------------------------------------------------------------ revno: 13709 revision-id: squid3@treenet.co.nz-20150102034356-275plkr9fc6p56yp parent: squid3@treenet.co.nz-20150102024326-bmewh45qmtn9g05f author: Francesco Chemolli committer: Amos Jeffries branch nick: 3.5 timestamp: Thu 2015-01-01 19:43:56 -0800 message: basic_smb_lm_auth: Simplified MSNT basic auth helper ------------------------------------------------------------ # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: squid3@treenet.co.nz-20150102034356-275plkr9fc6p56yp # target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 # testament_sha1: a715edb84002edd31e559d4a866b2002eca0c335 # timestamp: 2015-01-02 03:50:52 +0000 # source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 # base_revision_id: squid3@treenet.co.nz-20150102024326-\ # bmewh45qmtn9g05f # # Begin patch === modified file 'CREDITS' --- CREDITS 2014-09-19 17:52:22 +0000 +++ CREDITS 2015-01-02 03:43:56 +0000 @@ -687,29 +687,6 @@ ============================================================================== -helpers/basic_auth/MSNT/: - - * (C) 2000 Antonino Iannella, Stellar-X Pty Ltd - * Released under GPL, see COPYING-2.0 for details. - - * Released under GNU Public License - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - -============================================================================== - helpers/basic_auth/NCSA/basic_ncsa_auth.8: This file is distributed in the hope that it will be useful, @@ -956,6 +933,29 @@ ============================================================================== +helpers/basic_auth/SMB_LM/: + + * (C) 2000 Antonino Iannella, Stellar-X Pty Ltd + * Released under GPL, see COPYING-2.0 for details. + + * Released under GNU Public License + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +============================================================================== + helpers/basic_auth/SSPI/: Guido Serassio, Torino - Italy === modified file 'configure.ac' --- configure.ac 2014-12-29 01:27:04 +0000 +++ configure.ac 2015-01-02 03:43:56 +0000 @@ -3820,7 +3820,6 @@ helpers/basic_auth/fake/Makefile helpers/basic_auth/getpwnam/Makefile helpers/basic_auth/LDAP/Makefile - helpers/basic_auth/MSNT/Makefile helpers/basic_auth/MSNT-multi-domain/Makefile helpers/basic_auth/NCSA/Makefile helpers/basic_auth/NIS/Makefile @@ -3829,6 +3828,7 @@ helpers/basic_auth/RADIUS/Makefile helpers/basic_auth/SASL/Makefile helpers/basic_auth/SMB/Makefile + helpers/basic_auth/SMB_LM/Makefile helpers/basic_auth/SSPI/Makefile helpers/digest_auth/Makefile helpers/digest_auth/eDirectory/Makefile === modified file 'doc/release-notes/release-3.5.sgml' --- doc/release-notes/release-3.5.sgml 2014-12-21 05:11:11 +0000 +++ doc/release-notes/release-3.5.sgml 2015-01-02 03:43:56 +0000 @@ -64,6 +64,7 @@ Helper support for concurrency channels Native FTP Relay Receive PROXY protocol, Versions 1 & 2 + Basic authentication MSNT helper changes Most user-facing changes are reflected in squid.conf (see below). @@ -271,6 +272,23 @@ Use of require-proxy-header on https_port and ftp_port is not supported. +Basic authentication MSNT helper changes + +

The authentication helper previously known as basic_msnt_auth has + been deprecated and renamed to basic_smb_lm_auth to reflect that + it only performs SMB LanMan protocol(s) instead of modern MS authentication + protocols. + +

The basic_smb_lm_auth helper has been remodelled and no longer uses + configuration files. The Doman Controller servers are now configured via + command line parameters and user credentials are looked up in each DC in the + order configured until one matches or all have confirmed a non-match. + +

The MSNT-multi-domain helper provides the same functionality and + is also deprecated. It will be removed in the Squid-3.6 series. + + + Changes to squid.conf since Squid-3.4

