-------------------------------------------------------------------------------- readme.txt is the squid_kerb_auth read-me file. Author: Markus Moeller (markus_moeller at compuserve.com) Copyright (C) 2007 Markus Moeller. All rights reserved. -------------------------------------------------------------------------------- squid_kerb_auth Read Me Markus Moeller May 12, 2007 1 Introduction squid_kerb_auth is a reference implementation that supports authentication via the Negotiate RFC 4559 for proxies. It decodes RFC 2478 SPNEGO GSS-API tokens from IE7 either through helper functions or via SPNEGO supporting Kerberos libraries and RFC 1964 Kerberos tokens from Firefox on Linux. Currently, squid_kerb_auth supports Squid 2.6 on Linux. squid_auth_kerb requires either MIT or Heimdal Kerberos libraries and header files. 2 Building and Installation # Linux: # -D__LITTLE_ENDIAN__ # Solaris: # -D__BIG_ENDIAN__ # #DEFINE_SPNEGO=-DHAVE_SPNEGO #HEIMDAL # DEFINE="-DHEIMDAL $DEFINE_SPNEGO -D__LITTLE_ENDIAN__" # INCLUDE=-I/usr/include/heimdal -Ispnegohelp # LIBS="-lgssapi -lkrb5 -lcom_err -lasn1 -lroken" #MIT DEFINE="$DEFINE_SPNEGO -D__LITTLE_ENDIAN__" INCLUDE=-Ispnegohelp LIBS="-lgssapi_krb5 -lkrb5 -lcom_err" # SPNEGO="spnegohelp/derparse.c spnegohelp/spnego.c spnegohelp/spnegohelp.c spnegohelp/spnegoparse.c" SOURCE="squid_kerb_auth.c base64.c" gcc -o squid_kerb_auth $DEFINE $INCLUDE $SOURCE $SPNEGO $LIBS Copy the helper squid_kerb_auth to an apropriate directory. 3 Configuration a) Configure IE or Firefox to point to the squid proxy by using the fqdn. IE and Firefox will use the fqdn to query for a HTTP/fqdn Kerberos service principal. b) Create a keytab which contains the HTTP/fqdn Kerberos service principal and place it into a directory where the squid run user can read the keytab. c) Add the following line to squid.conf auth_param negotiate program /usr/sbin/squid_kerb_auth auth_param negotiate children 10 auth_param negotiate keep_alive on d) Modify squid startup file Add the following lines to the squid startup script to point squid to a keytab file which contains the HTTP/fqdn service principal for the default Kerberos domain. The fqdn must be the proxy name set in IE or firefox. You can not use an IP address. KRB5_KTNAME=/etc/squid/HTTP.keytab export KRB5_KTNAME If you use a different Kerberos domain than the machine itself is in you can point squid to the seperate Kerberos config file by setting the following environmnet variable in the startup script. KRB5_CONFIG=/etc/krb-squid5.conf export KRB5_CONFIG 4 Miscellaneous The -i options creates informational messages whereas -d creates full debug output If squid_kerb_auth doesn't determine for some reason the right service principal you can provide it with -s HTTP/fqdn. If you serve multiple Kerberos realms add a HTTP/fqdn@REALM service principal per realm to the HTTP.keytab file and use the -s GSS_C_NO_NAME option with squid_kerb_auth.