[SOLVED] Deleted testuser from passwd file but squid still allows connections

qwertyjjj · 08-15-2009, 09:45 AM

I deleted a user from my squid_passwd file.
Restarted my browser and on the next connection, squid requested the password. However, it still allowed me in even though the user name testuser wasn't in the password file?

I tried with a fake user called fakeuser at the browser prompt and that denied me so the ncsa_auth must be working.

Any ideas as to what could be wrong?

On a related note on existingt connections, if the user is removed from the password file, shouldn't squid reauthenticate or does it only do that when the session is lost?

repo · 08-15-2009, 11:26 AM

Did you restart squid ?

qwertyjjj · 08-15-2009, 11:46 AM

Quote:

Originally Posted by repo

Did you restart squid ?

No - would be pointless to restart squid every time you added a user or deleted one as that would affect all the existing users:
According to the squid user group it seems this affects the user cache auth schemes and I probably need to uncomment it in the conf and then restart.

Quote:

# "credentialsttl" timetolive
# Specifies how long squid assumes an externally validated
# username

assword pair is valid for - in other words how often the
# helper program is called for that user. Set this low to force
# revalidation with short lived passwords. Note that setting this high
# does not impact your susceptibility to replay attacks unless you are
# using an one-time password system (such as SecureID). If you are using
# such a system, you will be vulnerable to replay attacks unless you
# also use the max_user_ip ACL in an http_access rule.
# auth_param basic credentialsttl 2 hours

However, I am not sure whether that means the user is asked for the user password every 2 hours or whether it is only since the last request.