02-26-2008, 07:23 AM  #1
Member (Registered: Apr 2005, Location: Durban, Posts: 360)
Squid and pam_auth
I have been looking to get pam_auth going with squid.
All the Howtos I've looked at indicate that the pam_auth helper is located at /usr/lib/squid/pam_auth.
However, the file does not exist.
I have compiled Squid3_STABLE1 from source and /opt/squid/helpers/basic_auth/PAM/pam_auth.c does exist.
If I look at /etc/pam.conf, it says the following:
~~~~~~~~~~~~~~ snip ~~~~~~~~~~~~~~~~~~~
# NOTE: Most program use a file under the /etc/pam.d/ directory to setup their
# PAM service modules. This file is used only if that directory does not exist.
~~~~~~~~~~~~~~ snip ~~~~~~~~~~~~~~~~~~~
Obviously the pam_auth module has been replaced.
There is a file in /etc/pam.d/common-auth which contains the following
~~~~~~~~~~~~~~ snip ~~~~~~~~~~~~~~~~~~~
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_unix.so nullok_secure
~~~~~~~~~~~~~~ snip ~~~~~~~~~~~~~~~~~~~
But I'm not sure how to implement it with /etc/squid/squid.conf.
02-27-2008, 05:46 PM  #2
Senior Member (Registered: Oct 2003, Posts: 3,057)
/usr/lib/squid/pam_auth does exist on my fc8 box
02-27-2008, 11:50 PM  #3
Original Poster
It turns out I had to compile Squid with the following.
./configure --prefix=/usr/local/squid --enable-linux-netfilter --enable-auth="ntlm,basic" --enable-auth-modules="PAM,NCSA"
What I want is for users to access the 'net without having to change the browser configuration (i.e. 'transparently').
But I need to be able to track users' usage, so I need them to log in to authenticate themselves so that they can be identified by name rather than by their IP (which will vary on DHCP).
Googling I see that this is not possible; that Transparent proxying precludes authentication. Beats me why.
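As an added example (not configuration from the thread), this is the squid.conf wiring that post #1 asks about, assuming the /usr/local/squid prefix from post #3 so that the helper installs as /usr/local/squid/libexec/pam_auth (verify the path on your build), plus the PAM service file the helper looks up under the service name "squid" by default. Note that pam_unix needs to read /etc/shadow, so the helper must run with sufficient privilege (the pam_auth documentation describes making it setuid root), and that HTTP Basic sends the password to the proxy unencrypted, so keep it to a trusted LAN.

```conf
# --- /usr/local/squid/etc/squid.conf (fragment) ---
# Spawn the PAM helper; Squid passes "user password" lines to it on stdin.
auth_param basic program /usr/local/squid/libexec/pam_auth
auth_param basic children 5
auth_param basic realm Proxy login
# Cache a successful check so the helper is not hit on every request.
auth_param basic credentialsttl 2 hours

# Any request without valid proxy credentials gets a 407 challenge.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

# --- /etc/pam.d/squid ---
# pam_auth authenticates against the PAM service named "squid".
# Reuse the distribution's common stack (shown in post #1) instead of
# hard-coding modules, so the proxy follows the same policy as logins:
auth     include    common-auth
account  include    common-account
```

Once authenticated, the user name appears in the eighth field of access.log instead of "-", which is what makes per-user accounting possible.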
02-27-2008, 11:54 PM  #4
Original Poster
Would it be possible to replace the "/usr/local/squid/share/errors/English/ERR_ACCESS_DENIED" page with a custom one providing for usernames and passwords?
A Perl script might then be able to generate a file accessible to the "acl AuthorisedUser src /var/log/squid/iplistfile" directive.
Is this feasible?
Has anyone done something similar?
Or is there an easier solution?
02-28-2008, 04:33 AM  #5
Senior Member
All of the information shows up in /var/log/squid/access.log and/or /var/log/dansguardian/access.log.
If you have authentication enabled, the user name and PC address might look like this in the squid access.log:
Code:
1203889364.488 0 192.168.0.1 TCP_HIT/200 21287 GET http://linuxquestions.cachefly.net/images/questions/images/LinuxQuestions.png fred NONE/- image/png
or like this in the dansguardian access.log:
Code:
2008.2.28 5:17:31 fred 192.168.0.1 http://www.someplace.com/styles/styles1.css GET 1721
From there, you can use a perl script like the one found at the dansguardian site to dump the access log into an html file, which is much more readable.
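As an added example (not a script from the thread or from the DansGuardian site), the following Python parses the two log formats quoted in reply #5 and totals bytes per identity, falling back to the client IP when the user field is "-" (an unauthenticated request). The log lines are constructed samples in those formats.

```python
"""Per-user usage totals from Squid native and DansGuardian access logs."""
from collections import defaultdict

# Constructed sample lines in the two formats quoted in this thread.
SQUID_LOG = """\
1203889364.488 0 192.168.0.1 TCP_HIT/200 21287 GET http://linuxquestions.cachefly.net/images/questions/images/LinuxQuestions.png fred NONE/- image/png
1203889365.102 12 192.168.0.1 TCP_MISS/200 4096 GET http://www.someplace.com/index.html fred DIRECT/10.0.0.1 text/html
1203889370.500 3 192.168.0.2 TCP_MISS/200 512 GET http://www.someplace.com/a.css - DIRECT/10.0.0.1 text/css
"""

DG_LOG = """\
2008.2.28 5:17:31 fred 192.168.0.1 http://www.someplace.com/styles/styles1.css GET 1721
2008.2.28 5:17:32 alice 192.168.0.3 http://www.someplace.com/index.html GET 8000
"""


def parse_squid_line(line):
    """Squid native: time elapsed client code/status bytes method url user hier/peer type."""
    f = line.split()
    if len(f) < 10:
        return None  # truncated or foreign line; caller skips it
    return {"ip": f[2], "bytes": int(f[4]), "method": f[5], "url": f[6], "user": f[7]}


def parse_dansguardian_line(line):
    """DansGuardian: date time user ip url method size (further fields optional)."""
    f = line.split()
    if len(f) < 7:
        return None
    return {"ip": f[3], "bytes": int(f[6]), "method": f[5], "url": f[4], "user": f[2]}


def usage_by_identity(text, parser):
    """Sum bytes per user name; unauthenticated requests are keyed by client IP."""
    totals = defaultdict(int)
    for line in text.splitlines():
        rec = parser(line)
        if rec is None:
            continue
        key = rec["user"] if rec["user"] not in ("-", "") else "ip:" + rec["ip"]
        totals[key] += rec["bytes"]
    return dict(totals)


if __name__ == "__main__":
    for name, text, parser in (("squid", SQUID_LOG, parse_squid_line),
                               ("dansguardian", DG_LOG, parse_dansguardian_line)):
        for who, total in sorted(usage_by_identity(text, parser).items()):
            print(f"{name:12} {who:20} {total:>8} bytes")
```

Entries keyed "ip:..." are exactly the requests that transparent mode leaves unattributed, which is the gap the rest of the thread is about.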
02-28-2008, 04:41 AM  #6
Original Poster
Yes,
The log looks like the first example you give, which is obviously not sufficient for my purpose.
The second example is really what I'm after, but my information is that user authentication is not compatible with the transparent proxy behaviour, i.e. because the browser is unaware of the existence of the proxy, it will not respond to a request for a username and password from it.
02-28-2008, 04:59 AM  #7
Senior Member
Quote:
    but my information is that user authentication is not compatible with the transparent proxy behaviour
Correct.
You still get the ip address when not using authentication. But, it's a general pain to get user info when using transparent.
02-29-2008, 04:11 AM  #8
Original Poster
The point is that my users access multiple networks with multiple network ranges.
I cannot have them reconfiguring their browsers when they access through my server.
02-29-2008, 04:25 AM  #9
Original Poster
I can't believe that there is not a work-around for this...
For example, if I can set up a file containing an ip address on each line /etc/squid/iplist.
And then I set up the squid.conf to have the following line:
acl authorisedip src "/etc/squid/iplist"
I can change the ERR_ACCESS_DENIED file to contain a form which calls a perl program (catchip.pl) passing it a username and password which, if correct, appends the user's ip to the /etc/squid/iplist file. (removing the IP when the user closes his browser would be trickier).
The problem is that any links in the ERR_ACCESS_DENIED file are appended to the original URL. So, if the user has requested the URL www.toyota.co.za, the form in the ERR file will try to call http://www.toyota.co.za/cgi-bin/catchip.cgi instead of the local cgi-bin/catchip.cgi.
I can't believe that this avenue has not been fully explored....
02-29-2008, 05:39 AM  #10
Original Poster
Well, in answer to a couple of my questions, the answer is to set up your links as http://localhost/cgi-bin/catchip.pl.
However, the whole scheme seems to fall down because Squid appears to cache the iplist file. So it needs to be restarted in order to re-read that file, which totally subverts its usefulness.
Any other suggestions would be most welcome. I can't believe that I'm the only one who wants this kind of functionality?