RE: [squid-users] Challenge/Response with Cache Peers (NTLM)

From: Henrik Nordstrom <[email protected]>
Date: Sun, 13 Feb 2005 12:59:17 +0100 (CET)

On Sun, 6 Feb 2005, Kinkie wrote:

>> The login=*:password cache_peer option comes in handy for implementing
>> this kind of scheme.
>
> Sure, but it requires a custom authenticator, or at least some kind of
> wrapper, which is certainly doable but not easy (might it be interesting
> to add something of the sort to the default package, maybe?). Also, it
> probably requires extra care when two simultaneous auth-schemes are
> involved.

The login=... cache_peer option only specifies basic authentication.

Implementing the custom authenticator wrapper is easy. Here is a shell
example acting as a wrapper around any other basic authenticator to allow
Squid to be used both by normal clients and other caches.

#!/bin/sh
# Usage: wrapper.sh <shared-secret> <real-basic-helper> [helper args...]
# Squid writes "user password" lines on stdin; every line must get exactly
# one "OK" or "ERR" reply on stdout, in order.
if [ $# -lt 2 ]; then
    echo "Usage: $0 secretpassword helper ..."
    exit 1
fi

secret="$1"
shift

# Keep a copy of Squid's stdout on fd 4 so the loop (which runs inside the
# pipeline, with its stdout connected to the real helper) can still answer
# Squid directly.
exec 4>&1

# -r keeps backslashes in the credentials intact.
while read -r user password; do
    if [ "$password" = "$secret" ]; then
        # Peer cache presenting the shared secret: answer OK ourselves.
        echo OK >&4
    else
        # Ordinary client: hand the line to the real helper, whose reply
        # goes straight to Squid.
        echo "$user $password"
    fi
done | "$@"

Designed to be used as

auth_param basic program /path/to/script topsecretpassword normal_helper_with_arguments

Numerous other variants are possible.

Note: If the selected secret shared password for squid->squid
communication contains odd characters these must be URL-encoded in the
helper specification.

Regards
Henrik
Received on Sun Feb 13 2005 - 04:59:25 MST