Re: [squid-users] Replay Auth

From: FredB <fredbmail_at_free.fr>
Date: Thu, 21 Nov 2013 11:09:51 +0100 (CET)

> I have an idea and TODO list entry for making that happen. But nobody
> has yet sponsored the few days work that will take and my spare time
> has been dedicated towards other more interesting developments.
>

Unfortunately I am not qualified to do it, but I think this should be a really useful feature.
Also this kind of option can increase the security with squid; actually when the user leaves his workspace anybody can surf, and worse, he can anytime ....

A good security policy:

- The user doesn't save his login/password
- Squid automatically disconnects the user after x hours

Actually we can just tell the user "you must close your browser", but there are still two problems: the user forgets, and also some software uses the browser ident and stays open.
 

> >
> > Another question, how I can force some kind of browsers to use one
> > particular ident method or another ?
> > For example Firefox, IE only with digest
>
> You can't. see RFC 2617 section 1.2:
>
> "The user agent MUST choose to use one of the challenges with the
> strongest auth-scheme it understands and request credentials from the
> user based upon that challenge."
>

Maybe I can just deny the basic identification? I mean the browser can show the second banner but the user is denied by squid?
My problem is that I need to enforce the security, because some identifications are stolen.
But with my configuration, it's very unstable, the users change their identifications for digest or basic (and opposite) for many reasons*, and I can remove basic because there are some incompatible tools like wget

An example: If I restart squid, sometimes I'm automatically reconnected by my browser in Basic mode and after that I never change (except if I close my browser of course)

Thanks

Fred
 
  
Received on Thu Nov 21 2013 - 10:10:09 MST
