Suppressing authentication schemes


Suppressing authentication schemes

Philipp Gesang
Hi,

a while back we received a report from a customer that Windows
hosts will not fall back on conventional authentication
mechanisms if Squid advertises Negotiate. That is unfortunate as
not all systems in that customer’s network are Kerberos enabled;
some of them should just continue using other authentication
schemes. (We don’t do NTLM.)

To deal with the situation we are patching Squid to selectively
omit the Negotiate mechanism in the initial reply via the notes
mechanism. That seems to do the job reasonably well judging by
the silence from the customer since we rolled out the patch some
time last year. A version of that patch against 5.0.1 is
attached; it’s completely untested though as we’re still on
3.5.28 but it should serve as an example for what I mean.

Naturally we would prefer a solution that doesn’t involve
patching so if there’s already a built-in alternative that we
could use instead, I’d appreciate a pointer. If not, what would
have to be done to get this functionality into the official
release?

Thank you and stay healthy everyone,
Philipp


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Attachment: 0001-allow-blacklisting-authentication-mechanisms.patch (4K)

Re: Suppressing authentication schemes

Alex Rousskov
On 10/20/20 8:41 AM, Philipp Gesang wrote:

> a while back we received a report from a customer that Windows
> hosts will not fall back on conventional authentication
> mechanisms if Squid advertises Negotiate. That is unfortunate as
> not all systems in that customer’s network are Kerberos enabled

We have added the auth_schemes directive to address this and similar
problems. Unfortunately, the squid.conf renderer on the official site
does not include v5+ options, but you can see raw documentation at
https://github.com/squid-cache/squid/blob/710f160/src/cf.data.pre#L2139

HTH,

Alex.
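The fallback problem Philipp describes and the auth_schemes directive Alex points at, worked through as an added example that is not part of this thread and not Squid's own code. The squid.conf fragment is constructed for the example: the auth_schemes syntax (comma-separated scheme list followed by ACL names, ALL for every configured scheme) follows the raw cf.data.pre documentation linked above, but the subnet, ACL name and helper paths are made up, only src ACLs are evaluated, the first-matching-line semantics and the ALL default are assumptions, and the client behaviour is a model of what the customer reported, not a specification of Windows.

```python
import ipaddress

# Constructed squid.conf fragment for this example (subnet, ACL name and
# helper paths are made up). auth_schemes syntax follows the cf.data.pre
# documentation linked in the thread.
SQUID_CONF = """
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
acl no_kerberos src 10.1.2.0/24
auth_schemes basic no_kerberos   # hosts without Kerberos never see Negotiate
auth_schemes ALL                 # everyone else gets every configured scheme
"""

# The same setup without the per-ACL rule: what the customer in the thread ran into.
UNRESTRICTED_CONF = """
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_schemes ALL
"""

# RFC 7235 challenge tokens for the scheme names used in squid.conf.
CHALLENGE = {"negotiate": "Negotiate", "ntlm": "NTLM",
             "digest": "Digest", "basic": "Basic"}


def parse_conf(text):
    """Parse only what this model needs: auth_param ... program (configured
    schemes, in file order), acl ... src, and auth_schemes lines as
    (scheme_list, acl_names). Everything else is ignored."""
    configured, acls, rules = [], {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "auth_param" and len(words) > 2 and words[2] == "program":
            if words[1] not in configured:
                configured.append(words[1])
        elif words[0] == "acl" and len(words) > 3 and words[2] == "src":
            nets = [ipaddress.ip_network(w, strict=False) for w in words[3:]]
            acls.setdefault(words[1], []).extend(nets)
        elif words[0] == "auth_schemes" and len(words) > 1:
            rules.append((words[1].lower().split(","), words[2:]))
    return configured, acls, rules


def acl_matches(acls, name, client_ip):
    """Evaluate one src ACL (negated with a leading '!') against a client address."""
    negate = name.startswith("!")
    name = name.lstrip("!")
    if name not in acls:
        raise ValueError(f"auth_schemes references unknown acl {name!r}")
    hit = any(client_ip in net for net in acls[name])
    return hit != negate


def advertised_schemes(conf_text, client_ip):
    """Schemes the proxy offers this client. Assumed semantics, as for other
    ACL-driven directives: a line applies when all its ACLs match, the first
    applicable line wins, a line without ACLs always applies."""
    configured, acls, rules = parse_conf(conf_text)
    ip = ipaddress.ip_address(client_ip)
    for schemes, acl_names in rules:
        if all(acl_matches(acls, n, ip) for n in acl_names):
            if schemes == ["all"]:
                return list(configured)
            if schemes == ["none"]:
                return []
            return [s for s in schemes if s in configured]
    return list(configured)   # no rule matched: assume the ALL default


def challenge_headers(schemes, realm="squid"):
    """Render the 407 challenge, one Proxy-Authenticate header per scheme."""
    headers = []
    for s in schemes:
        token = CHALLENGE[s]
        if s in ("basic", "digest"):
            token += f' realm="{realm}"'   # a real Digest challenge also carries a nonce
        headers.append(f"Proxy-Authenticate: {token}")
    return headers


def windows_client_choice(advertised, has_kerberos_ticket):
    """Client behaviour as reported in the thread (a model, not a spec): once
    Negotiate is offered the client commits to it and does not fall back to
    Basic when Kerberos is unavailable. None means authentication fails."""
    if "negotiate" in advertised:
        return "negotiate" if has_kerberos_ticket else None
    if "basic" in advertised:
        return "basic"
    return None


def simulate(conf_text, client_ip, has_kerberos_ticket):
    """One 407 round trip: the proxy's challenge, then the client's scheme choice."""
    offered = advertised_schemes(conf_text, client_ip)
    return windows_client_choice(offered, has_kerberos_ticket)
```

With UNRESTRICTED_CONF a host in 10.1.2.0/24 without a ticket gets Negotiate and Basic, commits to Negotiate and fails; with SQUID_CONF the same host is only offered Basic and authenticates, while hosts outside that subnet still get the full list.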

Re: Suppressing authentication schemes

Philipp Gesang
Hey Alex,

On Tuesday, 2020-10-20 09:53:45 -0400 Alex Rousskov <[hidden email]> wrote
> > a while back we received a report from a customer that Windows
> > hosts will not fall back on conventional authentication
> > mechanisms if Squid advertises Negotiate. That is unfortunate as
> > not all systems in that customer’s network are Kerberos enabled
>
> We have added the auth_schemes directive to address this and similar
> problems. Unfortunately, the squid.conf renderer on the official site
> does not include v5+ options, but you can see raw documentation at
> https://github.com/squid-cache/squid/blob/710f160/src/cf.data.pre#L2139

fantastic, thanks! That looks like it’s exactly what we need. So this
will be a 5.x only feature?

Philipp


Re: Suppressing authentication schemes

Alex Rousskov
On 10/20/20 10:44 AM, Philipp Gesang wrote:

> On Tuesday, 2020-10-20 09:53:45 -0400 Alex Rousskov wrote
>>> a while back we received a report from a customer that Windows
>>> hosts will not fall back on conventional authentication
>>> mechanisms if Squid advertises Negotiate. That is unfortunate as
>>> not all systems in that customer’s network are Kerberos enabled
>>
>> We have added the auth_schemes directive to address this and similar
>> problems. Unfortunately, the squid.conf renderer on the official site
>> does not include v5+ options, but you can see raw documentation at
>> https://github.com/squid-cache/squid/blob/710f160/src/cf.data.pre#L2139

> That looks like it’s exactly what we need. So this will be a 5.x only
> feature?

It is a v5+ feature (i.e. it is in v5 now and should be in v6, v7, etc.).

You can, of course, lobby Amos, the v4 maintainer, for making a policy
exception and officially including (a backport of) auth_schemes into v4.
Factory may even have a v4-based branch somewhere that we can resurrect
as a starting point for that backporting effort.


Cheers,

Alex.

Re: Suppressing authentication schemes

Philipp Gesang
On Tuesday, 2020-10-20 10:59:41 -0400 Alex Rousskov <[hidden email]> wrote

> On 10/20/20 10:44 AM, Philipp Gesang wrote:
> > On Tuesday, 2020-10-20 09:53:45 -0400 Alex Rousskov wrote
> >>> a while back we received a report from a customer that Windows
> >>> hosts will not fall back on conventional authentication
> >>> mechanisms if Squid advertises Negotiate. That is unfortunate as
> >>> not all systems in that customer’s network are Kerberos enabled
> >>
> >> We have added the auth_schemes directive to address this and similar
> >> problems. Unfortunately, the squid.conf renderer on the official site
> >> does not include v5+ options, but you can see raw documentation at
> >> https://github.com/squid-cache/squid/blob/710f160/src/cf.data.pre#L2139
>
> > That looks like it’s exactly what we need. So this will be a 5.x only
> > feature?
>
> It is a v5+ feature (i.e. it is in v5 now and should be in v6, v7, etc.).
How far away in the future do you think is an official v5 release
from now? Going by the git log it’s been in the making for quite
a while.

> You can, of course, lobby Amos, the v4 maintainer, for making a policy
> exception and officially including (a backport of) auth_schemes into v4.
> Factory may even have a v4-based branch somewhere that we can resurrect
> as a starting point for that backporting effort.

As a last resort, maybe. I’d rather see that effort invested in
moving ahead with v5. ;)

Best regards,
Philipp



Re: Suppressing authentication schemes

Amos Jeffries
On 21/10/20 7:53 pm, Philipp Gesang wrote:

> On Tuesday, 2020-10-20 10:59:41 -0400 Alex Rousskov wrote
>> On 10/20/20 10:44 AM, Philipp Gesang wrote:
>>> On Tuesday, 2020-10-20 09:53:45 -0400 Alex Rousskov wrote
>>>>> a while back we received a report from a customer that Windows
>>>>> hosts will not fall back on conventional authentication
>>>>> mechanisms if Squid advertises Negotiate. That is unfortunate as
>>>>> not all systems in that customer’s network are Kerberos enabled
>>>>
>>>> We have added the auth_schemes directive to address this and similar
>>>> problems. Unfortunately, the squid.conf renderer on the official site
>>>> does not include v5+ options, but you can see raw documentation at
>>>> https://github.com/squid-cache/squid/blob/710f160/src/cf.data.pre#L2139
>>
>>> That looks like it’s exactly what we need. So this will be a 5.x only
>>> feature?
>>
>> It is a v5+ feature (i.e. it is in v5 now and should be in v6, v7, etc.).
>
> How far away in the future do you think is an official v5 release
> from now? Going by the git log it’s been in the making for quite
> a while.

There are a few criteria. The current stage of beta release is waiting
on there being no major bugs added by Version 5:

 <https://bugs.squid-cache.org/buglist.cgi?bug_id_type=anyexact&bug_severity=blocker&bug_severity=critical&bug_severity=major&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&columnlist=bug_severity%2Cversion%2Cop_sys%2Cshort_desc&f1=version&list_id=7846&o1=lessthaneq&o2=equals&order=version%20DESC%2Cbug_severity%2Cbug_id&product=Squid&query_format=advanced&v1=5&v2=unspecified>

The ones with Vers saying "5" are release blockers. Older ones are
wishlist as far as release goes.

After that we need at least half a beta release cycle with no new major
bugs being found.


>
>> You can, of course, lobby Amos, the v4 maintainer, for making a policy
>> exception and officially including (a backport of) auth_schemes into v4.
>> Factory may even have a v4-based branch somewhere that we can resurrect
>> as a starting point for that backporting effort.
>
> As a last resort, maybe. I’d rather see that effort invested in
> moving ahead with v5. ;)
>

All assistance welcome. Since you are going to use the auth_schemes
feature working on <https://bugs.squid-cache.org/show_bug.cgi?id=4832>
should be a good mutual RoI.


Alternatively, <https://github.com/squid-cache/squid/pull/308> is needed
by Squid but the original author no longer has interest in doing the polish
to pass our QA process.


Cheers,
Amos