Squid as Kerberos client?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
11 messages Options
Reply | Threaded
Open this post in threaded view
|

Squid as Kerberos client?

Patrick Nick
Hello list, 

We are in the process of Kerberizing our Big Data operation, but we have a GUI tool in use that is not capable of Kerberos authentication. I'm looking for a way to keep using it, which means that it needs to read data from a Kerberos-protected service.

To be clear, I'm looking for a proxy that will take care of the authentication so that our GUI tool does not need to know. It should "enrich" the client's "dumb" request to an authenticated request. This lowers security of course, but I will use other means to make sure that only that app can talk to the proxy on the network.

I looked into nginx but didn't find a way to do what I want.

Can squid do this?
I've been trying some configs according to https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos, but it seems that it always wants to pass the "negotiate" request to the client, which I'm trying to avoid.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Squid as Kerberos client?

Enrico Heine
Hi,

Easy going, you can allow traffic from a specific source or traffic to a specific destination before you require authentication on the proxy. You can also restrict it to both, src and destination and additionaly specific ports. But squid cannot authenticate those requests on the destination server if it needs authentication as well.

Best regards,
Enrico

Am 14. März 2018 18:58:54 MEZ schrieb Patrick Nick <[hidden email]>:
Hello list, 

We are in the process of Kerberizing our Big Data operation, but we have a GUI tool in use that is not capable of Kerberos authentication. I'm looking for a way to keep using it, which means that it needs to read data from a Kerberos-protected service.

To be clear, I'm looking for a proxy that will take care of the authentication so that our GUI tool does not need to know. It should "enrich" the client's "dumb" request to an authenticated request. This lowers security of course, but I will use other means to make sure that only that app can talk to the proxy on the network.

I looked into nginx but didn't find a way to do what I want.

Can squid do this?
I've been trying some configs according to https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos, but it seems that it always wants to pass the "negotiate" request to the client, which I'm trying to avoid.

--
Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Squid as Kerberos client?

Patrick Nick
Hi Enrico, 

You write
But squid cannot authenticate those requests on the destination server if it needs authentication as well.

So how do I make it NOT need authentication?
I want it to authenticate the request on behalf of the client, so that my client app does not need to authenticate.
Squid can use the keytab that I give it for that.
 

On Wed, Mar 14, 2018 at 7:22 PM, Enrico Heine <[hidden email]> wrote:
Hi,

Easy going, you can allow traffic from a specific source or traffic to a specific destination before you require authentication on the proxy. You can also restrict it to both, src and destination and additionaly specific ports. But squid cannot authenticate those requests on the destination server if it needs authentication as well.

Best regards,
Enrico


Am 14. März 2018 18:58:54 MEZ schrieb Patrick Nick <[hidden email]>:
Hello list, 

We are in the process of Kerberizing our Big Data operation, but we have a GUI tool in use that is not capable of Kerberos authentication. I'm looking for a way to keep using it, which means that it needs to read data from a Kerberos-protected service.

To be clear, I'm looking for a proxy that will take care of the authentication so that our GUI tool does not need to know. It should "enrich" the client's "dumb" request to an authenticated request. This lowers security of course, but I will use other means to make sure that only that app can talk to the proxy on the network.

I looked into nginx but didn't find a way to do what I want.

Can squid do this?
I've been trying some configs according to https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos, but it seems that it always wants to pass the "negotiate" request to the client, which I'm trying to avoid.

--
Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Squid as Kerberos client?

Enrico Heine
Which protocols and ports is that GUI tool using for what it's doing with it's remote endpoint that requires kerberos authentication?

Am 14. März 2018 19:27:48 MEZ schrieb Patrick Nick <[hidden email]>:
Hi Enrico, 

You write
But squid cannot authenticate those requests on the destination server if it needs authentication as well.

So how do I make it NOT need authentication?
I want it to authenticate the request on behalf of the client, so that my client app does not need to authenticate.
Squid can use the keytab that I give it for that.
 