There have been changes to Squid's configuration file since Squid-3.4. === removed file 'helpers/basic_auth/MSNT/allowusers.cc' --- helpers/basic_auth/MSNT/allowusers.cc 2014-12-20 18:14:00 +0000 +++ helpers/basic_auth/MSNT/allowusers.cc 1970-01-01 00:00:00 +0000 @@ -1,59 +0,0 @@ -/* - * Copyright (C) 1996-2014 The Squid Software Foundation and contributors - * - * Squid software is distributed under GPLv2+ license and includes - * contributions from numerous individuals and organizations. - * Please see the COPYING and CONTRIBUTORS files for details. - */ - -/* - * allowusers.c - * (C) 2000 Antonino Iannella, Stellar-X Pty Ltd - * Released under GPL, see COPYING-2.0 for details. - * - * These routines are to allow users attempting to use the proxy which - * have been explicitly allowed by the system administrator. - * The code originated from denyusers.c. - */ - -#include "squid.h" -#include "msntauth.h" -#include "usersfile.h" - -#include -#include -#include -#include -#include - -static usersfile AllowUsers; -static int init = 0; - -/* shared */ -char Allowuserpath[MAXPATHLEN]; /* MAXPATHLEN defined in param.h */ - -int -Read_allowusers(void) -{ - if (!init) { - memset(&AllowUsers, '\0', sizeof(AllowUsers)); - init = 1; - } - if (*Allowuserpath) - return Read_usersfile(Allowuserpath, &AllowUsers); - else - return 0; -} - -int -Check_ifuserallowed(char *ConnectingUser) -{ - return Check_userlist(&AllowUsers, ConnectingUser); -} - -void -Check_forallowchange(void) -{ - Check_forfilechange(&AllowUsers); -} - === removed file 'helpers/basic_auth/MSNT/confload.cc' --- helpers/basic_auth/MSNT/confload.cc 2014-12-20 18:14:00 +0000 +++ helpers/basic_auth/MSNT/confload.cc 1970-01-01 00:00:00 +0000 @@ -1,274 +0,0 @@ -/* - * Copyright (C) 1996-2014 The Squid Software Foundation and contributors - * - * Squid software is distributed under GPLv2+ license and includes - * contributions from numerous individuals and organizations. - * Please see the COPYING and CONTRIBUTORS files for details. - */ - -/* - * confload.c - * (C) 2000 Antonino Iannella, Stellar-X Pty Ltd - * Released under GPL, see COPYING-2.0 for details. - * - * These routines load the msntauth configuration file. - * It stores the servers to query, sets the denied and - * allowed user files, and provides the - * authenticating function. - */ - -/* Squid provides a number of portability overrides */ -#include "squid.h" - -#include -#include -#include -#include -#include -#include -#include - -#include "msntauth.h" -#include "valid.h" - -/* Path to configuration file */ -#ifndef SYSCONFDIR -#define SYSCONFDIR "/usr/local/squid/etc" -#endif -#define CONFIGFILE SYSCONFDIR "/msntauth.conf" - -/* Maximum number of servers to query. This number can be increased. */ -#define MAXSERVERS 5 -#define NTHOSTLEN 65 - -extern char Denyuserpath[MAXPATHLEN]; /* MAXPATHLEN defined in param.h */ -extern char Allowuserpath[MAXPATHLEN]; - -typedef struct _ServerTuple { - char pdc[NTHOSTLEN]; - char bdc[NTHOSTLEN]; - char domain[NTHOSTLEN]; -} ServerTuple; - -ServerTuple ServerArray[MAXSERVERS]; /* Array of servers to query */ -int Serversqueried = 0; /* Number of servers queried */ - -/* Declarations */ - -static void ProcessLine(char *); -static void AddServer(char *, char *, char *); -static int QueryServerForUser(int, char *, char *); - -/* - * Opens and reads the configuration file. - * Returns 0 on success, or 1 for error. - */ - -int -OpenConfigFile(void) -{ - FILE *ConfigFile; - char Confbuf[2049]; /* Line reading buffer */ - - /* Initialise defaults */ - - Serversqueried = 0; - memset(ServerArray, '\0', sizeof(ServerArray)); - memset(Denyuserpath, '\0', MAXPATHLEN); - memset(Allowuserpath, '\0', MAXPATHLEN); - - /* Open file */ - if ((ConfigFile = fopen(CONFIGFILE, "r")) == NULL) { - syslog(LOG_ERR, "OpenConfigFile: Failed to open %s.", CONFIGFILE); - syslog(LOG_ERR, "%s", strerror(errno)); - return 1; - } - /* Read in, one line at a time */ - while (!feof(ConfigFile)) { - Confbuf[0] = '\0'; - if (NULL == fgets(Confbuf, 2048, ConfigFile)) - break; - Confbuf[2048] = '\0'; - ProcessLine(Confbuf); - } - fclose(ConfigFile); - - /* - * Check that at least one server is being queried. Report error if not. - * Denied and allowed user files are hardcoded, so it's fine if they're - * not set in the confugration file. - */ - if (Serversqueried == 0) { - syslog(LOG_ERR, "OpenConfigFile: No servers set in %s. At least one is needed.", CONFIGFILE); - return 1; - } - return 0; -} - -/* Parses a configuration file line. */ - -static void -ProcessLine(char *Linebuf) -{ - char *Directive; - char *Param1; - char *Param2; - char *Param3; - - /* Ignore empty lines */ - if (strlen(Linebuf) == 0) - return; - - /* Break up on whitespaces */ - if ((Directive = strtok(Linebuf, " \t\n")) == NULL) - return; - - /* Check for a comment line. If found, stop . */ - if (Directive[0] == '#') - return; - - /* Check for server line. Check for 3 parameters. */ - if (strcmp(Directive, "server") == 0) { - Param1 = strtok(NULL, " \t\n"); - if (NULL == Param1) { - syslog(LOG_ERR, "ProcessLine: 'server' missing PDC parameter."); - return; - } - Param2 = strtok(NULL, " \t\n"); - if (NULL == Param2) { - syslog(LOG_ERR, "ProcessLine: 'server' missing BDC parameter."); - return; - } - Param3 = strtok(NULL, " \t\n"); - if (NULL == Param3) { - syslog(LOG_ERR, "ProcessLine: 'server' missing domain parameter."); - return; - } - AddServer(Param1, Param2, Param3); - return; - } - /* Check for denyusers line */ - if (strcmp(Directive, "denyusers") == 0) { - Param1 = strtok(NULL, " \t\n"); - - if (NULL == Param1) { - syslog(LOG_ERR, "ProcessLine: A 'denyusers' line needs a filename parameter."); - return; - } - memset(Denyuserpath, '\0', MAXPATHLEN); - strncpy(Denyuserpath, Param1, MAXPATHLEN - 1); - return; - } - /* Check for allowusers line */ - if (strcmp(Directive, "allowusers") == 0) { - Param1 = strtok(NULL, " \t\n"); - - if (NULL == Param1) { - syslog(LOG_ERR, "ProcessLine: An 'allowusers' line needs a filename parameter."); - return; - } - memset(Allowuserpath, '\0', MAXPATHLEN); - strncpy(Allowuserpath, Param1, MAXPATHLEN - 1); - return; - } - /* Reports error for unknown line */ - syslog(LOG_ERR, "ProcessLine: Ignoring '%s' line.", Directive); -} - -/* - * Adds a server to query to the server array. - * Checks if the server IP is resolvable. - * Checks if the number of servers to query is not exceeded. - * Does not allow parameters longer than NTHOSTLEN. - */ - -void -AddServer(char *ParamPDC, char *ParamBDC, char *ParamDomain) -{ - if (Serversqueried == MAXSERVERS) { - syslog(LOG_ERR, "AddServer: Ignoring '%s' server line; " - "too many servers.", ParamPDC); - return; - } - if (gethostbyname(ParamPDC) == NULL) { - syslog(LOG_ERR, "AddServer: Ignoring host '%s'. " - "Cannot resolve its