[squid-users] squid <-> PAM interaction does not work?

From: Michael Gens <[email protected]>
Date: Mon, 02 Dec 2002 08:56:44 +0100

Hello:

I am not able to solve the following situation (Squid 2.5Stable1):

After invoking a browser and typing in a URL, a popup window
appears asking for the username and password. I typed in the
information asked for and got different reactions depending
on the activated lines in squid.conf and the owner:group specification
of the authentication file used (/usr/sbin/pam_auth from OS or
/usr/local/squid/libexec/pam_auth from squid).

In my opinion the pair root:shadow are the best values for
accessing a URL, because there was no error message after typing
the username and password into the authentication window.

But then the browser shows:
"Access Denied. Access control configuration prevents your request
from being allowed at this time. ..."

With Squid's pam_auth, the access.log file then has the following entry:

...
TCP_DENIED/407 1704 GET http://www..../ - NONE/- text/html
TCP_DENIED/403 1354 GET http://www..../ <user> NONE/- text/html

With the OS's pam_auth, the access.log file then has the following entry
(reverse order: is that by chance, or must it be this way?):

TCP_DENIED/403 1354 GET http://www..../ <user> NONE/- text/html
TCP_DENIED/407 1704 GET http://www..../ - NONE/- text/html

And why is there no username to be found in either one of the
lines listed above?

By the way: with no authentication squid works really well!

My squid.conf entries (essence)

...
redirect_program /usr/sbin/squidGuard
redirect_children 5

auth_param basic program /usr/sbin/pam_auth
#auth_param basic program /usr/local/squid/libexec/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
auth_param basic credentialsttl 1 minute

...
negative_ttl 5 seconds
acl checkpw proxy_auth REQIRED
acl all src <private net>/24
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow checkpw all
http_access deny all
...

----------------------------------------------------------
Informational only: squidguard.conf

acl {
     default {
         pass all
     }
}
----------------------------------------------------------

If I invoke /usr/local/squid/sbin/squid -N -d 1 -D

I get "Ready to serve requests" and cache information but neither
error messages nor more information during uptime of squid.

Is someone able to interpret this information so that I get
successful access to the internet after authentication?

Thank you very much in advance.

-- 
Rgds.
             _ #          Michael                        # _
Received on Mon Dec 02 2002 - 00:56:39 MST
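
Added example, not part of the original post and not Squid's own code: in squid.conf a proxy_auth ACL takes a list of usernames, or the keyword REQUIRED to accept any authenticated user, so a near-miss spelling of the keyword is parsed as a literal username. The Python sketch below lints for that on a constructed sample modelled on the acl and http_access lines quoted in the post; the function names and the 0.8 similarity threshold are assumptions.

```python
import difflib

KEYWORD = "REQUIRED"  # documented proxy_auth keyword: accept any authenticated user

# Constructed sample modelled on the acl/http_access lines quoted in the post.
SAMPLE_CONF = """\
auth_param basic program /usr/sbin/pam_auth
acl checkpw proxy_auth REQIRED
acl staff proxy_auth -i alice bob   # explicit user list (constructed)
acl anyuser proxy_auth REQUIRED
http_access allow checkpw all
http_access allow staff
http_access deny all
"""

def directives(conf_text):
    """Yield each directive as a list of fields, with comments stripped."""
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield fields

def lint_proxy_auth(conf_text, threshold=0.8):
    """Return (acl_name, value) pairs whose value looks like a misspelt REQUIRED.

    Such a value is parsed as a literal username, so the ACL matches only a
    user with exactly that name. The threshold is an assumption of this sketch.
    """
    findings = []
    for f in directives(conf_text):
        if len(f) < 4 or f[0] != "acl" or f[2] != "proxy_auth":
            continue
        for value in f[3:]:
            if value in ("-i", KEYWORD):
                continue
            score = difflib.SequenceMatcher(None, value.upper(), KEYWORD).ratio()
            if score >= threshold:
                findings.append((f[1], value))
    return findings

def affected_rules(conf_text):
    """Return the http_access rules that reference a flagged ACL (or its negation)."""
    flagged = {name for name, _ in lint_proxy_auth(conf_text)}
    return [" ".join(f) for f in directives(conf_text)
            if f[0] == "http_access"
            and any(tok.lstrip("!") in flagged for tok in f[2:])]

if __name__ == "__main__":
    for name, value in lint_proxy_auth(SAMPLE_CONF):
        print(f"acl {name}: '{value}' is read as a username, not as {KEYWORD}")
    for rule in affected_rules(SAMPLE_CONF):
        print("rule depends on it:", rule)
```

Run against a real squid.conf by passing the file's text to `lint_proxy_auth`; a value that differs from the keyword only in case is flagged as well, since the documented spelling is upper-case.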
