--------------------- PatchSet 1144 Date: 2001/01/07 02:44:54 Author: rbcollins Branch: auth_rewrite Tag: (none) Log: merge in ntlm Members: configure.in:1.1.1.3.10.17.2.8->1.1.1.3.10.17.2.9 makefile.in:1.1.1.3.10.3.2.1->1.1.1.3.10.3.2.2 lib/Makefile.in:1.1.1.2.10.2.2.3->1.1.1.2.10.2.2.4 src/cf.data.pre:1.1.1.3.4.1.2.18.2.14->1.1.1.3.4.1.2.18.2.15 Index: squid/configure.in =================================================================== RCS file: /cvsroot/squid-sf//squid/configure.in,v retrieving revision 1.1.1.3.10.17.2.8 retrieving revision 1.1.1.3.10.17.2.9 diff -u -r1.1.1.3.10.17.2.8 -r1.1.1.3.10.17.2.9 --- squid/configure.in 5 Jan 2001 05:36:01 -0000 1.1.1.3.10.17.2.8 +++ squid/configure.in 7 Jan 2001 02:44:54 -0000 1.1.1.3.10.17.2.9 @@ -3,13 +3,13 @@ dnl dnl Duane Wessels, wessels@nlanr.net, February 1996 (autoconf v2.9) dnl -dnl $Id: configure.in,v 1.1.1.3.10.17.2.8 2001/01/05 05:36:01 rbcollins Exp $ +dnl $Id: configure.in,v 1.1.1.3.10.17.2.9 2001/01/07 02:44:54 rbcollins Exp $ dnl dnl dnl AC_INIT(src/main.c) AC_CONFIG_HEADER(include/autoconf.h) -AC_REVISION($Revision: 1.1.1.3.10.17.2.8 $)dnl +AC_REVISION($Revision: 1.1.1.3.10.17.2.9 $)dnl AC_PREFIX_DEFAULT(/usr/local/squid) AC_CONFIG_AUX_DIR(cfgaux) @@ -680,9 +680,9 @@ AC_ARG_ENABLE(auth, [ --enable-auth=\"list of auth scheme modules\" Build support for the list of authentication schemes. - The default is build the Basic scheme. + The default is build Basic and NTLM schemes. See src/auth for a list of available modules, or - Programmers Guide section + Programmers Guide section authentication schemes for details on how to build your custom auth scheme module], [ case $enableval in @@ -700,7 +700,7 @@ esac ], [ if test -z "$AUTH_MODULES"; then - AUTH_MODULES="basic" + AUTH_MODULES="basic ntlm" fi ]) echo "Auth scheme modules built: $AUTH_MODULES" 
@@ -733,10 +733,38 @@
 esac
 ])
 if test -n "$AUTH_BASIC_MODULES"; then
- echo "Auth modules built: $AUTH_BASIC_MODULES"
+ echo "Basic auth modules built: $AUTH_BASIC_MODULES"
 fi
 AC_SUBST(AUTH_BASIC_MODULES)
+dnl Select ntlm auth modules to build
+NTLM_AUTH_MODULES=
+AC_ARG_ENABLE(ntlm-auth-modules,
+[ --enable-ntlm-auth-modules=\"list of modules\"
+ This option selects which proxy_auth ntlm helper
+ modules to build and install as part of the normal
+ build process. For a list of available modules see
+ the ntlm_auth_modules directory.],
+[ case "$enableval" in
+ yes)
+ for module in $srcdir/ntlm_auth_modules/*; do
+ if test -f $module/Makefile.in; then
+ NTLM_AUTH_MODULES="$NTLM_AUTH_MODULES `basename $module`"
+ fi
+ done
+ ;;
+ no)
+ ;;
+ *)
+ NTLM_AUTH_MODULES="`echo $enableval| sed -e 's/,/ /g;s/ */ /g'`"
+ esac
+])
+if test -n "$NTLM_AUTH_MODULES"; then
+ echo "NTLM auth modules built: $NTLM_AUTH_MODULES"
+fi
+AC_SUBST(NTLM_AUTH_MODULES)
+
+
 dnl Disable "unlinkd" code
 AC_ARG_ENABLE(unlinkd,
 [ --disable-unlinkd Do not use unlinkd],
@@ -1758,6 +1786,19 @@
 fi
 done
+NTLM_AUTH_MAKEFILES=""
+for module in $srcdir/ntlm_auth_modules/*; do
+ if test -f $module/Makefile.in; then
+ NTLM_AUTH_MAKEFILES="$NTLM_AUTH_MAKEFILES ./ntlm_auth_modules/`basename $module`/Makefile"
+ for submodule in $module/*; do
+ if test -f $submodule/Makefile.in; then
+ NTLM_AUTH_MAKEFILES="$NTLM_AUTH_MAKEFILES ./ntlm_auth_modules/`basename $module`/`basename $submodule`/Makefile"
+ fi
+ done
+ fi
+done
+
+
 AC_OUTPUT(\
 ./makefile \
 ./lib/Makefile \
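Review bot: In the `*)` branch of the ntlm-auth-modules case the user-supplied list is stored without checking that each `$srcdir/ntlm_auth_modules/<name>/Makefile.in` exists, unlike the `yes)` branch just above it, so a misspelled `--enable-ntlm-auth-modules=` entry passes configure silently and is presumably only noticed when the sub-make runs. A per-name check after the sed, `for m in $NTLM_AUTH_MODULES; do test -f $srcdir/ntlm_auth_modules/$m/Makefile.in || AC_MSG_ERROR([ntlm auth module $m not found]); done`, reports it at configure time instead. Separately, as rendered here the second sed expression reads `s/ */ /g`; if that is not a collapsed `s/  */ /g` (two spaces) it matches the empty string at every position and inserts a space between every character of the list, so it is worth confirming against the committed file. Quoting the value in the pipeline, `echo "$enableval"`, also keeps a stray glob character in the option from being expanded against the build directory before sed sees it.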
@@ -1778,4 +1819,6 @@
 $AUTH_SCHEME_MAKEFILES \
 ./auth_modules/Makefile \
 $AUTH_MAKEFILES \
+ ./ntlm_auth_modules/Makefile \
+ $NTLM_AUTH_MAKEFILES \
 )
Index: squid/makefile.in
===================================================================
RCS file: /cvsroot/squid-sf//squid/Attic/makefile.in,v
retrieving revision 1.1.1.3.10.3.2.1
retrieving revision 1.1.1.3.10.3.2.2
diff -u -r1.1.1.3.10.3.2.1 -r1.1.1.3.10.3.2.2
--- squid/makefile.in 14 Dec 2000 11:24:03 -0000 1.1.1.3.10.3.2.1
+++ squid/makefile.in 7 Jan 2001 02:44:54 -0000 1.1.1.3.10.3.2.2
@@ -1,4 +1,4 @@
-# $Id: makefile.in,v 1.1.1.3.10.3.2.1 2000/12/14 11:24:03 rbcollins Exp $
+# $Id: makefile.in,v 1.1.1.3.10.3.2.2 2001/01/07 02:44:54 rbcollins Exp $
 #
 srcdir = @srcdir@
@@ -14,7 +14,7 @@
 prefix = @prefix@
 exec_prefix = @exec_prefix@
-SUBDIRS = lib @makesnmplib@ scripts src icons errors auth_modules
+SUBDIRS = lib @makesnmplib@ scripts src icons errors auth_modules ntlm_auth_modules
 noargs: all
@@ -38,6 +38,7 @@
 rm -f config.log makefile
 rm -f include/paths.h include/autoconf.h include/config.h
 rm -f auth_modules/dummy
+ rm -f ntlm_auth_modules/dummy
 @for dir in $(SUBDIRS) contrib; do \
 echo Making distclean in $$dir; \
 (cd $$dir; $(MAKE) $(MFLAGS) prefix="$(prefix)" distclean); \
Index: squid/lib/Makefile.in
===================================================================
RCS file: /cvsroot/squid-sf//squid/lib/Attic/Makefile.in,v
retrieving revision 1.1.1.2.10.2.2.3
retrieving revision 1.1.1.2.10.2.2.4
diff -u -r1.1.1.2.10.2.2.3 -r1.1.1.2.10.2.2.4
--- squid/lib/Makefile.in 14 Dec 2000 11:21:33 -0000 1.1.1.2.10.2.2.3
+++ squid/lib/Makefile.in 7 Jan 2001 02:44:55 -0000 1.1.1.2.10.2.2.4
@@ -1,5 +1,5 @@
 #
-# $Id: Makefile.in,v 1.1.1.2.10.2.2.3 2000/12/14 11:21:33 rbcollins Exp $
+# $Id: Makefile.in,v 1.1.1.2.10.2.2.4 2001/01/07 02:44:55 rbcollins Exp $
 #
 prefix = @prefix@
 top_srcdir = @top_srcdir@
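Review bot: AC_OUTPUT now generates `./ntlm_auth_modules/Makefile` plus whatever `$NTLM_AUTH_MAKEFILES` collected, but the PatchSet member list at the top of this page names only configure.in, makefile.in, lib/Makefile.in and src/cf.data.pre, so `ntlm_auth_modules/Makefile.in` (and `lib/ntlmauth.c` behind the new libntlmauth.a in lib/Makefile.in) must already be on the auth_rewrite branch for configure and make to succeed; worth confirming they landed in an earlier patchset rather than being left out of this merge. If the directory can legitimately be absent, the line should be guarded the same way the per-module Makefiles are, by only adding `./ntlm_auth_modules/Makefile` when `test -f $srcdir/ntlm_auth_modules/Makefile.in`.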
@@ -43,7 +43,8 @@
 $(LIBOBJS)
 REGEXOBJS = GNUregex.o
 DLMALLOCOBJS = dlmalloc.o
-LIBS = libmiscutil.a @LIBREGEX@ @LIBDLMALLOC@
+NTLMAUTHOBJS = ntlmauth.o
+LIBS = libmiscutil.a @LIBREGEX@ @LIBDLMALLOC@ libntlmauth.a
 CFLAGS = $(AC_CFLAGS) $(INCLUDE)
@@ -66,6 +67,11 @@
 $(AR_R) $@ $(DLMALLOCOBJS)
 $(RANLIB) $@
+libntlmauth.a: $(NTLMAUTHOBJS)
+ $(RM) -f $@
+ $(AR_R) $@ $(NTLMAUTHOBJS)
+ $(RANLIB) $@
+
 clean:
 -rm -f *.o $(LIBS) core
Index: squid/src/cf.data.pre
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/cf.data.pre,v
retrieving revision 1.1.1.3.4.1.2.18.2.14
retrieving revision 1.1.1.3.4.1.2.18.2.15
diff -u -r1.1.1.3.4.1.2.18.2.14 -r1.1.1.3.4.1.2.18.2.15
--- squid/src/cf.data.pre 7 Jan 2001 00:37:02 -0000 1.1.1.3.4.1.2.18.2.14
+++ squid/src/cf.data.pre 7 Jan 2001 02:44:55 -0000 1.1.1.3.4.1.2.18.2.15
@@ -1,6 +1,6 @@
 #
-# $Id: cf.data.pre,v 1.1.1.3.4.1.2.18.2.14 2001/01/07 00:37:02 hno Exp $
+# $Id: cf.data.pre,v 1.1.1.3.4.1.2.18.2.15 2001/01/07 02:44:55 rbcollins Exp $
 #
 #
 # SQUID Internet Object Cache http://squid.nlanr.net/Squid/
@@ -1174,8 +1174,46 @@
 If you are using such a system, you will be vulnerable to replay attacks
 unless you also enable the IP ttl is strict option.
+ === NTLM scheme options follow ===
+
+ "program" cmdline
+ Specify the command for the external ntlm authenticator. Such a
+ program reads a line containing the uuencoded NEGOTIATE and replies
+ with the ntlm CHALLENGE, then waits for the response and answers with
+ "OK" or "ERR" in an endless loop. If you use an ntlm authenticator,
+ make sure you have 1 acl of type proxy_auth. By default, the
+ ntlm authenticator_program is not used.
+
+ auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth
+
+ "children" numberofchildren
+ The number of authenticator processes to spawn (no default). If you
+ start too few Squid will have to wait for them to process a backlog
+ of credential verifications, slowing it down. When crendential
+ verifications are done via a (slow) network you are likely to need
+ lots of authenticator processes.
+ auth_param ntlm children 5
+
+ "max_challenge_reuses" number
+ The maximum number of times a challenge given by a ntlm authentication
+ helper can be reused. Increasing this number increases your exposure
+ to replay attacks on your network. 0 means use the challenge only once.
+ (disable challenge caching)
+ See max_ntlm_challenge_lifetime for more information.
+ auth_param ntlm max_challenge_reuses 0
+
+ "max_challenge_lifetime" timespan
+ The maximum time period that a ntlm challenge is reused over.
+ The actual period will be the minimum of this time AND the number of
+ reused challenges.
+ auth_param ntlm max_challenge_lifetime 2 minutes
+
 NOCOMMENT_START
 #Recommended minimum configuration:
+#auth_param ntlm program
+auth_param ntlm children 5
+auth_param ntlm max_challenge_reuses 0
+auth_param ntlm max_challenge_lifetime 2 minutes
 #auth_param basic program
 auth_param basic children 5
 auth_param basic realm Squid proxy-caching web server
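Review bot: The max_challenge_reuses text cross-references `max_ntlm_challenge_lifetime`, which is not the name of the option defined just below it; the line should read `See max_challenge_lifetime for more information.` (and `crendential` in the children paragraph should be `credential`). The replay warning deserves one more sentence, because with caching enabled the option's own wording implies one challenge is handed to more than one request: `A cached challenge is shared across clients, so anyone who can observe another client's NTLM response can replay it to this proxy until the challenge expires; keep this at 0 unless helper throughput forces otherwise.` The lifetime paragraph's `minimum of this time AND the number of reused challenges` compares a duration with a count; clearer is `A challenge is discarded as soon as either max_challenge_reuses or max_challenge_lifetime is reached, whichever comes first.` Finally, `uuencoded NEGOTIATE` is worth checking against the helper protocol: the NTLM tokens carried in Proxy-Authorization headers are base64, and if the helper receives them unchanged the comment should say base64 rather than uuencoded.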