address.", ParamPDC); - return; - } - if (gethostbyname(ParamBDC) == NULL) { - syslog(LOG_USER | LOG_ERR, "AddServer: Ignoring host '%s'. " - "Cannot resolve its address.", ParamBDC); - return; - } - /* NOTE: ServerArray is zeroed in OpenConfigFile() */ - assert(Serversqueried < MAXSERVERS); - strncpy(ServerArray[Serversqueried].pdc, ParamPDC, NTHOSTLEN - 1); - strncpy(ServerArray[Serversqueried].bdc, ParamBDC, NTHOSTLEN - 1); - strncpy(ServerArray[Serversqueried].domain, ParamDomain, NTHOSTLEN - 1); - ++Serversqueried; -} - -/* - * Cycles through all servers to query. - * Returns 0 if one server could authenticate the user. - * Returns 1 if no server authenticated the user. - */ - -int -QueryServers(char *username, char *password) -{ - int i; - for (i = 0; i < Serversqueried; ++i) { - if (0 == QueryServerForUser(i, username, password)) - return 0; - } - return 1; -} - -/* - * Attempts to authenticate the user with one server. - * Logs syslog messages for different errors. - * Returns 0 on success, non-zero on failure. - */ - -/* Define for systems which don't support it, like Solaris */ -#ifndef LOG_AUTHPRIV -#define LOG_AUTHPRIV LOG_AUTH -#endif - -static int -QueryServerForUser(int x, char *username, char *password) -{ - int result = 1; - - result = Valid_User(username, password, ServerArray[x].pdc, - ServerArray[x].bdc, ServerArray[x].domain); - - switch (result) { /* Write any helpful syslog messages */ - case 0: - break; - case 1: - syslog(LOG_AUTHPRIV | LOG_INFO, "Server error when checking %s.", - username); - break; - case 2: - syslog(LOG_AUTHPRIV | LOG_INFO, "Protocol error when checking %s.", - username); - break; - case 3: - syslog(LOG_AUTHPRIV | LOG_INFO, "Authentication failed for %s.", - username); - break; - } - - return result; -} - -/* Valid_User return codes - - * - * 0 - User authenticated successfully. - * 1 - Server error. - * 2 - Protocol error. - * 3 - Logon error; Incorrect password or username given. - */ - === removed file 'helpers/basic_auth/MSNT/denyusers.cc' --- helpers/basic_auth/MSNT/denyusers.cc 2014-12-20 18:14:00 +0000 +++ helpers/basic_auth/MSNT/denyusers.cc 1970-01-01 00:00:00 +0000 @@ -1,127 +0,0 @@ -/* - * Copyright (C) 1996-2014 The Squid Software Foundation and contributors - * - * Squid software is distributed under GPLv2+ license and includes - * contributions from numerous individuals and organizations. - * Please see the COPYING and CONTRIBUTORS files for details. - */ - -/* - * denyusers.c - * (C) 2000 Antonino Iannella, Stellar-X Pty Ltd - * Released under GPL, see COPYING-2.0 for details. - * - * These routines are to block users attempting to use the proxy which - * have been explicitly denied by the system administrator. - * Routines at the bottom also use the allowed user functions. - */ - -#include "squid.h" -#include "msntauth.h" -#include "usersfile.h" - -#include -#include -#include -#include -#include -#include - -static usersfile DenyUsers; -static int init = 0; - -/* shared */ -char Denyuserpath[MAXPATHLEN]; /* MAXPATHLEN defined in param.h */ - -int -Read_denyusers(void) -{ - if (!init) { - memset(&DenyUsers, '\0', sizeof(DenyUsers)); - init = 1; - } - if (*Denyuserpath) - return Read_usersfile(Denyuserpath, &DenyUsers); - else - return 0; -} - -static void -Check_fordenychange(void) -{ - Check_forfilechange(&DenyUsers); -} - -/* - * Check to see if the username provided by Squid appears in the denied - * user list. Returns 0 if the user was not found, and 1 if they were. - */ - -static int -Check_ifuserdenied(char *ConnectingUser) -{ - /* If user string is empty, deny */ - if (ConnectingUser[0] == '\0') - return 1; - - /* If denied user list is empty, allow */ - if (DenyUsers.Inuse == 0) - return 0; - - return Check_userlist(&DenyUsers, ConnectingUser); -} - -/* - * Decides if a user is denied or allowed. - * If they have been denied, or not allowed, return 1. - * Else return 0. - */ - -int -Check_user(char *ConnectingUser) -{ - if (Check_ifuserdenied(ConnectingUser) == 1) - return 1; - - if (Check_ifuserallowed(ConnectingUser) == 0) - return 1; - - return 0; -} - -/* - * Checks the denied and allowed user files for change. - * This function is invoked when a SIGHUP signal is received. - * It is also run after every 60 seconds, at the next request. - */ - -void -Check_forchange(int signal) -{ - Check_fordenychange(); - Check_forallowchange(); -} - -/* - * Checks the timer. If longer than 1 minute has passed since the last - * time someone has accessed the proxy, then check for changes in the - * denied user file. If longer than one minute hasn't passed, return. - */ - -void -Checktimer() -{ - static time_t Lasttime; /* The last time the timer was checked */ - static time_t Currenttime; /* The current time */ - - Currenttime = time(NULL); - - /* If timeout has expired, check the denied user file, else return */ - if (difftime(Currenttime, Lasttime) < 60) - return; - else { - Check_forchange(-1); - Lasttime = Currenttime; - } -} - === removed file 'helpers/basic_auth/MSNT/msntauth.conf.default' --- helpers/basic_auth/MSNT/msntauth.conf.default 2014-09-02 01:08:58 +0000 +++ helpers/basic_auth/MSNT/msntauth.conf.default 1970-01-01 00:00:00 +0000 @@ -1,19 +0,0 @@ -## Copyright (C) 1996-2014 The Squid Software Foundation and contributors -## -## Squid software is distributed under GPLv2+ license and includes -## contributions from numerous individuals and organizations. -## Please see the COPYING and CONTRIBUTORS files for details. -## - -# Sample MSNT authenticator configuration file -# Antonino Iannella, Stellar-X Pty Ltd -# Sun Sep 2 15:52:31 CST 2001 - -# NT hosts to use. Best to put their IP addresses in /etc/hosts. -server my_PDC my_BDC my_NTdomain -server other_PDC other_BDC otherdomain - -# Denied and allowed users. Comment these if not needed. -#denyusers /usr/local/squid/etc/msntauth.denyusers -#allowusers /usr/local/squid/etc/msntauth.allowusers - === removed file 'helpers/basic_auth/MSNT/usersfile.cc' --- helpers/basic_auth/MSNT/usersfile.cc 2014-12-20 18:14:00 +0000 +++ helpers/basic_auth/MSNT/usersfile.cc 1970-01-01 00:00:00 +0000 @@ -1,206 +0,0 @@ -/* - * Copyright (C) 1996-2014 The Squid Software Foundation and contributors - * - * Squid software is distributed under GPLv2+ license and includes - * contributions from numerous individuals and organizations. - * Please see the COPYING and CONTRIBUTORS files for details. - */ - -/* - * usersfile.c - * (C) 2000 Antonino Iannella, Stellar-X Pty Ltd - * Released under GPL, see COPYING-2.0 for details. - * - * These routines are to allow users attempting to use the proxy which - * have been explicitly allowed by the system administrator. - * The code originated from denyusers.c. - */ - -#include "squid.h" -#include "util.h" - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include "usersfile.h" - -#define