The Story of secure user-authentication in squid

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Posted by Isaac on Server Fault See other posts from Server Fault or by Isaac
Published on 2010-06-16T12:28:58Z Indexed on 2010/06/16 14:03 UTC
Read the original article Hit count: 248

Filed under:
|
|
|
|

once upon a time, there was a beautiful warm virtual-jungle in south america, and a squid server lived there. here is an perceptual image of the network:

                 <the Internet>
                        | 
                        | 
           A            |          B
Users <---------> [squid-Server] <---> [LDAP-Server]

When the Users request access to the Internet, squid ask their name and passport, authenticate them by LDAP and if ldap approved them, then he granted them.

Everyone was happy until some sniffers stole passport in path between users and squid [path A]. This disaster happened because squid used Basic-Authentication method.

The people of jungle gathered to solve the problem. Some bunnies offered using NTLM of method. Snakes prefered Digest-Authentication while Kerberos recommended by trees.

After all, many solution offered by people of jungle and all was confused! The Lion decided to end the situation. He shouted the rules for solutions:

  • Shall the solution be secure!
  • Shall the solution work for most of browsers and softwares (e.g. download softwares)
  • Shall the solution be simple and do not need other huge subsystem (like Samba server)
  • Shall not the method depend on special domain. (e.g. Active Directory)

Then, a very resonable-comprehensive-clever solution offered by a monkey, making him the new king of the jungle!

can you guess what was the solution?

Tip: The path between squid and LDAP is protected by the lion, so the solution have not to secure it.

Note: sorry if the story is boring and messy, but most of it is real! =)

                /~\/~\/~\
             /\~/~\/~\/~\/~\
           ((/~\/~\/~\/~\/~\))
         (/~\/~\/~\/~\/~\/~\/~\)
        (////     ~   ~     \\\\)
        (\\\\(   (0) (0)   )////)
        (\\\\(   __\-/__   )////)
         (\\\(     /-\     )///)
          (\\\(  (""""")  )///)
           (\\\(  \^^^/  )///)
            (\\\(       )///)
              (\/~\/~\/~\/)         **
                (\/~\/~\/)        *####*
                 |     |           ****
                /| | | |\            \\
             _/  | | | | \_ _________//   Thanks!
            (,,)(,,)_(,,)(,,)--------'

© Server Fault or respective owner

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Related posts about security

Related posts about authentication

Categories cloud

.NET ASP.NET iphone linux python Windows mysql android sql windows-7 html c ruby-on-rails css objective-c ubuntu networking sql-server wpf asp.net-mvc ruby database Xml apache AJAX osx security regex django Performance 12.04 windows-xp mac web-development iphone-sdk vb.net Silverlight apache2 flash server perl best-practices email installation eclipse visual-studio algorithm windows-server-2008 winforms wcf firefox bash dns /Oracle