On Wed, Mar 14, 2018 at 7:22 PM, Enrico Heine <[hidden email]> wrote:
Hi,

Easy going, you can allow traffic from a specific source or traffic to a specific destination before you require authentication on the proxy. You can also restrict it to both, src and destination and additionaly specific ports. But squid cannot authenticate those requests on the destination server if it needs authentication as well.

Best regards,
Enrico


Am 14. März 2018 18:58:54 MEZ schrieb Patrick Nick <[hidden email]>:
Hello list, 

We are in the process of Kerberizing our Big Data operation, but we have a GUI tool in use that is not capable of Kerberos authentication. I'm looking for a way to keep using it, which means that it needs to read data from a Kerberos-protected service.

To be clear, I'm looking for a proxy that will take care of the authentication so that our GUI tool does not need to know. It should "enrich" the client's "dumb" request to an authenticated request. This lowers security of course, but I will use other means to make sure that only that app can talk to the proxy on the network.

I looked into nginx but didn't find a way to do what I want.

Can squid do this?
I've been trying some configs according to https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos, but it seems that it always wants to pass the "negotiate" request to the client, which I'm trying to avoid.

--
Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.


--
Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Squid as Kerberos client?

Patrick Nick
It consumes the data for its graphs from a REST API via HTTP, on ports in the 8000-9000 range.

On Wed, Mar 14, 2018 at 8:43 PM, Enrico Heine <[hidden email]> wrote:
Which protocols and ports is that GUI tool using for what it's doing with it's remote endpoint that requires kerberos authentication?

Am 14. März 2018 19:27:48 MEZ schrieb Patrick Nick <[hidden email]>:
Hi Enrico, 

You write
But squid cannot authenticate those requests on the destination server if it needs authentication as well.

So how do I make it NOT need authentication?
I want it to authenticate the request on behalf of the client, so that my client app does not need to authenticate.
Squid can use the keytab that I give it for that.
 

On Wed, Mar 14, 2018 at 7:22 PM, Enrico Heine <[hidden email]> wrote:
Hi,

Easy going, you can allow traffic from a specific source or traffic to a specific destination before you require authentication on the proxy. You can also restrict it to both, src and destination and additionaly specific ports. But squid cannot authenticate those requests on the destination server if it needs authentication as well.

Best regards,
Enrico


Am 14. März 2018 18:58:54 MEZ schrieb Patrick Nick <[hidden email]>:
Hello list, 

We are in the process of Kerberizing our Big Data operation, but we have a GUI tool in use that is not capable of Kerberos authentication. I'm looking for a way to keep using it, which means that it needs to read data from a Kerberos-protected service.

To be clear, I'm looking for a proxy that will take care of the authentication so that our GUI tool does not need to know. It should "enrich" the client's "dumb" request to an authenticated request. This lowers security of course, but I will use other means to make sure that only that app can talk to the proxy on the network.

I looked into nginx but didn't find a way to do what I want.

Can squid do this?
I've been trying some configs according to https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos, but it seems that it always wants to pass the "negotiate" request to the client, which I'm trying to avoid.

--
Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.


--
Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Squid as Kerberos client?

Amos Jeffries
Administrator
On 15/03/18 11:01, Patrick Nick wrote:
> It consumes the data for its graphs from a REST API via HTTP, on ports
> in the 8000-9000 range.
>

Then you can use cache_peer from the proxy to the origin server. See the
"AUTHENTICATION OPTIONS" section for how to send various types of
credentials to that peer.
<http://www.squid-cache.org/Doc/config/cache_peer/>

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Squid as Kerberos client?

