-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 2/09/2014 10:02 p.m., James Harper wrote:
> I mentioned at the tail of another email, I'd like to see a better
> out-of-band authentication protocol than ident. Such a protocol
> would have:
>
> . a single connection from squid over which all identification
>   requests travel. Not one connection per request as with ident.
> . two way authentication (psk or certificate)
> . encryption (tls)
> . full connection description (src ip, src port, dst ip, dst port) so
>   that interception proxy works (ident only exchanges port numbers)
> . optional reverse connection (client connects to squid rather than
>   squid connecting to client - only useful for a single proxy server
>   but means no firewall exceptions on the client)
> . probably still use port 113 (not that it really matters...)
>
> Does such a thing exist already?
The "external" ACL type runs one (or several) helper programs on
persistent connections which perform arbitrary out-of-band operations
and return to Squid the authorization approval to allow/deny the
transaction.
There is Negotiate authentication. The security tokens are set up
out-of-band and used securely in-band.
I also have a patch implementing OAuth 2.0 Bearer authentication for
Squid. Although it needs some polishing and clients supporting
proxy-auth Bearer seem to be a rarity still. Sponsorship welcome to
get those final steps completed.
Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
iQEcBAEBAgAGBQJUBb55AAoJELJo5wb/XPRjQjUIAL9JK6YCo/2q7a0fQAgLL5qi
ZyKiSaTAaBj5vr2AQQTrrUs2KLrKvt0rEr+EIPXja2ZFArlDkCYbIGCkNC7VuSuI
Ftwa6LJaTq5vuMWn3ih4s00pERKjviSUesxlDJzQZwjNqJtiP69uxbo8EBsGTLVQ
Qs83D8RwNmAi6XyM6U7M6hMYRUZksD9t4WLAfmD5Q+ivDnw5ehIlig6XOPHYnBHM
ObpNaGZ6ZPliK65+FO4fAP+zW6meLPo/Zv2lMOvpjFvVdTb1vH48zqOVr57EAy4a
WlIm8oiAu09VLFNA0Lmry/hs8+qk0fsNNEDx2fFHfFnHULzXFab2FwpSvmfsS3U=
=6RCw
-----END PGP SIGNATURE-----
Received on Tue Sep 02 2014 - 12:56:38 MDT
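Added example (not code from this thread and not Squid's own helper code): a minimal Python external_acl_type helper showing the persistent-connection line protocol Amos refers to. It assumes a squid.conf entry that passes %SRC %SRCPORT %MYADDR %MYPORT with concurrency= enabled (so every request line carries a channel id the reply must echo), a hypothetical ACL name `connid`, and a constructed in-memory session table standing in for whatever out-of-band agent would really own the (client IP, client port) to user mapping.

```python
#!/usr/bin/env python3
"""Minimal Squid external_acl helper (added example, not Squid's code).

Assumed squid.conf (hypothetical ACL name and helper path):

  external_acl_type connid ttl=10 negative_ttl=1 concurrency=16 \
      %SRC %SRCPORT %MYADDR %MYPORT /usr/local/bin/connid-helper.py
  acl known_client external connid
  http_access allow known_client
  http_access deny all

Squid writes one request per line to the helper's stdin and keeps the
pipe open for the life of the process, so one helper answers many
lookups. Replies are 'OK', 'ERR' or 'BH' plus optional key=value pairs.
"""
import sys
import urllib.parse

# Constructed sample table: which user currently owns a given
# (client IP, client source port). A real helper would consult an
# agent over its own mutually authenticated channel instead.
SESSION_TABLE = {
    ("192.0.2.10", 51234): "alice",
    ("192.0.2.11", 40001): "bob",
}


def parse_request(line):
    """Split '<channel-id> <src> <srcport> <myaddr> <myport>' into a dict.

    Squid %-encodes field values, so each field is decoded. A line with
    the wrong field count is rejected rather than guessed at.
    """
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 5:
        raise ValueError("unexpected field count: %d" % len(parts))
    chan, src, srcport, myaddr, myport = (urllib.parse.unquote(p) for p in parts)
    return {
        "channel": chan,
        "src": src,
        "srcport": int(srcport),
        "myaddr": myaddr,
        "myport": int(myport),
    }


def decide(req, table=SESSION_TABLE):
    """Return the reply body ('OK ...' or 'ERR ...') for one request.

    user= is returned so Squid can log the name and later ACLs can use it.
    The value is %-encoded in case a name ever carries spaces or quotes.
    """
    user = table.get((req["src"], req["srcport"]))
    if user is None:
        return "ERR message=unknown_connection"
    return "OK user=%s" % urllib.parse.quote(user, safe="")


def handle_line(line, table=SESSION_TABLE):
    """Turn one request line into one reply line, always echoing the
    channel id. 'BH' tells Squid the helper itself failed on this lookup,
    which is distinct from a deliberate ERR (deny)."""
    chan = line.split(" ", 1)[0].rstrip("\r\n")
    try:
        req = parse_request(line)
    except ValueError as exc:
        return "%s BH message=%s" % (chan, urllib.parse.quote(str(exc), safe=""))
    return "%s %s" % (req["channel"], decide(req, table))


def main():
    # Serve requests until Squid closes the pipe. Flushing after every
    # reply matters: buffered output would leave Squid waiting.
    for line in sys.stdin:
        if not line.strip():
            continue
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The design point worth noting against the wish list in the quoted mail: Squid already supplies the full four-tuple of the client connection to the helper, so the helper, not Squid, becomes the place where the out-of-band channel (PSK/TLS to an agent, single long-lived connection, reverse connection) is implemented, and the helper's reply is the only thing Squid trusts for the allow/deny decision.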