LinuxQuestions.org
Old 02-26-2008, 07:23 AM   #1
cov
Member
 
Registered: Apr 2005
Location: Durban
Posts: 365

Rep: Reputation: 30
Squid and pam_auth


I have been looking to get pam_auth going with squid.

All the Howtos I've looked at indicate that the pam_auth helper is located at /usr/lib/squid/pam_auth.

However, the file does not exist.

I have compiled Squid3_STABLE1 from source and /opt/squid/helpers/basic_auth/PAM/pam_auth.c does exist.

If I look at /etc/pam.conf, it says the following:
~~~~~~~~~~~~~~ snip ~~~~~~~~~~~~~~~~~~~
# NOTE: Most program use a file under the /etc/pam.d/ directory to setup their
# PAM service modules. This file is used only if that directory does not exist.
~~~~~~~~~~~~~~ snip ~~~~~~~~~~~~~~~~~~~

Obviously the pam_auth module has been replaced.

There is a file in /etc/pam.d/common-auth which contains the following
~~~~~~~~~~~~~~ snip ~~~~~~~~~~~~~~~~~~~
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_unix.so nullok_secure
~~~~~~~~~~~~~~ snip ~~~~~~~~~~~~~~~~~~~

But I'm not sure how to implement it with the /etc/squid/squid.conf.
 
Old 02-27-2008, 05:46 PM   #2
homey
/usr/lib/squid/pam_auth does exist on my fc8 box
 
Old 02-27-2008, 11:50 PM   #3
cov (Original Poster)
It turns out I had to compile Squid with the following.

./configure --prefix=/usr/local/squid --enable-linux-netfilter --enable-auth="ntlm,basic" --enable-auth-modules="PAM,NCSA"

What I want is for users to access the 'net without having to change the browser configuration (ie 'transparently').

But I need to be able to track users' usage, so I need them to log in to authenticate themselves so that they can be identified by name rather than their IP (which will vary on DHCP).

Googling I see that this is not possible; that transparent proxying precludes authentication. Beats me why.
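Added example, not from the thread: the squid.conf and PAM pieces that put the helper from the build above to work for Basic authentication. It assumes the --prefix=/usr/local/squid build, under which Squid 3 installs helpers in /usr/local/squid/libexec/ (the /usr/lib/squid/pam_auth path in the HOWTOs is where distribution packages put it), and a Debian-style /etc/pam.d/ with the common-auth file quoted in the first post. The realm text and the "authenticated" ACL name are arbitrary.

```conf
# --- /usr/local/squid/etc/squid.conf (fragment) ---
# pam_auth speaks the Squid basic-auth helper protocol: it reads one
# "username password" line on stdin and answers OK or ERR.
auth_param basic program /usr/local/squid/libexec/pam_auth
auth_param basic children 5
auth_param basic realm Proxy login
auth_param basic credentialsttl 2 hours

# Challenge every client; once a user has authenticated, the name appears in
# the user column of access.log instead of "-".
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

# --- /etc/pam.d/squid ---
# pam_auth asks PAM for the service name "squid" by default, so this file,
# not /etc/pam.conf, is what gets consulted. Reuse the system-wide stack.
@include common-auth
@include common-account
```

Check the helper on its own before touching squid.conf: `echo "fred secret" | /usr/local/squid/libexec/pam_auth` must print `OK` for a valid account and `ERR` otherwise. If it says ERR for a good password, the usual cause is that pam_unix cannot read /etc/shadow; pam_auth has to run as root for that (owned by root and setuid, with execute permission restricted to the user Squid runs as). Two caveats a practitioner should weigh: Basic sends the name and password base64-encoded, not encrypted, on every request, so it is only acceptable where the browser-to-proxy path is trusted; and the 407 challenge only works when the browser knows it is talking to a proxy, which is the limitation the rest of this thread runs into.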
 
Old 02-27-2008, 11:54 PM   #4
cov (Original Poster)
Would it be possible to replace the "/usr/local/squid/share/errors/English/ERR_ACCESS_DENIED" page with a custom one providing for usernames and passwords.

A Perl script might then be able to generate a file accessible to the "acl AuthorisedUser src /var/log/squid/iplistfile" directive.

Is this feasible?

Has anyone done something similar?

Or is there an easier solution?
 
Old 02-28-2008, 04:33 AM   #5
homey
All of the information shows up in the /var/log/squid/access.log and/or /var/log/dansguardian/access.log
If you have authentication enabled, the user name and PC address might look like this in the squid access.log
Code:
1203889364.488      0 192.168.0.1 TCP_HIT/200 21287 GET http://linuxquestions.cachefly.net/images/questions/images/LinuxQuestions.png fred NONE/- image/png
or like this in the dansguardian access.log
Code:
2008.2.28 5:17:31 fred 192.168.0.1 http://www.someplace.com/styles/styles1.css  GET 1721
From there, you can use a perl script like one found at the dansguardian site to dump the access log into an html file which is much more readable.
 
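Added example, not from the thread: a small parser for both log formats shown above that totals bytes per identity, and that does the one thing the original poster cares about, namely telling an authenticated name apart from a bare DHCP address. The first line of each sample list is the one quoted in the post; the remaining lines are constructed (example.com hosts and byte counts are made up).

```python
"""Per-identity traffic totals from Squid native access.log and DansGuardian
access.log lines. Example code written for this thread, not part of Squid or
DansGuardian. Sample lines below are constructed except the first of each."""
import re
from collections import defaultdict

# Squid native format: time elapsed client code/status bytes method URL user peer/host type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<peer>\S+)\s+(?P<mime>\S+)\s*$"
)

# DansGuardian default format: date time user ip url reason method size [...]
# "reason" is empty for allowed requests, which is why the quoted line has two
# spaces before GET; the non-greedy group absorbs whatever is (or is not) there.
DG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<user>\S+) (?P<client>\S+) (?P<url>\S+) "
    r"(?P<reason>.*?) (?P<method>[A-Z]+) (?P<bytes>\d+)(?:\s|$)"
)


def parse_squid(line):
    """One native-format access.log line -> record dict, or None if it does not parse."""
    m = SQUID_RE.match(line)
    if not m:
        return None
    return {"user": m["user"], "client": m["client"],
            "bytes": int(m["bytes"]), "url": m["url"]}


def parse_dansguardian(line):
    """One DansGuardian access.log line -> record dict, or None if it does not parse."""
    m = DG_RE.match(line)
    if not m:
        return None
    return {"user": m["user"], "client": m["client"],
            "bytes": int(m["bytes"]), "url": m["url"]}


def identity(rec):
    """Accounting key: the authenticated name, or the client address when the
    user field is '-' (no credentials were presented, as in transparent mode).
    An address is not an identity on a DHCP network, so it is tagged 'ip:'."""
    return rec["user"] if rec["user"] != "-" else "ip:" + rec["client"]


def usage_by_identity(lines, parser):
    """Bytes per identity, plus how many requests carried no authenticated user."""
    totals = defaultdict(int)
    unauthenticated = 0
    for line in lines:
        rec = parser(line)
        if rec is None:
            continue  # malformed or foreign line: skip rather than miscount
        key = identity(rec)
        if key.startswith("ip:"):
            unauthenticated += 1
        totals[key] += rec["bytes"]
    return dict(totals), unauthenticated


# Constructed samples (first line of each list is the one quoted in the post).
SQUID_SAMPLE = [
    "1203889364.488      0 192.168.0.1 TCP_HIT/200 21287 GET http://linuxquestions.cachefly.net/images/questions/images/LinuxQuestions.png fred NONE/- image/png",
    "1203889370.102    312 192.168.0.1 TCP_MISS/200 5120 GET http://www.example.com/index.html fred DIRECT/192.0.2.10 text/html",
    "1203889375.900    150 192.168.0.23 TCP_MISS/200 2048 GET http://www.example.com/style.css - DIRECT/192.0.2.10 text/css",
]
DG_SAMPLE = [
    "2008.2.28 5:17:31 fred 192.168.0.1 http://www.someplace.com/styles/styles1.css  GET 1721",
    "2008.2.28 5:17:40 fred 192.168.0.1 http://www.example.com/ *DENIED* Banned site: example.com GET 0",
    "2008.2.28 5:18:02 - 192.168.0.23 http://www.example.com/a.png  GET 900",
]

if __name__ == "__main__":
    for name, lines, parser in (("squid", SQUID_SAMPLE, parse_squid),
                                ("dansguardian", DG_SAMPLE, parse_dansguardian)):
        totals, unauth = usage_by_identity(lines, parser)
        print(name, totals, "unauthenticated requests:", unauth)
```

Run it against a real log with `usage_by_identity(open("/var/log/squid/access.log"), parse_squid)`. A non-zero unauthenticated count is the quickest way to confirm what the thread is discussing: with interception in place, every request ends up under an `ip:` key and the name column never fills.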
Old 02-28-2008, 04:41 AM   #6
cov (Original Poster)
Yes,

The log looks like the first example you give, which is obviously not sufficient for my purpose.

The second example is really what I'm after, but my information is that user authentication is not compatible with the transparent proxy behaviour. ie, because the browser is unaware of the existence of the proxy, it will not respond to a request for a username and password from it.
 
Old 02-28-2008, 04:59 AM   #7
homey
Quote:
but my information is that user authentication is not compatible with the transparent proxy behaviour
Correct.
You still get the ip address when not using authentication. But, it's a general pain to get user info when using transparent.
 
Old 02-29-2008, 04:11 AM   #8
cov (Original Poster)
The point is that my users access multiple networks with multiple network ranges.

I cannot have them reconfiguring their browsers when they access through my server.
 
Old 02-29-2008, 04:25 AM   #9
cov (Original Poster)
I can't believe that there is not a work-around for this...

For example, if I can set up a file containing an ip address on each line /etc/squid/iplist.

And then I set up the squid.conf to have the following line:

acl authorisedip src "/etc/squid/iplist"

I can change the ERR_ACCESS_DENIED file to contain a form which calls a perl program (catchip.pl) passing it a username and password which, if correct, appends the user's ip to the /etc/squid/iplist file. (removing the IP when the user closes his browser would be trickier).

The problem is that any links in the ERR_ACCESS_DENIED file are appended to the original URL. So, if the user has requested the URL www.toyota.co.za, the form in the ERR file will try to call http://www.toyota.co.za/cgi-bin/catchip.cgi instead of the local cgi-bin/catchip.cgi.

I can't believe that this avenue has not been fully explored....
 
Old 02-29-2008, 05:39 AM   #10
cov (Original Poster)
Well, in answer to a couple of my questions, the answer is to set up your links as http://localhost/cgi-bin/catchip.pl.

However, the whole scheme seems to fall down because Squid appears to cache the iplist file. So it needs to be restarted in order to re-read that file. Which totally subverts its usefulness.

Any other suggestions would be most welcome. I can't believe that I'm the only one who wants this kind of functionality?
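Added example, not from the thread: the back end that the login form in the two posts above would call, written to show what is actually needed to make the iplist scheme hold together. Squid reads a file-backed `src` ACL only while parsing squid.conf, so after every change the running instance must be told to re-parse with `squid -k reconfigure`; that is a reload, not the restart the post describes. Credentials are checked by handing them to the same pam_auth helper built earlier, so the CGI and the proxy agree on who a user is. Assumptions: the helper lives at /usr/local/squid/libexec/pam_auth and the squid binary at /usr/local/squid/sbin/squid (the --prefix=/usr/local/squid build), and the list file is the /etc/squid/iplist named in the acl line. The function names are mine.

```python
"""Maintain the file-backed source-IP allow list used by
  acl authorisedip src "/etc/squid/iplist"
Example code written for this thread; paths are assumptions for a
--prefix=/usr/local/squid build, not anything Squid ships."""
import fcntl
import ipaddress
import os
import subprocess
import tempfile

IPLIST = "/etc/squid/iplist"                     # assumed: the file named in the acl line
PAM_AUTH = "/usr/local/squid/libexec/pam_auth"   # assumed helper path for this prefix
SQUID = "/usr/local/squid/sbin/squid"            # assumed squid binary for this prefix


def helper_accepts(user, password, helper=PAM_AUTH):
    """Verify credentials by speaking the Squid basic-auth helper protocol to
    pam_auth: one "user password" line on stdin, one OK/ERR line back."""
    if not user or any(ch in user + password for ch in " \t\r\n"):
        return False  # would break the line-oriented protocol; refuse rather than guess
    proc = subprocess.run([helper], input=f"{user} {password}\n",
                          capture_output=True, text=True, timeout=10)
    return proc.stdout.split()[:1] == ["OK"]


def reconfigure():
    """Squid only reads file-backed ACLs while parsing squid.conf, so the
    running instance must re-parse after the list changes (no restart)."""
    subprocess.run([SQUID, "-k", "reconfigure"], check=True)


def listed(path):
    """Addresses currently in the list (blank and comment lines ignored)."""
    try:
        with open(path) as fh:
            return {ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")}
    except FileNotFoundError:
        return set()


def grant(client_ip, path=IPLIST, reload_squid=True):
    """Add client_ip to the list; True if the list changed. client_ip comes
    from REMOTE_ADDR, i.e. untrusted input, so it is parsed, not trusted."""
    ip = str(ipaddress.ip_address(client_ip))  # ValueError on anything that is not an address
    with open(path, "a+") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)         # two logins at once must not interleave writes
        fh.seek(0)
        if ip in {ln.strip() for ln in fh}:
            return False
        fh.seek(0, os.SEEK_END)
        fh.write(ip + "\n")
    if reload_squid:
        reconfigure()
    return True


def revoke(client_ip, path=IPLIST, reload_squid=True):
    """Remove client_ip (logout or lease expiry); True if it was present."""
    ip = str(ipaddress.ip_address(client_ip))
    with open(path, "a+") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)
        fh.seek(0)
        lines = fh.readlines()
        keep = [ln for ln in lines if ln.strip() != ip]
        if len(keep) == len(lines):
            return False
        fh.seek(0)
        fh.truncate()
        fh.writelines(keep)
    if reload_squid:
        reconfigure()
    return True


def demo_list_path():
    """A throw-away list file so the functions can be tried without touching
    /etc/squid or signalling a real Squid."""
    fd, path = tempfile.mkstemp(prefix="iplist-")
    os.close(fd)
    return path


if __name__ == "__main__":
    path = demo_list_path()
    print(grant("192.168.0.23", path, reload_squid=False), sorted(listed(path)))
```

In a CGI the call sequence is `helper_accepts(user, password)` and, on success, `grant(os.environ["REMOTE_ADDR"])`; the web server user then needs write access to the list and a way (sudo, typically) to signal Squid. Two things to keep in mind before relying on this: the grant is bound to an address, so anyone behind the same NAT, or who can take over that address after a DHCP lease ends, inherits the session, which is why `revoke` on logout or lease expiry is not optional; and the form behind ERR_ACCESS_DENIED is sending a password over plain HTTP, so it belongs on an https URL. Squid's `external_acl_type` directive, with its `ttl=` option, is the mechanism designed for exactly this kind of dynamic per-address lookup without a reconfigure per login, and is worth reading up on as the cleaner alternative.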
 
  