NAMELEN 50 /* Maximum username length */ - -static int -name_cmp(const void *a, const void *b) -{ - const char * const *A = static_cast(a); - const char * const *B = static_cast(b); - return strcasecmp(*A, *B); -} - -static void -free_names(usersfile * uf) -{ - int i; - for (i = 0; i < uf->Inuse; ++i) { - if (uf->names[i]) - free(uf->names[i]); - uf->names[i] = NULL; - } - uf->Inuse = 0; -} - -/* - * Reads a file of usernames and stuffs them into an array - * of strings. - * Returns 0 if the user list was successfully loaded, - * and 1 in case of error. - */ - -int -Read_usersfile(const char *path, usersfile * uf) -{ - FILE *fp; - struct stat FileBuf; - char buf[1024]; - - free_names(uf); - - if (NULL == path) { - path = uf->path; - } else { - if (uf->path) - free(uf->path); - uf->path = xstrdup(path); - } - - /* Open the users file. Report any errors. */ - fp = fopen(path, "r"); - if (NULL == fp) { - uf->LMT = 0; - if (errno == ENOENT) - return 0; - syslog(LOG_ERR, "%s: %s", path, strerror(errno)); - return 1; - } - /* Stat the file. If it does not exist, save the size as zero. - * Clear the allowed user string. Return. */ - if (fstat(fileno(fp), &FileBuf) < 0) { - syslog(LOG_ERR, "%s: %s", path, strerror(errno)); - fclose(fp); - return 1; - } - /* If it exists, save the modification time and size */ - uf->LMT = FileBuf.st_mtime; - - /* Handle the special case of a zero length file */ - if (FileBuf.st_size == 0) { - fclose(fp); - return 0; - } - - /* - * Read the file into memory - * XXX assumes one username per input line - */ - while (fgets(buf, 1024, fp) != NULL) { - /* ensure no names longer than our limit */ - buf[NAMELEN] = '\0'; - /* skip bad input lines */ - if (NULL == strtok(buf, "\r\n")) - continue; - /* grow the list if necessary */ - if (0 == uf->Alloc) { - uf->Alloc = 256; - uf->names = static_cast(calloc(uf->Alloc, sizeof(*uf->names))); - } else if (uf->Inuse == uf->Alloc) { - uf->Alloc = uf->Alloc << 1; - uf->names = static_cast(realloc(uf->names, uf->Alloc * sizeof(*uf->names))); - /* zero out the newly allocated memory */ - memset(&uf->names[uf->Alloc >> 1], - '\0', - (uf->Alloc >> 1) * sizeof(*uf->names)); - } - uf->names[uf->Inuse] = xstrdup(buf); - ++uf->Inuse; - } - fclose(fp); - fp = NULL; - - /* sort the names for searching */ - qsort(uf->names, uf->Inuse, sizeof(*uf->names), name_cmp); - - return 0; -} - -/* - * Check to see if the username provided by Squid appears in the - * user list. Returns 0 if the user was not found, and 1 if they were. - */ - -int -Check_userlist(usersfile * uf, char *User) -{ - void *p; - - /* Empty users are always in the list */ - if (User[0] == '\0') - return 1; - - /* If allowed user list is empty, allow all users. - * If no users are supposed to be using the proxy, stop squid instead. */ - if (0 == uf->Inuse) - return 1; - - /* Check if username string is found in the allowed user list. - * If so, allow. If not, deny. Reconstruct the username - * to have whitespace, to avoid finding wrong string subsets. */ - - p = bsearch(&User, - uf->names, - uf->Inuse, - sizeof(*uf->names), - name_cmp); - if (NULL == p) { - return 0; - } - return 1; -} - -/* - * Checks if there has been a change in a users file. - * If the modification time has changed, then reload the user list. - */ -void -Check_forfilechange(usersfile * uf) -{ - struct stat ChkBuf; /* Stat data buffer */ - - /* Stat the allowed users file. If it cannot be accessed, return. */ - - if (uf->path == NULL) - return; - - if (stat(uf->path, &ChkBuf) < 0) { - if (errno == ENOENT) { - uf->LMT = 0; - free_names(uf); - } else { /* Report error when accessing file */ - syslog(LOG_ERR, "%s: %s", uf->path, strerror(errno)); - } - return; - } - /* return if no change */ - if (ChkBuf.st_mtime == uf->LMT) - return; - - /* - * The file changed, so re-read it. - */ - syslog(LOG_INFO, "Check_forfilechange: Reloading user list '%s'.", uf->path); - Read_usersfile(NULL, uf); -} - === removed file 'helpers/basic_auth/MSNT/usersfile.h' --- helpers/basic_auth/MSNT/usersfile.h 2014-12-20 18:14:00 +0000 +++ helpers/basic_auth/MSNT/usersfile.h 1970-01-01 00:00:00 +0000 @@ -1,20 +0,0 @@ -/* - * Copyright (C) 1996-2014 The Squid Software Foundation and contributors - * - * Squid software is distributed under GPLv2+ license and includes - * contributions from numerous individuals and organizations. - * Please see the COPYING and CONTRIBUTORS files for details. - */ - -typedef struct { - char *path; - char **names; - int Alloc; - int Inuse; - time_t LMT; -} usersfile; - -int Read_usersfile(const char *path, usersfile * uf); -int Check_userlist(usersfile * uf, char *User); -void Check_forfilechange(usersfile * uf); - === modified file 'helpers/basic_auth/Makefile.am' --- helpers/basic_auth/Makefile.am 2014-09-02 01:08:58 +0000 +++ helpers/basic_auth/Makefile.am 2015-01-02 03:43:56 +0000 @@ -11,7 +11,6 @@ fake \ getpwnam \ LDAP \ - MSNT \ MSNT-multi-domain \ NCSA \ NIS \ @@ -20,6 +19,7 @@ RADIUS \ SASL \ SMB \ + SMB_LM \ SSPI SUBDIRS = $(BASIC_AUTH_HELPERS) === renamed directory 'helpers/basic_auth/MSNT' => 'helpers/basic_auth/SMB_LM' === modified file 'helpers/basic_auth/SMB_LM/Makefile.am' --- helpers/basic_auth/MSNT/Makefile.am 2014-09-02 01:08:58 +0000 +++ helpers/basic_auth/SMB_LM/Makefile.am 2015-01-02 03:43:56 +0000 @@ -7,32 +7,19 @@ include $(top_srcdir)/src/Common.am -MSNTAUTH_CONF = $(sysconfdir)/msntauth.conf - -libexec_PROGRAMS = basic_msnt_auth - -basic_msnt_auth_SOURCES = \ - allowusers.cc \ - confload.cc \ - denyusers.cc \ +libexec_PROGRAMS = basic_smb_lm_auth + +basic_smb_lm_auth_SOURCES = \ msntauth.cc \ msntauth.h \ - usersfile.cc \ - usersfile.h \ valid.cc \ valid.h EXTRA_DIST = \ - msntauth.conf.default \ msntauth-v2.0.lsm \ README.html \ required.m4 -sysconf_DATA = \ - msntauth.conf.default - -CFLAGS += -DSYSCONFDIR=\"$(sysconfdir)\" -CXXFLAGS += -DSYSCONFDIR=\"$(sysconfdir)\" LDADD = \ $(top_builddir)/lib/smblib/libsmblib.la \ $(top_builddir)/lib/rfcnb/librfcnb.la \ @@ -42,17 +29,3 @@ ## we need our local files too (but avoid -I. at all costs) AM_CPPFLAGS += -I$(srcdir) -I$(top_srcdir)/lib - - -install-data-local: msntauth.conf.default - @if test -f $(DESTDIR)$(MSNTAUTH_CONF) ; then \ - echo "$@ will not overwrite existing $(DESTDIR)$(MSNTAUTH_CONF)" ; \ - else \ - echo "$(INSTALL_DATA) $(srcdir)/msntauth.conf.default $(DESTDIR)$(MSNTAUTH_CONF)" ; \ - $(INSTALL_DATA) $(srcdir)/msntauth.conf.default $(DESTDIR)$(MSNTAUTH_CONF) ; \ - fi - -uninstall-local: - @$(SHELL) $(top_srcdir)/scripts/remove-cfg.sh "$(RM)" $(DESTDIR)$(MSNTAUTH_CONF) - $(RM) -f $(DESTDIR)$(MSNTAUTH_CONF).default - === modified file 'helpers/basic_auth/SMB_LM/README.html' --- helpers/basic_auth/MSNT/README.html 2004-06-01 06:01:51 +0000 +++ helpers/basic_auth/SMB_LM/README.html 2015-01-02 03:43:56 +0000 @@ -10,10 +10,9 @@ -->

-MSNT Auth v2.0.3-squid.1
+MSNT Auth v3.0.0
Squid web proxy NT authentication module
Modified by the Squid HTTP Proxy team
-Wed Jun 26 21:16:32 CEST 2002
Original release by Antonino Iannella, Stellar-X Pty Ltd

@@ -22,15 +21,10 @@

Introduction

@@ -51,14 +45,15 @@ Msntauth is released under the GNU General Public License.

-Usage is simple. It accepts a username and password on standard input. -It will return OK if the username/password is valid for the domain, -or ERR if there was some problem. -Check syslog messages for reported problems. +basic_msnt_auth follows the standard Squid basic authentication helper protocol. +See http://wiki.squid-cache.org/Features/AddonHelpers#Basic_Scheme for details. +Problems are logged to syslog.

Msntauth works in environments with NT domain controllers on -Windows (TM) NT 4, 2000, and Samba. +Windows (TM) NT 4, 2000, and Samba. It only uses the ancient Lanman protocol, +the authenticating systems must be configured to accept it.

Installation

@@ -68,157 +63,26 @@ Refer to Squid documentation for details. If the build is suitable, you can skip this section. -

-Alternatively, a supplementary makefile is also provided for manual compiling. -Review Makefile.MSNT, and modify it based on the target platform or -site requirements. - -

-Make any necessary changes to the source code. - -

-Copy Makefile.MSNT to Makefile. -Type 'make', then 'make install', then 'make clean'. - -

-To avoid using the makefile, it may compile with - - gcc -O2 -s -o msntauth *.c - -

-'Make install' will put 'msntauth' into -/usr/local/squid/bin. - -

Issues when compiling

- -

-The Makefile uses your C compiler (usually GCC), assuming it's in your PATH. -Msntauth is known to compile properly on Linux, FreeBSD, and Solaris. - -

-When compiling under Solaris, link to the NSL and socket libraries. -In the Makefile, enable the alternative CFLAGS line for Solaris. -Ensure /usr/ccs/bin is in your PATH. -In Smbencrypt.c, '#include ' only gets included when -compiled with Solaris. - -

-For Digital Unix/Tru64, review the INSTALL line in the makefile. -The install-bsd command is used to place files in their target location. - -

Configuration file

- -

-Msntauth uses a configuration file, usually -/usr/local/squid/etc/msntauth.conf. -To change this, edit the following line in confload.c - - -

-  #define CONFIGFILE   "/usr/local/squid/etc/msntauth.conf"
-
- -

-An example configuration file is provided - - -

-# Sample MSNT authenticator configuration file
-# Antonino Iannella, Stellar-X Pty Ltd
-# Tue Aug 26 17:26:59 GMT+9 2003
-
-# NT domain hosts. Best to put the hostnames in /etc/hosts.
-server myPDC           myBDC          myNTdomain
-server otherPDC        otherBDC       otherdomain
-
-# Denied and allowed users. Comment these if not needed.
-denyusers       /usr/local/squid/etc/denyusers
-allowusers      /usr/local/squid/etc/allowusers
-
- -

-All comments start with '#'. - -

-NT servers are used to query user accounts. The 'server' lines -are used for this, with the PDC, BDC, and NT domain as parameters. -Up to 5 servers/domains can be queried. If this is not enough, -modify the MAXSERVERS define in confload.c. -At least one server must be specified, or msntauth will not start. -Server names must be resolvable by the system. If not, msntauth -reports an error. If you can't ping it, you might have a host -resolution problem. - -

-The name you specify is used in the NetBIOS protocol when -communicating with the target server. -The name must be resolvable by the local system, and it must be a -name that the target server uses. -You cannot simply invent a hostname. -You cannot use it IP address. - -

-When a user provides a username/password, each of these -servers will be queried to authenticate the username. -It stops after a user has been successfully authenticated, -so it makes sense to specify the most commonly queried -server first. Make sure the servers can be reached and -are active, or else msntauth will report failures. - -

-The 'denyusers' and 'allowusers' lines give the absolute path -to files of user accounts. They can be used to deny or allow -access to the proxy. Remove these directives if you -do not need these features. - -

Denying users

- -

-Users who are not allowed to access the web proxy can be added to -the denied user list. This list is read around every minute, or when -the msntauth process receives a SIGHUP signal. - -

-The denied user file is set using the 'denyusers' directive -in msntauth.conf. The denied user file -contains a list of usernames, one per line. -If the file does not exist, no users are denied. -The file must be readable by the web proxy user. - -

-Msntauth will send syslog messages if a user was denied, -at LOG_USER facility. Check your syslog messages for clues. - -

Allowing users

- -

-Similar to denying users, you can allow users to access the proxy -by username. This is useful if only a number of people are -allowed to use a proxy. - -

-The allowed user file is set using the 'allowusers' directive -in msntauth.conf. -If the file does not exist or if empty, all users are allowed. - -

-You could make use of the SHOWMBRS tool in Microsoft Technet. -This gives you a list of users which are in a particular -NT Domain Group. This list can be made into the allowed users -file using sed or awk. - -

-Some other rules - - -

    -
  1. The operation of the denied user file is independent of the -allowed user file. The former file is checked first. -
  2. You can use none, one, or both files. -
  3. If a username appears in the denied user file, they will -be denied, even if they are in the allowed user file. -
  4. If a username is not in either file, they will be denied, -because they have not been allowed. -
  5. If the allowed user file is in use and is empty, all -users will be allowed. -
+

Configuration

+ +

+As of version 3.0.0, a configuration file is no longer needed. +The specification of the domains and domain controllers to use is +passed as a list of arguments on the command line. + +The syntax is: +

+basic_msnt_auth domain1/domaincontroller1 [domain2/domaincontroller2 ...]
+
+An arbitrary number of domain controllers can be specified, for any number of daomains. +Domain controllers will be attempted in the same order they are configured, until +any of them successfully authenticates the user passed by squid. If all domain +controllers fail to authenticate the user, then access is denied. +Domain controllers can be specified by their NetBios name. + +

+WARNING! this means that a wrong password will be attempted a number of times. +Watch out for domain lock-out policies!

Squid.conf changes

@@ -240,22 +104,18 @@ The number of children needed is site-dependent, so some experimentation may be required to find the best number. There should be no visible delay in performance with Squid once -msntauth is in use. As an example, a firm with 1500 users and a T1 -internet connection required a value of 30. +msntauth is in use. -
-  proxy_auth_realm enterprise web gateway
-  authenticate_program /usr/local/squid/bin/msntauth
-  authenticate_ttl 5
-  authenticate_children 20
-
+Please see http://www.squid-cache.org/Doc/config/auth_param/ or your squid.conf.default +file to check how to configure squid to make use of this helper.

Testing

I strongly urge that Msntauth is tested prior to being used in a production environment. It may behave differently on different platforms. -To test it, run it from the command line. Enter username and password +To test it, run it from the command line, and enter username and password pairs separated by a space.

@@ -279,72 +139,13 @@ function in msntauth.c. Inform the Squid maintainers of any problems.

-Usernames cannot have whitespace in them, but passwords can. - -

-As of version 2.0.3, the msntauth version can be found in the executable. -Type this to retrieve it - - -

-  strings msntauth | grep -i msntauth
-
+Usernames and passwords are expected to be URL-encoded (see RFC 1738 for details)

Support details

Refer to the Squid website at http://www.squid-cache.org. -Submit problems or fixes using their Bugzilla facility. - -

Unknown username issue

- -

-For an unknown username, Msntauth returns OK. -This is because the PDC returns guest access for unknown users, -even if guest access is disabled. -This problem was reported by Mr Vadim Popov (vap@iilsr.minsk.by). - -

-The tested environment consisted of PDC on Windows NT 4, SP 6. -Squid 2.3 and Msntauth was tested on SuSe, RedHat, and Debian Linux. -A fix was provided in case you have this problem. -Apply the provided patch before compiling, using - -

