Sun Oct 24 21:52:15 CEST 1999 Modified Files in squid/src acl.c cf.data.pre structs.h Merged squid-2.2.STABLE4.authenticate_ip_ttl.patch Squid-2.2.STABLE4: authenticate_ip_ttl squid.conf option With this option you can control how long a proxy authentication will be bound to a specific IP address. -----------------------------------------------------------------
Index: squid/src/acl.c
diff -u squid/src/acl.c:1.1.1.38.2.4 squid/src/acl.c:1.1.1.38.2.5
--- squid/src/acl.c:1.1.1.38.2.4 Sun Oct 24 20:51:47 1999
+++ squid/src/acl.c Sun Oct 24 21:52:14 1999
@@ -1075,6 +1075,8 @@
 /* store validated user in hash, after filling in expiretime */
 xstrncpy(checklist->request->user_ident, user, USER_IDENT_SZ);
 auth_user->expiretime = current_time.tv_sec + Config.authenticateTTL;
+ auth_user->ip_expiretime = current_time.tv_sec + Config.authenticateIpTTL;
+ auth_user->ipaddr = checklist->src_addr;
 hash_join(proxy_auth_cache, (hash_link *) auth_user);
 /* Continue checking below, as normal */
 }
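Review bot: The two added assignments bind the freshly validated credential to the client address but carry no comment tying them to the new option; a line such as `/* bind this credential to the client address for authenticate_ip_ttl seconds (0 disables the check) */` above them would do. Note also that `expiretime` is declared `long` in structs.h while the new `ip_expiretime` is `time_t`; both are filled from `current_time.tv_sec` plus an `int` option, so the mixed widths are harmless here, but one type for both deadlines would be cleaner. The enclosing function, aclMatchProxyAuth, starts and continues outside the hunk.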
@@ -1088,12 +1090,25 @@
 return -1;
 } else if ((0 == strcmp(auth_user->passwd, password)) &&
 (auth_user->expiretime > current_time.tv_sec)) {
- /* user already known and valid */
- debug(28, 5) ("aclMatchProxyAuth: user '%s' previously validated\n",
- user);
- /* copy username to request for logging on client-side */
- xstrncpy(checklist->request->user_ident, user, USER_IDENT_SZ);
- return aclMatchUser(data, user);
+ if (checklist->src_addr.s_addr == auth_user->ipaddr.s_addr
+ || auth_user->ip_expiretime <= current_time.tv_sec) {
+ /* user already known and valid */
+ debug(28, 5) ("aclMatchProxyAuth: user '%s' previously validated\n",
+ user);
+ /* copy username to request for logging on client-side */
+ xstrncpy(checklist->request->user_ident, user, USER_IDENT_SZ);
+ auth_user->ip_expiretime = current_time.tv_sec + Config.authenticateIpTTL;
+ auth_user->ipaddr = checklist->src_addr;
+ return aclMatchUser(data, user);
+ } else {
+ /* user has switched to another IP addr */
+ debug(28, 1) ("aclMatchProxyAuth: user '%s' has changed IP address\n", user);
+ /* remove this user from the hash, making him unknown */
+ hash_remove_link(proxy_auth_cache, (hash_link *) auth_user);
+ aclFreeProxyAuthUser(auth_user);
+ /* require the user to reauthenticate */
+ return -2;
+ }
 } else {
 /* password mismatch/timeout */
 debug(28, 4) ("aclMatchProxyAuth: user '%s' password mismatch/timeout\n",
Index: squid/src/cf.data.pre
diff -u squid/src/cf.data.pre:1.1.1.40.2.8 squid/src/cf.data.pre:1.1.1.40.2.9
--- squid/src/cf.data.pre:1.1.1.40.2.8 Sun Oct 24 21:39:58 1999
+++ squid/src/cf.data.pre Sun Oct 24 21:45:35 1999
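Review bot: The match branch refreshes `auth_user->ip_expiretime` on every request from the bound address, so authenticate_ip_ttl acts as an idle timeout on the address rather than a fixed window from the time of authentication, which is how the cf.data.pre text reads; a comment on that line, `/* sliding binding: extended on each request from the bound address */`, keeps the next reader from "correcting" it. The `<=` in the guard is also what makes `authenticate_ip_ttl 0` a no-op (ip_expiretime then equals the current second), which deserves the remark `/* <= also admits the disabled case, TTL 0 */`. The level-1 debug on the address-change path names the user but neither address, which is what an operator needs to tell a dialup reconnect from concurrent use from two places; if they are added, remember that inet_ntoa() returns a static buffer, so the two addresses need separate calls or a copy. The `-2` return is presumably the existing re-authentication code handled by the caller, which lies outside the hunk together with the rest of aclMatchProxyAuth.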
@@ -1031,6 +1031,26 @@
 authenticate_ttl 3600
 DOC_END
 
+NAME: authenticate_ip_ttl
+TYPE: int
+LOC: Config.authenticateIpTTL
+DEFAULT: 0
+DOC_START
+ Whith this option you control how long a proxy authentication
+ will be bound to a specific IP address. If a request using
+ the same user name is received during this time then access will
+ be denied and both users are required to reauthenticate them selves.
+ The idea behind this is to make it annoying for people to share
+ their password to their friends, but yet allow a dialup user to
+ reconnect on a different dialup port.
+
+ The default is 0 to disable the check. Recommended value if you have
+ dialup users are no more than 60 (seconds). If all your users are
+ stationary then higher values may be used.
+
+authenticate_ip_ttl 0
+DOC_END
+
 COMMENT_START
 OPTIONS FOR TUNING THE CACHE
 -----------------------------------------------------------------------------
Index: squid/src/structs.h
diff -u squid/src/structs.h:1.1.1.41.2.12 squid/src/structs.h:1.1.1.41.2.13
--- squid/src/structs.h:1.1.1.41.2.12 Sun Oct 24 21:42:36 1999
+++ squid/src/structs.h Sun Oct 24 21:45:36 1999
@@ -75,6 +75,8 @@
 char *passwd;
 int passwd_ok; /* 1 = passwd checked OK */
 long expiretime;
+ struct in_addr ipaddr; /* IP addr this user authenticated from */
+ time_t ip_expiretime;
 };
 
 struct _acl_deny_info_list {
@@ -300,6 +302,7 @@
 int redirectChildren;
 int authenticateChildren;
 int authenticateTTL;
+ int authenticateIpTTL;
 struct {
 char *host;
 u_short port;
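Review bot: The description omits the condition that actually triggers the denial: per the acl.c change, a request for the same user name is refused only when it arrives from a different IP address while the binding is live, and a request from the bound address extends the binding, so the second sentence currently reads as if any further request is denied. Suggested rewording of that sentence: `If a request using the same user name is received from a different IP address during this time, access is denied and the cached credential is dropped, so both parties have to reauthenticate.` The paragraph also has two typos, `Whith` for `With` and `them selves` for `themselves`, and should state that the time is measured from the last request from the bound address rather than from the moment of authentication.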
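Review bot: `ip_expiretime` is added without a comment while the adjacent `ipaddr` explains itself; suggest `/* absolute time (sec) until which ipaddr is enforced; refreshed on each request from ipaddr */`. It is also declared `time_t` while the neighbouring `expiretime`, filled from the same `current_time.tv_sec`, is `long`; using `time_t` for both would make the two deadlines directly comparable. The struct's opening line lies outside the hunk.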