NAME
negotiate_kerberos_auth - Squid Kerberos based authentication helper
Version 3.0.4sq
SYNOPSIS
negotiate_kerberos_auth [-h] [-d] [-i] [-r] [-s Service-Principal-Name]
DESCRIPTION
negotiate_kerberos_auth is an installed binary that allows Squid to authenticate users via the Negotiate protocol and Kerberos.
OPTIONS
-h
    Display the binary help and command line syntax info on stderr.
-d
    Write debug messages to stderr.
-i
    Write informational messages to stderr.
-r
    Remove the realm from the username before returning the username to squid.
-s Service-Principal-Name
    Provide the Service Principal Name.
CONFIGURATION
This helper is intended to be used as an authentication helper in squid.conf.
auth_param negotiate program /path/to/negotiate_kerberos_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
NOTE: The following squid startup file modification may be required:
Add the following lines to the squid startup script to point squid to a keytab file which contains the HTTP/fqdn service principal for the default Kerberos domain (realm). The fqdn must be the proxy name configured in Internet Explorer or Firefox, because the browser requests a service ticket for HTTP/<configured proxy name>; you cannot use an IP address.
KRB5_KTNAME=/etc/squid/HTTP.keytab export KRB5_KTNAME
If you use a different Kerberos domain than the one the machine itself is in, you can point squid to a separate Kerberos config file by setting the following environment variable in the startup script.
KRB5_CONFIG=/etc/krb5-squid.conf export KRB5_CONFIG
Kerberos can keep a replay cache to detect the reuse of Kerberos tickets (usually only possible within the 5 minute clock-skew window). If squid is under high load with Negotiate(Kerberos) proxy authentication requests, the replay cache checks can create high CPU load. If the environment does not require high security, the replay cache check can be disabled for MIT based Kerberos implementations by adding the following to the startup script. Note that with the cache disabled, an authenticator captured from the network can be replayed against the proxy for as long as the clock-skew window allows.
KRB5RCACHETYPE=none export KRB5RCACHETYPE
If negotiate_kerberos_auth does not determine the right service principal for some reason, you can provide it with -s HTTP/fqdn.
If you serve multiple Kerberos realms, add a HTTP/fqdn@REALM service principal per realm to the HTTP.keytab file and use the -s GSS_C_NO_NAME option with negotiate_kerberos_auth.
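The keytab and environment requirements above (an HTTP/fqdn entry for the default realm, one HTTP/fqdn@REALM entry per served realm, a hostname rather than an IP address, and KRB5_KTNAME exported before squid starts) are easy to get wrong and only show up as NA replies from the helper. The following pre-flight script, an added example that is not part of Squid or of negotiate_kerberos_auth, checks them from the startup script before squid is launched. The keytab path, the proxy name proxy.example.com, the realms and the sample klist listing are assumptions for illustration; it assumes MIT Kerberos, whose klist -kt prints the principal as the last field of each entry line.

```shell
#!/bin/sh
# Added example (not Squid or negotiate_kerberos_auth code): pre-flight checks
# for the keytab and environment the Negotiate helper depends on.
# Keytab path, host names and realms below are assumptions for illustration.

# Keytab squid (and the helper) will read, exported as the man page requires.
KRB5_KTNAME="${KRB5_KTNAME:-/etc/squid/HTTP.keytab}"
export KRB5_KTNAME

# is_ip_literal NAME: succeeds if NAME is an IPv4 dotted quad or an IPv6
# literal. Browsers build the SPN as HTTP/<proxy name as configured>, so an
# address configured as the proxy name can never match a keytab entry.
is_ip_literal() {
    case "$1" in
        "")         return 1 ;;   # empty: not an address
        *:*)        return 0 ;;   # contains ':' -> IPv6 literal
        *[!0-9.]*)  return 1 ;;   # anything but digits and dots -> a host name
        *)          return 0 ;;   # only digits and dots -> IPv4 literal
    esac
}

# keytab_has_http_principal FQDN [REALM]
# Reads MIT `klist -kt` style output on stdin and succeeds if an entry for
# HTTP/FQDN@REALM is present (any realm when REALM is omitted).
keytab_has_http_principal() {
    fqdn="$1"
    realm="$2"
    awk -v want="HTTP/${fqdn}" -v realm="$realm" '
        index($NF, "HTTP/") == 1 {
            split($NF, p, "@")              # p[1] = HTTP/fqdn, p[2] = realm
            if (p[1] == want && (realm == "" || p[2] == realm)) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# preflight FQDN REALM...: verify the proxy name and the real keytab.
# Succeeds only when every listed realm has an HTTP/FQDN@REALM entry.
preflight() {
    fqdn="$1"; shift
    if is_ip_literal "$fqdn"; then
        echo "error: proxy name '$fqdn' is an IP address; use the FQDN clients are configured with" >&2
        return 1
    fi
    [ -r "$KRB5_KTNAME" ] || { echo "error: cannot read keytab $KRB5_KTNAME" >&2; return 1; }
    listing=$(klist -kt "$KRB5_KTNAME") || return 1
    rc=0
    for realm in "$@"; do
        if printf '%s\n' "$listing" | keytab_has_http_principal "$fqdn" "$realm"; then
            echo "ok: HTTP/$fqdn@$realm present in $KRB5_KTNAME"
        else
            echo "error: HTTP/$fqdn@$realm missing from $KRB5_KTNAME" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `klist -kt` output (not captured from a real system),
# kept here so keytab_has_http_principal can be exercised offline.
SAMPLE_LISTING='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/01/2024 00:00:00 HTTP/proxy.example.com@EXAMPLE.COM
   3 01/01/2024 00:00:00 HTTP/proxy.example.com@CORP.EXAMPLE.COM'

# Run from the startup script with the proxy FQDN and the realms served, e.g.
#   sh keytab-preflight.sh "$(hostname -f)" EXAMPLE.COM CORP.EXAMPLE.COM
# Without arguments nothing is checked, so the file can also be sourced.
if [ $# -ge 2 ]; then
    preflight "$@" || exit 1
fi
```

Put the call before the line that starts squid so a missing principal aborts the start instead of producing a proxy that silently rejects every Negotiate request. When running with -s GSS_C_NO_NAME for several realms, pass every realm to preflight; a realm without its own HTTP/fqdn@REALM entry is exactly the case the man page warns about.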
AUTHOR
This program was written by Markus Moeller <markus_moeller@compuserve.com>
This manual was written by Markus Moeller <markus_moeller@compuserve.com>
COPYRIGHT
This program and documentation are copyright to the authors named above.
Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+).
QUESTIONS
Questions on the usage of this program can be sent to the Squid Users mailing list <squid-users@squid-cache.org>
REPORTING BUGS
Bug reports need to be made in English. See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
Report bugs or bug fixes using http://bugs.squid-cache.org/
Report serious security bugs to Squid Bugs <squid-bugs@squid-cache.org>
Report ideas for new improvements to the Squid Developers mailing list <squid-dev@squid-cache.org>
SEE ALSO
squid(8)
ext_kerberos_ldap_group_acl(8)
RFC4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows,
RFC2478 - The Simple and Protected GSS-API Negotiation Mechanism,
RFC1964 - The Kerberos Version 5 GSS-API Mechanism,
The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
The Squid Configuration Manual http://www.squid-cache.org/Doc/config/
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos