Re: User Authentication

From: Andrew Smith <[email protected]>
Date: Wed, 10 Jun 1998 14:01:42 +1000

Hello Joe,
We do that here. We use and recommend Arjan de Vet's patch

http://www.iae.nl/users/devet/squid/proxy_auth/

and my own 'authenticate' child written in Perl5 (thanks to Arjan for
the useful sample perl) which uses the standard radpwtst binary which
comes with radius. I have included this code below. It utilizes a
'round-robin' DNS entry for the name radius.<snip> and does fall-back.
I would not claim that this is bullet proof or efficient, but it works
for us and should do until Arjan releases his radius client support.
Note the fascist regex to check for valid usernames. If you use this,
you will need to customise this but beware: username '-' must not be
valid, and does exciting things with radpwtst if you let it through. You
should also double check your return codes from the radpwtst pipe.

Andrew.

#!/usr/local/bin/perl

# AES Feb 1998
use FileHandle;

# open(L, ">>/tmp/authenticate.log") || die "$!";
# L->autoflush(1);
STDOUT->autoflush(1);

$radpwtst = '/usr/local/radius/radpwtst';
$rad_serv = 'radius.<snip>';
$udp_port = 1649;

@addr_struct = gethostbyname($rad_serv);
scalar(@addr_struct) > 4 or die "Cannot find radius server $rad_serv in
DNS.";
splice @addr_struct, 0, 4;
@ip_nums = @addr_struct;
$num_ips = scalar(@ip_nums);

$ip_index = 0;
$ip = join '.', unpack('C4', $ip_nums[$ip_index]);

LINE: while (<STDIN>) {
# print L;
     chop;
     if ($_ !~ /^[a-z0-9]{1,8}\s+[^\s]{1,40}$/){
          print "ERR\n";
# print L "ERR\n";
          next LINE;
     }
     ($user, $passwd) = split /\s+/, $_;
     $count = 0;
     do {
            open(RAD, "| $radpwtst -p $udp_port -s $ip -r 4 $user >
/dev/null 2>&1")
                  or die "$!";
            RAD->autoflush(1);
            print RAD "$passwd\n" or die "$!";
            close(RAD);
            $return = ($? >> 8);
            ++$count;
            if ($return != 0 and $return != 254) {
               $ip_index = (++$ip_index) % $num_ips;
               $ip = join '.', unpack('C4', $ip_nums[$ip_index]);
            }
     } until ($count > 4 or $return == 0 or $return == 254);
            if ($return == 0){
                    print "OK\n";
# print L "OK\n";
            } else {
                    print "ERR\n";
# print L "ERR\n";
            }
      }
      exit(0);

Joe Smith wrote:
>
> On Tue, 9 Jun 1998, Henrik [iso-8859-1] Nordstr�m wrote:
>
> > > Is there anyway to do user Authentication other than the passwd file?
> >
> > You can use any passwd file you like. And if a passwd file is not what
> > you want then I think there is a patch for modular authentication that
> > allows most authentication schemes to be plugged in.
>
> I would like to point this thing (SQUID) at a Radius server if posible.

-- 
Dr. Andrew Smith                     Any OPINIONS expressed are
Network Development                  mine and do not necessarily
Prentice Centre                      reflect the views of the
University of Queensland             University of Qld.
Australia, 4072.
email: ccasmith@prentice.uq.edu.au
Received on Tue Jun 09 1998 - 21:02:57 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:40:41 MST