-  patch smblib.c < smblib.c.patch
-
- -

Revision history

- -

-The following sequence of changes have been made to improve msntauth. - -

    -
  • Added many patches from Duane Wessels to stop compilation errors -
  • Improved the main() function yet again -
  • Created a more informative Makefile -
  • Added an 'allowed users' feature to complement the 'denied users' feature -
  • Stopped the use of alarm() which was causing problems under Solaris -
  • Added more syslog messages for authentication problems -
  • Added the use of a configuration file, instead of hard-coding NT server details -
  • Allowed for querying multiple NT servers and domains (this was a hot issue) -
  • Changed README into an HTML document to improve readability -
  • Removed denied/allowed username substring search limitation -
  • Fixed a bug which occurred when reading denied/allowed usernames -
  • Allows whitespace in passwords -
  • To check user list changes, doesn't use an alarm every minute. -
  • Fixed a sigaction compilation error, causing problems on FreeBSD and HPUX -
  • Removed a problem of finding a valid username as a substring in the denied user list. -
  • Support email address change from antonino@usa.net to antonino@rager.com.au. -
  • Msntauth was successfully tested on Tru64. -
  • PDC and BDC hostnames are now checked if they are resolvable. -
  • Smbencrypt.c does not have to be checked for Solaris systems any more. -
  • Imbedded version information in the executable. -
  • Version 2.0.3 and later now supported by the Squid team. -
- -

