[SOLVED] Squid 3 Pam Auth issue

w00dy101 · 05-03-2013, 05:54 AM

Hi Guys

I have recently set up a Squid 3 on Squeeze and am trying to get some basic authentication for it up and running.

I've followed just about every tut on how to do this for Pam auth, but it doesn't seem to be working...

There are no errors or anything that I can see, just that no auth prompt shows up in the browser when testing.

My squid.conf

Code:

auth_param basic program /usr/lib/squid3/basic_pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

My /etc/pam.d/squid

Code:

auth required /lib/security/pam_unix.so
account required /lib/security/pam_unix.so

Log : /var/log/squid3/cache.log

Code:

2013/05/03 09:33:16 kid1| Starting Squid Cache version 3.2.0.16 for x86_64-pc-linux-gnu...
2013/05/03 09:33:16 kid1| Process ID 10091
2013/05/03 09:33:16 kid1| Process Roles: worker
2013/05/03 09:33:16 kid1| With 65535 file descriptors available
2013/05/03 09:33:16 kid1| Initializing IP Cache...
2013/05/03 09:33:16 kid1| DNS Socket created at 0.0.0.0, FD 7
2013/05/03 09:33:16 kid1| Adding nameserver 196.41.128.253 from /etc/resolv.conf
2013/05/03 09:33:16 kid1| Adding nameserver 196.41.128.252 from /etc/resolv.conf
2013/05/03 09:33:16 kid1| helperOpenServers: Starting 0/5 'basic_pam_auth' processes
2013/05/03 09:33:16 kid1| helperOpenServers: No 'basic_pam_auth' processes needed.
2013/05/03 09:33:16 kid1| Logfile: opening log daemon:/var/log/squid3/access.log
2013/05/03 09:33:16 kid1| Logfile Daemon: opening log /var/log/squid3/access.log
2013/05/03 09:33:16 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec

*Just a note, my system didnt have 'pam_auth' but rather 'basic_pam_auth' could this be the difference?

The permission on 'basic_pam_auth' are...
-rwsr-xr-x 1 root root 14648 Apr 3 2012 basic_pam_auth

So everything "seems ok", but for the life of me, it just plain doesn't work.

Have I missed something at all here?

masterxc · 05-03-2013, 09:21 AM

In your Squid ACLs, ensure that there are no rules above it that your connection is being filtered through. It goes top-down, so if you have an ALLOW rule that matches then it'll never reach your authentication ACL.

silli · 05-04-2013, 11:48 AM

The problem is most likely in your ACLs as masterxc told above.

I was able to get Squid3 with PAM authentication working on Debian Squeeze and here's my configuration.

/etc/squid3/squid.conf (there may be some stuff that's not needed but it should work)

Code:

auth_param basic program /usr/lib/squid3/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl pam proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow pam
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

/etc/pam.d/squid

Code:

auth required pam_unix.so
account required pam_unix.so

Squid also needs to access /etc/shadow.

Code:

# gpasswd -a proxy shadow

w00dy101 · 05-10-2013, 07:57 AM

Thank you both

Both of you guys were correct in that ACL rules were the problem. It was not in the correct order and I have now rearranged it to be from top down, and bam!, all is well!

Thanks masterxc & silli.