Topic: Using the NCSA authentication module with Squid on 4.1

[OSD]

Hello!

I am trying to set up user/password authentification on squid on my e-smith 4.1 server.

Reading of http://squid-docs.sourceforge.net/latest/html/x1560.htm explains:

"Squid uses modules to do user authentication, rather than including code to do it directly. The default Squid source does, however, include two standard modules; The first authenticates users from a file, the other uses SMB (Windows NT) authentication. These modules are in the auth_modules directory in the source directory. These modules are not compiled when you compile Squid itself, and you will need to chooes an authentication module and run make in the appropriate directory. If the compile goes well, a make install will place the program file in the /usr/local/squid/bin/ directory and any config files in the /usr/local/squid/etc/ directory."

I want to use the NCSA authentification module but can't find it on my e-smith box.  Is it there somewhere but i can't find it?  If not, is there an rpm available?

Also,
"To use the NCSA authentication module, you will need to add the following line to your squid.conf:

authenticate_program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd
You will also need to create the appropriate password file (/usr/local/squid/etc/passwd in the example above). This file consists of a username and password pair, one per line, where the username and password are seperated by a colon (, just as they are in your /etc/passwd file (assuming you are running Unix). The password is encrypted with the same function as the passwords in /etc/passwd (or /etc/shadow on newer systems) are. Here is an example password line:

oskar:lKdpxbNzhlo.w
Since the encrypted passwords are the same, you could simply copy the system password file periodically, since the ncsa_auth module understands the /etc/passwd or /etc/shadow file format. If your users do not already have passwords in unix crypt format somewhere, you will have to use the htpasswd program to generate the appropriate user and password pairs. This program is included in the /usr/local/squid/bin/ directory."

Ideally I would like to modify the scripts that are run from the admin web interface when a user password is reset and the e-smith-password web page so that when the e-smith box's passwords are changed the /etc/passwd file is automatically copied to squid/etc/passwd file.  (i can't find the squid/etc directory either?).

Has anybody already achieved this?  Or am I on the wrong track?  Any pointers would be gratefully received.

Many Thanks.

[OSD]

That was a bit long winded!

I guess that the main point I'm trying to ask is:

in the /etc/e-smith/templates/etc/squid/squid.conf/template-begin file it says

"specify the command for the external authenticator.  Such a program reads a line containing "user password" and replies OK or ERR in an endless loop.  If you use an authenticator, make sure you have 1 acl of type prox_auth.  By default,  the authenticator_program is not used.

If you want to use the traditional proxy authentication jump over to the ../auth_modules/NCSA directory and type:   %make  %make install   then set the following to authenticate_program /usr/bin/ncsa_auth /usr/etc/passwd


My problem is that I can't find the ../auth_modules/NCSA directory.
Any help would be very much appreciated.
(Its not urgent though as I'm going away tomorrow for a week)

Many thanks.

[Tim Litwiller]

I can compile it and send it to you if you would like, I am trying to use the PAM authentication, it works great in a REDHAT 7.0 box but I can't get it to work on a esmith so I might just try the ncsa authentication.  Once the system is setup and all the current users setup you should be ok, unless you have a place with a high turnover rate.

[OSD]

Thanks!
Excellent!  Would be very grateful if you could.  Thanks.
A little over a week ago I tried following the instructions for the pam_auth at http://linux.made-to-order.net/article.php&mode=thread&order=0 but didn't get it to work.  Are there advantages in using the pam_auth rather than ncsa?  If there are then perhaps I will try that again this week but would be really grateful if you could still send me the ncsa compilation.
I'm trying to set it up at home now, so that in a month or two I can replace NT on our webserver in the school that I teach in.  There are 100 or so staff and the turnover is very low so I'm hoping that this will be the answer as teachers will have internet access but pupils won't unless they know the one pupil username and password.
Thanks again!

[Tim Litwiller]

I will post it today as a download on linux.made-to-order.net.  PAM is working fine on my Redhat 7 but I can not make squid run the pam_auth to authenticate even using suid and trying all the different methods mentioned in all the documentation that I could find.  I don't know if ncsa_auth needs to run as root like pam_auth does, if so then I would anticipate the same problem if not then if should work fine.

One though I had with copying the /etc/shadow is to have a cron job do it nightly, but then after adding a new user it would take till the next day for internet access to be authorized.

[Tim Litwiller]

I found the problem with my howto and my configuration,  It was a simple typo on the word "required".  

so now it needs testing http://linux.made-to-order.net