Re: Squid External Authentication Question

From: Dancer <[email protected]>
Date: Fri, 05 Feb 1999 06:31:08 +1100

Wade B Komisar wrote:
>
> I am implementing squid as an authenticated tunnel through our firewall.
>
> I need to write a squid authentication module that goes against our own
> authentication scheme. I understand how this is done -- I think. The
> authentication program is passed the userid and password and comes back
> with an OK or ERR.
>
> The problem is this. Our authentication scheme not only verifies a
> user's id and password, but also has information such as classification
> (faculty, student) and school. We'd like to filter which web server a
> user has access to based on their classification and school. The
> problem is that my authentication module needs to see which URL the user
> is going after. Can I access the URL, either in a file, or as a
> wildcard in authenticate_options, or as an environment variable?

Since we have different user/password tables for different source IP
ranges, I had to make some mods to the authenticator callup in squid
(preserve and pass the source-ip, and do _not_ cache the authentication
response). Having done it, yes, it's a little bit of a nuisance to pass
extra data to your authenticator, but no great trouble. The hardest part
is figuring out exactly where the data that you want to pass is stored.

Should we make this a FAQ? Here's a quick guide to hacking authenticator
arguments:

The thing to change is the function authenticateStart() in
authenticate.c, specifically, where it says:

snprintf(buf, 8192, "%s %s\n", r->auth_user->user,
r->auth_user->passwd);

The awkward part is that struct acl_proxy_auth_user (passed to that
function) doesn't contain the URL.

So, what I would do in your place is:

1) Modify structs.h and add in a storage pointer for the URL.
2) Modify acl.c in the function aclLookupProxyAuthStart() to copy the
URL from checklist->whatever_it's_called to your new storage member in
auth_user
3) Change the snprintf in authenticateStart() in authenticate.c to read
something like:
snprintf(buf, 8192, "%s %s %s\n", r->url,r->auth_user->user,
r->auth_user->passwd);
..so that the URL is passed as the first parameter to the authenticator.
4) Change aclMatchProxyAuth() in acl.c, specifically from:
auth_user = hash_lookup(proxy_auth_cache, user);
to
auth_user = NULL;

...why? Because the authentication cache only knows about users and if
their passwords were ok. Not about any other data you are passing. To do
a _proper_ job, you should hack the authenticator caching as well, but
in some cases it's probably just best to disable it.

5) Do NOT NOT NOT NOT (absolutely not) forget to discard your storage in
aclFreeProxyAuthUser() in acl.c or you will leak memory to hell-and-gone
with every authentication request.

Happy hacking :)

D
Received on Thu Feb 04 1999 - 12:26:12 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:44:26 MST