Old 05-03-2013, 05:54 AM   #1
w00dy101
LQ Newbie
 
Registered: Mar 2013
Location: South Africa
Distribution: Debian
Posts: 12

Rep: Reputation: Disabled
Squid 3 Pam Auth issue


Hi Guys

I have recently set up a Squid 3 on Squeeze and am trying to get some basic authentication for it up and running.

I've followed just about every tut on how to do this for Pam auth, but it doesn't seem to be working...

There are no errors or anything that I can see, just that no auth prompt shows up in the browser when testing.

My squid.conf

Code:
auth_param basic program /usr/lib/squid3/basic_pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
My /etc/pam.d/squid

Code:
auth required /lib/security/pam_unix.so
account required /lib/security/pam_unix.so
Log : /var/log/squid3/cache.log

Code:
2013/05/03 09:33:16 kid1| Starting Squid Cache version 3.2.0.16 for x86_64-pc-linux-gnu...
2013/05/03 09:33:16 kid1| Process ID 10091
2013/05/03 09:33:16 kid1| Process Roles: worker
2013/05/03 09:33:16 kid1| With 65535 file descriptors available
2013/05/03 09:33:16 kid1| Initializing IP Cache...
2013/05/03 09:33:16 kid1| DNS Socket created at 0.0.0.0, FD 7
2013/05/03 09:33:16 kid1| Adding nameserver 196.41.128.253 from /etc/resolv.conf
2013/05/03 09:33:16 kid1| Adding nameserver 196.41.128.252 from /etc/resolv.conf
2013/05/03 09:33:16 kid1| helperOpenServers: Starting 0/5 'basic_pam_auth' processes
2013/05/03 09:33:16 kid1| helperOpenServers: No 'basic_pam_auth' processes needed.
2013/05/03 09:33:16 kid1| Logfile: opening log daemon:/var/log/squid3/access.log
2013/05/03 09:33:16 kid1| Logfile Daemon: opening log /var/log/squid3/access.log
2013/05/03 09:33:16 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
*Just a note, my system didn't have 'pam_auth' but rather 'basic_pam_auth'; could this be the difference?

The permissions on 'basic_pam_auth' are...
-rwsr-xr-x 1 root root 14648 Apr 3 2012 basic_pam_auth

So everything "seems ok", but for the life of me, it just plain doesn't work.

Have I missed something at all here?
 
Old 05-03-2013, 09:21 AM   #2
masterxc
LQ Newbie
 
Registered: May 2013
Posts: 6

Rep: Reputation: Disabled
In your Squid ACLs, ensure that there are no rules above it that your connection is being filtered through. It goes top-down, so if you have an ALLOW rule that matches then it'll never reach your authentication ACL.
 
2 members found this post helpful.
Old 05-04-2013, 11:48 AM   #3
silli
LQ Newbie
 
Registered: Apr 2013
Location: Finland
Distribution: Debian, Ubuntu, Centos
Posts: 1

Rep: Reputation: Disabled
The problem is most likely in your ACLs, as masterxc said above.

I was able to get Squid3 with PAM authentication working on Debian Squeeze and here's my configuration.

/etc/squid3/squid.conf (there may be some stuff that's not needed but it should work)
Code:
auth_param basic program /usr/lib/squid3/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl pam proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow pam
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
/etc/pam.d/squid
Code:
auth required pam_unix.so
account required pam_unix.so

Squid also needs to access /etc/shadow.

Code:
# gpasswd -a proxy shadow
 
1 members found this post helpful.
Old 05-10-2013, 07:57 AM   #4
w00dy101
LQ Newbie
 
Registered: Mar 2013
Location: South Africa
Distribution: Debian
Posts: 12

Original Poster
Rep: Reputation: Disabled
Thank you both

Both of you guys were correct in that ACL rules were the problem. They were not in the correct order and I have now rearranged them to be from top down, and bam!, all is well!

Thanks masterxc & silli.
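
The ordering problem that resolved this thread, as an added example that is not code from any of the posters: Squid evaluates `http_access` lines top-down and stops at the first match, so an `allow` rule placed above the first rule that consults a `proxy_auth` ACL lets matching requests through with no login prompt. The checker is a simplified sketch of that check; the two sample configs and the `localnet` ACL are constructed, and `pam` is the ACL name from silli's post.

```python
# Added example: flag http_access allow rules that Squid evaluates before
# any proxy_auth ACL is consulted (first matching rule wins).

def parse(conf):
    """Return (auth ACL names, ordered http_access rules) from squid.conf text."""
    auth_acls, rules = set(), []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(fields) >= 3 and fields[0] == "acl" and fields[2].startswith("proxy_auth"):
            auth_acls.add(fields[1])               # e.g. "acl pam proxy_auth REQUIRED"
        elif len(fields) >= 3 and fields[0] == "http_access":
            rules.append((lineno, fields[1], fields[2:]))
    return auth_acls, rules


def unauthenticated_allows(conf):
    """List (line number, rule) of allow rules that precede the first auth rule."""
    auth_acls, rules = parse(conf)
    findings = []
    for lineno, action, acls in rules:
        # "!name" negates an ACL but still makes Squid evaluate it.
        if any(a.lstrip("!") in auth_acls for a in acls):
            break                                  # credentials are requested from here on
        if action == "allow":
            findings.append((lineno, "http_access allow " + " ".join(acls)))
    return findings


# Constructed sample: the allow for localnet matches first, so no prompt appears.
BROKEN = """\
acl localnet src 192.168.0.0/16
acl pam proxy_auth REQUIRED
http_access allow localnet
http_access allow pam
http_access deny all
"""

# Constructed sample: unauthenticated requests are challenged before any allow.
FIXED = """\
acl localnet src 192.168.0.0/16
acl pam proxy_auth REQUIRED
http_access deny !pam
http_access allow localnet
http_access deny all
"""

if __name__ == "__main__":
    for name, conf in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, unauthenticated_allows(conf))
```

Rules it reports are not necessarily wrong (an allow for the cache manager from localhost is common), but each one is a path through the proxy that never asks for credentials.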
 
  

