Squid: The Definitive Guide - Duane Wessels [111]
winbind
./configure --enable-basic-auth-helpers=winbind
Winbind is a feature of the Samba suite of software. It allows Unix systems to utilize Windows NT user account information. The winbind authenticator is a client for the Samba winbindd daemon. You must have Samba installed and the winbindd daemon running before you can use this authenticator.
The name of the winbind Basic authenticator is wb_basic_auth. It typically looks like this in squid.conf:
auth_param basic program /usr/local/squid/libexec/wb_basic_auth
The Basic Auth API
The interface between Squid and a Basic authenticator is quite simple. Squid sends usernames and passwords to the authenticator process, separated by a space and terminated by a newline. The authenticator reads the username and password pairs on stdin. After checking the credentials, the authenticator writes either OK or ERR to stdout.
* * *
Tip
Any "URL-unsafe" characters are encoded according to the RFC 1738 rules. Thus, the name "jack+jill" becomes "jack%2bjill". Squid accepts usernames and passwords that contain whitespace characters. For example "a password" becomes "a%20password". The authenticator program should be prepared to handle whitespace and other special characters after decoding the name and password.
* * *
You can easily test a Basic authenticator on the command line. Simply run the authenticator program in a terminal window and enter usernames and passwords. Or, you can do it like this:
% echo "bueller pencil" | ./ncsa_auth /tmp/passwd
OK
Here is a simple template authenticator written in Perl:
#!/usr/bin/perl -wl
# Template Basic authenticator: reads "user password" lines from Squid on stdin
# and answers OK or ERR on stdout. The -l switch appends a newline to each print.
use strict;
use URI::Escape;
$| = 1;    # don't buffer stdout; Squid waits for each reply
while (<>) {
    my ($u, $p) = split;    # fields are space-separated; Squid has escaped any whitespace inside them
    $u = uri_unescape($u);  # undo the RFC 1738 %XX encoding
    $p = uri_unescape($p);
    if (valid($u, $p)) {
        print "OK";
    } else {
        print "ERR";
    }
}
sub valid {
    my ($user, $pass) = @_;
    ...    # your credential check goes here; return true for a valid pair
}
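The same helper protocol in Python, as an added example that is not from the book or from the Squid distribution. It keeps a small constructed credential table in memory (a real helper reads a password file or asks a directory), undoes the RFC 1738 %XX encoding described in the tip above, rejects malformed request lines instead of silently dropping them, and answers exactly one OK or ERR line per request. The user names, salts and the PBKDF2 storage format are assumptions made for the example:

```python
#!/usr/bin/env python3
"""Squid Basic authenticator: one "user password" line in, one OK or ERR line out."""
import hashlib
import hmac
import sys
from urllib.parse import unquote


def _pbkdf2(salt: bytes, password: str) -> bytes:
    # Assumed storage format for the example: salted PBKDF2-SHA256 rather than crypt(3) hashes
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed credential table (a real helper reads a password file or asks a directory).
USERS = {
    "bueller": (b"salt-1", _pbkdf2(b"salt-1", "pencil")),
    "jack+jill": (b"salt-2", _pbkdf2(b"salt-2", "secret")),
    "a user": (b"salt-3", _pbkdf2(b"salt-3", "a password")),
}


def decode_request(line: str):
    """Split a request line into (user, password) and undo the RFC 1738 %XX encoding.

    Squid escapes whitespace and other unsafe bytes, so a literal space only ever
    separates the two fields; any other shape is malformed and yields None.
    unquote() is the right call here: unlike unquote_plus() it leaves a literal
    '+' alone, and Squid sends '+' as %2b anyway.
    """
    fields = line.split()
    if len(fields) != 2:
        return None
    return unquote(fields[0]), unquote(fields[1])


def credentials_valid(user: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown users fail the same way."""
    record = USERS.get(user)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_pbkdf2(salt, password), stored)


def handle_request(line: str) -> str:
    """The helper protocol: exactly one reply per request line, OK or ERR."""
    decoded = decode_request(line)
    if decoded is None:
        return "ERR"
    user, password = decoded
    return "OK" if credentials_valid(user, password) else "ERR"


def main() -> None:
    for line in sys.stdin:          # Squid keeps the pipe open and sends one request per line
        sys.stdout.write(handle_request(line) + "\n")
        sys.stdout.flush()          # like $|=1 in the Perl template: Squid blocks until the reply arrives


if __name__ == "__main__":
    main()
```

Tested from a shell the same way as ncsa_auth above, `echo "jack%2bjill secret" | ./basic_helper.py` prints OK and `echo "bueller" | ./basic_helper.py` prints ERR; the flush after every reply matters, because a helper whose reply sits in a stdio buffer looks to Squid like a hung helper.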
* * *
[1] Unless you configure a peer with the login=PASS option.
HTTP Digest Authentication
Digest authentication is designed to be significantly more secure than Basic, because the password itself never crosses the wire. Instead of sending a cleartext password, the user-agent sends a "message digest": a cryptographic hash (MD5) computed over the password, username, realm, request method, URI, and a server-supplied nonce. (See RFC 2617 and O'Reilly's HTTP: The Definitive Guide for more information.)
HTTP Digest authentication supports the following auth_param parameters:
auth_param digest program command
auth_param digest children number
auth_param digest realm string
auth_param digest nonce_garbage_interval time-specification
auth_param digest nonce_max_duration time-specification
auth_param digest nonce_max_count number
auth_param digest nonce_strictness on|off
The program, children, and realm parameters are the same as for Basic authentication. All of the remaining parameters relate to Digest authentication's use of a nonce.
A nonce is a server-generated string that changes periodically. During the authentication process, the server (Squid in this case) hands a nonce value to the client, and the client folds that value into the digest it computes. Without the nonce, an attacker could simply capture a digest value and replay it indefinitely to gain access to Squid.
The nonce_garbage_interval parameter tells Squid how often to clean up the nonce cache. The default value is every 5 minutes. A very busy cache with many Digest authentication clients may benefit from more frequent nonce garbage collection.
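To make the nonce's role concrete, the following Python is an added example, not code from the book or from Squid. It computes the RFC 2617 response (qop=auth) the way a browser does, parses the resulting Authorization header back on the server side, and models a nonce table whose lifetime plays the role of nonce_max_duration and whose sweep is what nonce_garbage_interval schedules. The realm string, the credential table, the fixed timestamps and the 30-minute lifetime are assumptions for the example; Squid's own nonce handling differs in its internals. The Mufasa values in the test are the worked example from RFC 2617 section 3.5.

```python
import hashlib
import hmac
import re
import secrets

REALM = "Squid proxy-caching web server"    # assumed realm; set with auth_param digest realm
NONCE_MAX_DURATION = 30 * 60                # seconds; assumed to match the 30-minute default

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1_for(username: str, realm: str, password: str) -> str:
    """MD5(A1) per RFC 2617; the server only needs this value, never the cleartext password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """The response a browser sends for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:MD5(A2)), A2 = method:uri."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_digest_header(header: str):
    """Turn 'Digest k="v", k2=v2, ...' into a dict; returns None for a non-Digest header."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        return None
    return {key: quoted or bare for key, quoted, bare in _PARAM.findall(params)}


def build_authorization(username, ha1, method, uri, nonce, nc, cnonce, realm=REALM):
    """The client side of the exchange: the credentials a browser puts in the header."""
    response = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


class NonceStore:
    """Server-side nonce table; max_duration plays the role of nonce_max_duration."""

    def __init__(self, max_duration: int = NONCE_MAX_DURATION):
        self.max_duration = max_duration
        self.issued = {}    # nonce -> time it was handed out

    def new_nonce(self, now: float) -> str:
        nonce = secrets.token_hex(16)
        self.issued[nonce] = now
        return nonce

    def is_valid(self, nonce: str, now: float) -> bool:
        issued = self.issued.get(nonce)
        return issued is not None and now - issued <= self.max_duration

    def garbage_collect(self, now: float) -> int:
        """What nonce_garbage_interval schedules: drop expired nonces. Returns how many remain."""
        self.issued = {n: t for n, t in self.issued.items() if now - t <= self.max_duration}
        return len(self.issued)


def verify(header: str, method: str, users: dict, store: NonceStore, now: float) -> str:
    """Check one Authorization header. 'STALE' is the case where Squid answers 401 with a fresh nonce."""
    auth = parse_digest_header(header)
    if auth is None:
        return "ERR"
    nonce = auth.get("nonce", "")
    if not store.is_valid(nonce, now):
        return "STALE"
    ha1 = users.get(auth.get("username", ""))
    if ha1 is None:
        return "ERR"
    expected = digest_response(ha1, method, auth.get("uri", ""), nonce,
                               auth.get("nc", ""), auth.get("cnonce", ""), auth.get("qop", "auth"))
    return "OK" if hmac.compare_digest(expected, auth.get("response", "")) else "ERR"


if __name__ == "__main__":
    users = {"bueller": ha1_for("bueller", REALM, "pencil")}   # constructed credential table
    store = NonceStore()
    t0 = 1_000_000.0                                            # constructed clock value
    nonce = store.new_nonce(t0)
    hdr = build_authorization("bueller", users["bueller"], "GET", "http://www.example.com/", nonce, "00000001", "0a4f113b")
    print(verify(hdr, "GET", users, store, t0))          # OK
    print(verify(hdr, "GET", users, store, t0 + 600))    # OK: the captured header replays inside the nonce lifetime
    print(verify(hdr, "GET", users, store, t0 + 1801))   # STALE: nonce older than max_duration
```

The model checks only the nonce's age, so a captured header replays successfully until the lifetime runs out; that is exactly the window nonce_max_duration bounds. Changing the method or the URI changes A2 and therefore the response, which is why a digest captured for one request cannot be reused for another.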
The nonce_max_duration parameter specifies how long each nonce value remains valid. When a client attempts to use a nonce value older than the specified time, Squid generates a 401 (Unauthorized) response and sends along a fresh nonce value so the client can re-authenticate. The default value is 30 minutes. Note that any captured Authorization headers can be used in a replay attack until the nonce value expires. Setting the nonce_max_duration too low, however, causes Squid to generate 401 responses more often. Each 401 response essentially