Patrick Nick
Thanks Amos, this sounded promising. Unfortunately the behavior I observe is not what I expect.
So I added the following config:

cache_peer my.company.webserver.net parent 8081 0 no-query login=NEGOTIATE:myPrincipal

But now squid still does not do the SPNEGO negotiation. I can see in the logs that it connects to the specified "parent" cache_peer, which returns "401 Unauthorized" as expected. But then squid just returns that to the client instead of sending another request with the Kerberos ticket to complete the negotiation.
Am I misunderstanding what's supposed to happen? 
Or am I not configuring it right? (The keytab is readable by the squid user)

On Thu, Mar 15, 2018 at 9:44 AM, Amos Jeffries <[hidden email]> wrote:
On 15/03/18 11:01, Patrick Nick wrote:
> It consumes the data for its graphs from a REST API via HTTP, on ports
> in the 8000-9000 range.
>

Then you can use cache_peer from the proxy to the origin server. See the
"AUTHENTICATION OPTIONS" section for how to send various types of
credentials to that peer.
<http://www.squid-cache.org/Doc/config/cache_peer/>

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Squid as Kerberos client?

Amos Jeffries
Administrator
On 15/03/18 23:52, Patrick Nick wrote:
> Thanks Amos, this sounded promising. Unfortunately the behavior I
> observe is not what I expect.
> So I added the following config:
>
> cache_peer my.company.webserver.net <http://my.company.webserver.net>
> parent 8081 0 no-query login=NEGOTIATE:myPrincipal
>

Since this is an origin server and not a proxy it requires the
"originserver" option as well.


Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Squid as Kerberos client?

Patrick Nick
Thank you. It doesn't seem that the "originserver" makes a difference to may case though.

I was able to resolve my issue after I understood that I forgot to pay attention to cookies. The API expects the client to use cookies, which I didn't do until now, which resulted in a continuous "401 Unauthorized" loop.

I have more problems but will start a separate question for that.

On Thu, Mar 15, 2018 at 12:53 PM, Amos Jeffries <[hidden email]> wrote:
On 15/03/18 23:52, Patrick Nick wrote:
> Thanks Amos, this sounded promising. Unfortunately the behavior I
> observe is not what I expect.
> So I added the following config:
>
> cache_peer my.company.webserver.net <http://my.company.webserver.net>
> parent 8081 0 no-query login=NEGOTIATE:myPrincipal
>

Since this is an origin server and not a proxy it requires the
"originserver" option as well.


Amos


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Squid as Kerberos client?

Amos Jeffries
Administrator
On 17/03/18 06:41, Patrick Nick wrote:
> Thank you. It doesn't seem that the "originserver" makes a difference to
> may case though.
>
> I was able to resolve my issue after I understood that I forgot to pay
> attention to cookies. The API expects the client to use cookies, which I
> didn't do until now, which resulted in a continuous "401 Unauthorized" loop.
>

Ah, Cookies. The bane of the Internet. They can be dealt with, but you
are not going to like the difficulty level.

Your choices AFAIK (in order of easiest to seriously tricky) are to
write an eCAP module, ICAP service, or custom external ACL helper(s)
with fairly complex squid.conf settings to use the latter.

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Squid as Kerberos client?

Eliezer Croitoru
I yet to fully understand the scenario but I might have some ready to use services for some of these options.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



-----Original Message-----
From: squid-users <[hidden email]> On Behalf Of Amos Jeffries
Sent: Saturday, March 17, 2018 15:48
To: Patrick Nick <[hidden email]>
Cc: [hidden email]
Subject: Re: [squid-users] Squid as Kerberos client?

On 17/03/18 06:41, Patrick Nick wrote:
> Thank you. It doesn't seem that the "originserver" makes a difference to
> may case though.
>
> I was able to resolve my issue after I understood that I forgot to pay
> attention to cookies. The API expects the client to use cookies, which I
> didn't do until now, which resulted in a continuous "401 Unauthorized" loop.
>

Ah, Cookies. The bane of the Internet. They can be dealt with, but you
are not going to like the difficulty level.

Your choices AFAIK (in order of easiest to seriously tricky) are to
write an eCAP module, ICAP service, or custom external ACL helper(s)
with fairly complex squid.conf settings to use the latter.

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users