. Now I would like to change it, I don't want the
>> > user to type a login and password to access the internet, I want to
>> > validate the user through the login that he or she is using on the
>> > Windows and Unix systems. At my company we have a mixed environment
>> > with UNIX-Solaris and PC-W2k systems.

[..]
>> Sounds like FAQ, "23.5 How do I use the Winbind authenticators?"
>>
>> http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5

[..]

> In this case I need an authentication schema. What I want is that
> squid discovers the user who is logged in on the PC or UNIX and gives
> him permission to access the internet. I am not sure if the identd
> daemon works fine for Windows and Unix. So, in this case, it is not
> necessary to check passwords.


It shouldn't once the user has authenticated against a PDC or
alike. Unsure what you really want or if you understand the given
URL?

--
Michael Heiming (GPG-Key ID: 0xEDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFA7AdQAkPEju3Se5QRAqz0AJ9tEkNOL2qmigvVZPuxny zZawD5ZwCfQofw
fvcT15O8ZlJt9Cq/Th7eXJI=
=SUCU
-----END PGP SIGNATURE-----
 
Skylar Thompson

 
      07-07-2004, 03:59 PM
On 6 Jul 2004 12:13:58 -0700, Fabricio Greco <(E-Mail Removed)> wrote:
> Hello Guys,
> I am a user of Squid2.2 and I have set it up to work with the ncsa
> authentication schema. Now I would like to change it, I don't want the
> user to type a login and password to access the internet, I want to
> validate the user through the login that he or she is using on the
> Windows and Unix systems. At my company we have a mixed environment
> with UNIX-Solaris and PC-W2k systems.
> I don't want the user to spend his or her time trying to store another
> login/password.
> I was trying to set up the acl ident in squid, but I was not
> successful.
> Please, can anyone give me any idea how to set it up?


We use a Python script that queries our IMAP server to get its
authentication info. Works great for us.

Here are the entries in our squid.conf for authentication:

===

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic program /usr/local/bin/squidauth.py

===

And here's the script we use:

===

#!/usr/bin/env python

from imaplib import IMAP4
import sys


#IMAP server against which we authenticate
server="imap.cs.earlham.edu"
#Port number for IMAP server. Usually 143
port=143


#Below here you shouldn't need to edit anything

while 1:

    #Read user and password from stdin, remove the newline, split at the
    #first space and assign to the user and password variables

    line=sys.stdin.readline()

    #An empty read means Squid closed the pipe, so exit instead of looping
    if not line:
        break

    try:
        [user,password]=line.rstrip('\n').split(' ',1)
    except ValueError:
        #Malformed line (no space in it): deny rather than crash the helper
        sys.stdout.write("ERR\n")
        sys.stdout.flush()
        continue

    #Connect to the IMAP server and try to authenticate.
    #If either step doesn't work, it throws an exception

    try:
        p=IMAP4(server,port)
        p.login(user,password)
    except Exception:

        #If it threw an exception, log in cache.log the auth booboo
        sys.stderr.write("ERR authenticating %s\n"%user)
        #Then deny access
        sys.stdout.write("ERR\n")
        #IMPORTANT!!!!!!!!!!!! Flush stdout
        sys.stdout.flush()
        continue

    #If it didn't throw exceptions, that means it authenticated

    #Close the IMAP session so connections do not pile up on the server
    p.logout()

    #Log success to cache.log
    sys.stderr.write("OK authenticated %s\n"%user)
    #Then allow access
    sys.stdout.write("OK\n")
    sys.stdout.flush()

===

You'll just have to change the IMAP server to your own IMAP server, and
you're good to go.

--
-- Skylar Thompson ((E-Mail Removed))
-- http://www.cs.earlham.edu/~skylar/
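
Added example (not part of Skylar Thompson's post or of Squid): the same "username password" in, OK/ERR out helper loop, with the parsing edge cases handled and the backend login moved to IMAPS. It assumes Squid's basic helper protocol with both fields URL-encoded and no extra fields configured; `imap.example.org`, `parse_request`, `imap_check`, `answer` and `serve` are hypothetical names.

```python
"""Squid basic-auth helper with defensive parsing (added example)."""
import imaplib
import ssl
import sys
from urllib.parse import unquote

IMAP_HOST = "imap.example.org"  # assumption: placeholder hostname
IMAP_PORT = 993                 # IMAPS: the password crosses the network under TLS

def parse_request(line):
    """Return (user, password) from one helper line, or None if malformed."""
    user, sep, password = line.rstrip("\r\n").partition(" ")
    if not sep:
        return None                       # no space: not "user password"
    user, password = unquote(user), unquote(password)  # fields arrive URL-encoded
    # Decoding can reintroduce control characters (%0D%0A); refuse them.
    if not user or not password or any(ord(c) < 32 for c in user + password):
        return None
    return user, password

def imap_check(user, password):
    """Assumed backend: True when an IMAPS login succeeds."""
    try:
        conn = imaplib.IMAP4_SSL(IMAP_HOST, IMAP_PORT,
                                 ssl_context=ssl.create_default_context())
        try:
            conn.login(user, password)
            return True
        finally:
            conn.logout()
    except (imaplib.IMAP4.error, OSError):
        return False                      # bad login or server unreachable: deny

def answer(line, check=imap_check):
    """Map one request line to the reply Squid expects: 'OK' or 'ERR'."""
    creds = parse_request(line)
    return "OK" if creds and check(*creds) else "ERR"

def serve(stdin=sys.stdin, stdout=sys.stdout, check=imap_check):
    for line in stdin:                    # ends cleanly at EOF (Squid closed the pipe)
        stdout.write(answer(line, check) + "\n")
        stdout.flush()                    # Squid blocks on each reply

if __name__ == "__main__":
    serve()
```

Passing a stub as `check` lets the parsing and reply logic be exercised without an IMAP server.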
 