-A future improvement may be to cache accepted usernames and passwords, -to reduce network authentication traffic, and improve the Squid response time. +You can submit problems or fixes using the Squid project's Bugzilla database. === modified file 'helpers/basic_auth/SMB_LM/msntauth.cc' --- helpers/basic_auth/MSNT/msntauth.cc 2014-12-20 18:14:00 +0000 +++ helpers/basic_auth/SMB_LM/msntauth.cc 2015-01-02 03:43:56 +0000 @@ -43,18 +43,45 @@ #include #include +#include +#include +#include //todo: turn into multimap #include #include "msntauth.h" - -extern char version[]; -char msntauth_version[] = "Msntauth v2.0.3 (C) 2 Sep 2001 Stellar-X Antonino Iannella.\nModified by the Squid HTTP Proxy team 26 Jun 2002"; - -/* Main program for simple authentication. - * Reads the denied user file. Sets alarm timer. - * Scans and checks for Squid input, and attempts to validate the user. - */ - +#include "valid.h" + +static char msntauth_version[] = "Msntauth v3.0.0 (C) 2 Sep 2001 Stellar-X Antonino Iannella.\nModified by the Squid HTTP Proxy team 2002-2014"; + +struct domaincontroller { + std::string domain; + std::string server; +}; +typedef std::vector domaincontrollers_t; +domaincontrollers_t domaincontrollers; + +bool +validate_user(char *username, char *password) +{ + for (domaincontrollers_t::iterator dc = domaincontrollers.begin(); dc != domaincontrollers.end(); ++dc) { + //std::cerr << "testing against " << dc->server << std::endl; + const int rv = Valid_User(username, password, dc->server.c_str(), NULL, dc->domain.c_str()); + //std::cerr << "check result: " << rv << std::endl; + if (rv == NTV_NO_ERROR) + return true; + } + return false; +} + +static char instructions[] = "Usage instructions: basic_nsnt_auth / [/ ...]"; +void +display_usage_instructions() +{ + using std::endl; + std::cerr << msntauth_version << endl << instructions << endl << endl; +} + +// arguments: domain/server_name [domain/server_name ...] int main(int argc, char **argv) { @@ -63,36 +90,31 @@ char wstr[256]; int err = 0; - openlog("msnt_auth", LOG_PID, LOG_USER); + openlog("basic_smb_lm_auth", LOG_PID, LOG_USER); setbuf(stdout, NULL); - /* Read configuration file. Abort wildly if error. */ - if (OpenConfigFile() == 1) - return 1; - - /* - * Read denied and allowed user files. - * If they fails, there is a serious problem. - * Check syslog messages. Deny all users while in this state. - * The msntauth process should then be killed. - */ - if ((Read_denyusers() == 1) || (Read_allowusers() == 1)) { - while (1) { - memset(wstr, '\0', sizeof(wstr)); - if (fgets(wstr, 255, stdin) == NULL) - break; - puts("ERR"); - } - return 1; - } - - /* - * Make Check_forchange() the handle for HUP signals. - * Don't use alarms any more. I don't think it was very - * portable between systems. - * XXX this should be sigaction() - */ - signal(SIGHUP, Check_forchange); + for (int j = 1; j < argc; ++j) { + std::string arg = argv[j]; + size_t pos=arg.find('/'); + if (arg.find('/',pos+1) != std::string::npos) { + std::cerr << "Error: can't understand domain controller specification '" + << arg << "'. Ignoring" << std::endl; + } + domaincontroller dc; + dc.domain = arg.substr(0,pos); + dc.server = arg.substr(pos+1); + if (dc.domain.length() == 0 || dc.server.length() == 0) { + std::cerr << "Error: invalid domain specification in '" << arg << + "'. Ignoring." << std::endl; + exit(1); + } + domaincontrollers.push_back(dc); + } + if (domaincontrollers.empty()) { + display_usage_instructions(); + std::cerr << "Error: no domain controllers specified" << std::endl; + exit(1); + } while (1) { int n; @@ -114,7 +136,6 @@ /* * extract username and password. - * XXX is sscanf() safe? */ username[0] = '\0'; password[0] = '\0'; @@ -128,21 +149,13 @@ puts("ERR"); continue; } - Checktimer(); /* Check if the user lists have changed */ rfc1738_unescape(username); rfc1738_unescape(password); - /* - * Check if user is explicitly denied or allowed. - * If user passes both checks, they can be authenticated. - */ - if (Check_user(username) == 1) { - syslog(LOG_INFO, "'%s' denied", username); - puts("ERR"); - } else if (QueryServers(username, password) == 0) + if (validate_user(username, password)) { puts("OK"); - else { + } else { syslog(LOG_INFO, "'%s' login failed", username); puts("ERR"); } === modified file 'helpers/basic_auth/SMB_LM/msntauth.h' --- helpers/basic_auth/MSNT/msntauth.h 2014-12-20 18:14:00 +0000 +++ helpers/basic_auth/SMB_LM/msntauth.h 2015-01-02 03:43:56 +0000 @@ -9,15 +9,7 @@ #ifndef _SQUID_HELPERS_BASIC_AUTH_MSNT_MSNTAUTH_H #define _SQUID_HELPERS_BASIC_AUTH_MSNT_MSNTAUTH_H -extern int OpenConfigFile(void); -extern int QueryServers(char *, char *); -extern void Checktimer(void); -extern "C" void Check_forchange(int); -extern int Read_denyusers(void); -extern int Read_allowusers(void); -extern int Check_user(char *); -extern int QueryServers(char *, char *); -extern int Check_ifuserallowed(char *ConnectingUser); +extern int QueryServers(char *, char *); extern void Check_forallowchange(void); #endif /* _SQUID_HELPERS_BASIC_AUTH_MSNT_MSNTAUTH_H */ === modified file 'helpers/basic_auth/SMB_LM/required.m4' --- helpers/basic_auth/MSNT/required.m4 2014-09-02 01:08:58 +0000 +++ helpers/basic_auth/SMB_LM/required.m4 2015-01-02 03:43:56 +0000 @@ -5,7 +5,7 @@ ## Please see the COPYING and CONTRIBUTORS files for details. ## -BUILD_HELPER="MSNT" +BUILD_HELPER="SMB_LM" # DONT build this helper on Windows AC_CHECK_HEADERS([w32api/windows.h windows.h],[BUILD_HELPER=""]) === modified file 'helpers/basic_auth/SMB_LM/valid.cc' --- helpers/basic_auth/MSNT/valid.cc 2014-12-20 18:14:00 +0000 +++ helpers/basic_auth/SMB_LM/valid.cc 2015-01-02 03:43:56 +0000 @@ -19,8 +19,9 @@ #include "smblib/smblib.h" #include "valid.h" +// BACKUP is unused int -Valid_User(char *USERNAME, char *PASSWORD, char *SERVER, char *BACKUP, char *DOMAIN) +Valid_User(char *USERNAME, char *PASSWORD, const char *SERVER, char *BACKUP, const char *DOMAIN) { const char *supportedDialects[] = {"PC NETWORK PROGRAM 1.0", "MICROSOFT NETWORKS 1.03", @@ -36,11 +37,8 @@ SMB_Init(); con = SMB_Connect_Server(NULL, SERVER, DOMAIN); - if (con == NULL) { /* Error ... */ - con = SMB_Connect_Server(NULL, BACKUP, DOMAIN); - if (con == NULL) { - return (NTV_SERVER_ERROR); - } + if (con == NULL) { + return (NTV_SERVER_ERROR); } if (SMB_Negotiate(con, supportedDialects) < 0) { /* An error */ SMB_Discon(con, 0); === modified file 'helpers/basic_auth/SMB_LM/valid.h' --- helpers/basic_auth/MSNT/valid.h 2014-12-20 18:14:00 +0000 +++ helpers/basic_auth/SMB_LM/valid.h 2015-01-02 03:43:56 +0000 @@ -15,7 +15,7 @@ #define NTV_PROTOCOL_ERROR 2 #define NTV_LOGON_ERROR 3 -int Valid_User(char *USERNAME, char *PASSWORD, char *SERVER, char *BACKUP, char *DOMAIN); +int Valid_User(char *USERNAME, char *PASSWORD, const char *SERVER, char *BACKUP, const char *DOMAIN); #endif === modified file 'helpers/basic_auth/SSPI/valid.h' --- helpers/basic_auth/SSPI/valid.h 2014-12-20 18:14:00 +0000 +++ helpers/basic_auth/SSPI/valid.h 2015-01-02 03:43:56 +0000 @@ -91,7 +91,5 @@ } #endif /* __GNUC__ */ -int Valid_User(char *,char *, char *); - #endif === modified file 'helpers/basic_auth/modules.m4' --- helpers/basic_auth/modules.m4 2014-09-02 01:08:58 +0000 +++ helpers/basic_auth/modules.m4 2015-01-02 03:43:56 +0000 @@ -47,9 +47,6 @@ elif test "x$helper" = "xMSNT-multi-domain" ; then m4_include([helpers/basic_auth/MSNT-multi-domain/required.m4]) - elif test "x$helper" = "xMSNT" ; then - m4_include([helpers/basic_auth/MSNT/required.m4]) - elif test "x$helper" = "xNCSA" ; then m4_include([helpers/basic_auth/NCSA/required.m4]) @@ -71,6 +68,9 @@ elif test "x$helper" = "xSMB" ; then m4_include([helpers/basic_auth/SMB/required.m4]) + elif test "x$helper" = "xSMB_LM" ; then + m4_include([helpers/basic_auth/SMB_LM/required.m4]) + elif test "x$helper" = "xSSPI" ; then m4_include([helpers/basic_auth/SSPI/required.m4]) === modified file 'lib/smblib/smblib.c' --- lib/smblib/smblib.c 2014-12-20 18:14:00 +0000 +++ lib/smblib/smblib.c 2015-01-02 03:43:56 +0000 @@ -99,7 +99,7 @@ /* or anything else ... */ SMB_Handle_Type SMB_Connect_Server(SMB_Handle_Type Con_Handle, - char *server, const char *NTdomain) + const char *server, const char *NTdomain) { SMB_Handle_Type con; === modified file 'lib/smblib/smblib.h' --- lib/smblib/smblib.h 2014-12-20 18:14:00 +0000 +++ lib/smblib/smblib.h 2015-01-02 03:43:56 +0000 @@ -50,7 +50,7 @@ /* Connect to a server, but do not do a tree con etc ... */ SMB_Handle_Type SMB_Connect_Server(SMB_Handle_Type Con_Handle, - char *server, + const char *server, const char *NTdomain); /* Connect to a server and give us back a handle. If Con == NULL, create */