Squid_ The Definitive Guide - Duane Wessels [110]
The Perl script is named smb_auth.pl. It might look like this in squid.conf:
auth_param basic program /usr/local/squid/libexec/smb_auth.pl
Documentation for multi-domain-NTLM is thin, but if you understand Perl, you should be able to figure it out by reading the code.
PAM
./configure --enable-basic-auth-helpers=PAM
In a sense, Pluggable Authentication Modules (PAM) are the glue between authentication methods (e.g., one-time passwords, Kerberos, smart cards) and applications requiring authentication services (e.g., ssh, ftp, imap). Your system's /etc/pam.conf file describes which methods to use for each application.
To use Squid's PAM authentication helper, you need to add "squid" as a service in the /etc/pam.conf file and specify which PAM modules to use. For example, to use the Unix password file on FreeBSD, you might put this in pam.conf:
squid auth required pam_unix.so try_first_pass
* * *
Tip
To check the Unix password database, the pam_auth process must run as root. This is a security risk and you must manually make the executable setuid root. If pam_auth doesn't run as root, and it is configured to check the Unix password database, every request for authentication fails.
* * *
The PAM authenticator is documented with a manual page that you can find in the helpers/basic_auth/PAM directory.
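The following Python script is an added example, not code from the book or from Squid. It reads the helper path from each auth_param basic program line and reports the ownership and mode problems that the Tip above is concerned with. A setuid-root password checker that every local user can execute lets any of them test passwords, so that combination is flagged separately. The function names, the trusted_uid parameter, and the sample files are assumptions made for illustration.

```python
import os
import stat
import tempfile

def helper_paths(squid_conf_text):
    """Return the program path from each 'auth_param basic program' line."""
    paths = []
    for line in squid_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if fields[:3] == ["auth_param", "basic", "program"] and len(fields) > 3:
            paths.append(fields[3])              # helper arguments follow the path
    return paths

def audit_helper(path, trusted_uid=0):
    """Return a list of findings about one helper's ownership and mode."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != trusted_uid:
        findings.append("owner is uid %d, expected %d" % (st.st_uid, trusted_uid))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    if mode & stat.S_ISUID:
        findings.append("setuid bit set")
        if mode & stat.S_IXOTH:
            findings.append("setuid and executable by every local user")
    return findings

def demo():
    """Constructed sample: two stand-in helper files and a squid.conf snippet."""
    d = tempfile.mkdtemp()
    for name, mode in {"pam_auth": 0o4755, "smb_auth": 0o755}.items():
        p = os.path.join(d, name)
        open(p, "w").close()
        os.chmod(p, mode)
    # Two program lines appear only so that both outcomes are shown.
    conf = ("# constructed sample\n"
            "auth_param basic program %s/pam_auth\n"
            "auth_param basic program %s/smb_auth -W MYNTDOMAIN\n"
            "auth_param basic children 5\n" % (d, d))
    # The stand-in files belong to the current user, so trust that uid here;
    # on a real system keep the default of 0 (root).
    return {os.path.basename(p): audit_helper(p, trusted_uid=os.getuid())
            for p in helper_paths(conf)}

if __name__ == "__main__":
    for helper, findings in demo().items():
        print(helper, findings or "no findings")
```

To audit a real installation, pass the contents of your squid.conf to helper_paths() and call audit_helper() on each result with the default trusted_uid.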
SASL
./configure --enable-basic-auth-helpers=SASL
The Simple Authentication and Security Layer (SASL) is an IETF proposed standard, documented in RFC 2222. It is a protocol for negotiating security parameters for connection-based protocols (e.g., FTP, SMTP, HTTP). However, the SASL authenticator is similar to the PAM authenticator. It interfaces with a third-party library to query a number of different authentication databases.
Specifically, Squid's SASL authenticator requires the Cyrus SASL library developed by Carnegie Mellon University. You can find it at http://asg.web.cmu.edu/sasl/.
You can configure the SASL authenticator to check the traditional password file, the PAM system, or any of the other databases supported by CMU's library. For further information, see the README file in the helpers/basic_auth/SASL directory.
SMB
./configure --enable-basic-auth-helpers=SMB
SMB is another authenticator for Microsoft Windows databases. The authenticator itself is a C program. That program executes a shell script each time it talks to the Windows domain controller. The shell script contains commands from the Samba package. Thus, you'll need to install Samba before using the SMB authenticator.
The SMB authenticator program, smb_auth, takes the Windows domain name as an argument. For example:
auth_param basic program /usr/local/squid/libexec/smb_auth -W MYNTDOMAIN
You can list multiple domains by repeating the -W option. For full documentation, see http://www.hacom.nl/~richard/software/smb_auth.html.
YP
./configure --enable-basic-auth-helpers=YP
The YP authenticator checks a system's "Yellow Pages" (a.k.a. NIS) directory. To use it with Squid, you need to provide the NIS domain name and the name of the password database, usually passwd.byname, on the authenticator command line:
auth_param basic program /usr/local/squid/libexec/yp_auth my.nis.domain passwd.byname
The yp_auth program is relatively simple, but doesn't have any documentation.
getpwnam
./configure --enable-basic-auth-helpers=getpwnam
This authenticator is simply an interface to the getpwnam( ) function found in the C library on Unix systems. The getpwnam( ) function looks in the system password file for a given username. If you use YP/NIS, getpwnam( ) checks those databases as well. On some operating systems, it may also utilize the PAM system. You can use this authenticator if your cache users have login accounts on the system where Squid is running. Alternatively, you could set up "nologin" accounts