---------------------
PatchSet 2021
Date: 2005/10/30 17:26:10
Author: serassio
Branch: nt
Tag: (none)
Log:
Renamed Windows native basic helper from win32_locallogon to mswin_sspi
Members:
	configure.in:1.26.2.64->1.26.2.65
	helpers/basic_auth/Makefile.am:1.3.16.2->1.3.16.3
	helpers/basic_auth/mswin_sspi/.cvsignore:1.1->1.1.2.1
	helpers/basic_auth/mswin_sspi/Makefile.am:1.1->1.1.2.1
	helpers/basic_auth/mswin_sspi/README.txt:1.1->1.1.2.1
	helpers/basic_auth/mswin_sspi/mswin_auth.c:1.1->1.1.2.1
	helpers/basic_auth/mswin_sspi/valid.c:1.1->1.1.2.1
	helpers/basic_auth/mswin_sspi/valid.h:1.1->1.1.2.1
	helpers/basic_auth/win32_locallogon/.cvsignore:1.1.2.1->1.1.2.2(DEAD)
	helpers/basic_auth/win32_locallogon/Makefile.am:1.2.18.3->1.2.18.4(DEAD)
	helpers/basic_auth/win32_locallogon/NT_auth.c:1.2.18.4->1.2.18.5(DEAD)
	helpers/basic_auth/win32_locallogon/README.txt:1.2.18.4->1.2.18.5(DEAD)
	helpers/basic_auth/win32_locallogon/valid.c:1.2.18.3->1.2.18.4(DEAD)
	helpers/basic_auth/win32_locallogon/valid.h:1.2.18.4->1.2.18.5(DEAD)
Index: squid3/configure.in
===================================================================
RCS file: /cvsroot/squid-sf//squid3/configure.in,v
retrieving revision 1.26.2.64
retrieving revision 1.26.2.65
diff -u -r1.26.2.64 -r1.26.2.65
--- squid3/configure.in 30 Oct 2005 16:56:35 -0000 1.26.2.64
+++ squid3/configure.in 30 Oct 2005 17:29:09 -0000 1.26.2.65
@@ -3,7 +3,7 @@
 dnl
 dnl Duane Wessels, wessels@nlanr.net, February 1996 (autoconf v2.9)
 dnl
-dnl $Id: configure.in,v 1.26.2.64 2005/10/30 16:56:35 serassio Exp $
+dnl $Id: configure.in,v 1.26.2.65 2005/10/30 17:29:09 serassio Exp $
 dnl
 dnl
 dnl
@@ -13,7 +13,7 @@
 AC_CONFIG_AUX_DIR(cfgaux)
 AM_INIT_AUTOMAKE(squid, 3.0-PRE3-NT-CVS)
 AM_CONFIG_HEADER(include/autoconf.h)
-AC_REVISION($Revision: 1.26.2.64 $)dnl
+AC_REVISION($Revision: 1.26.2.65 $)dnl
 AC_PREFIX_DEFAULT(/usr/local/squid)
 AM_MAINTAINER_MODE
 
@@ -2960,7 +2960,7 @@
 	helpers/basic_auth/NCSA/Makefile \
 	helpers/basic_auth/PAM/Makefile \
 	helpers/basic_auth/SMB/Makefile \
-	helpers/basic_auth/win32_locallogon/Makefile \
+	helpers/basic_auth/mswin_sspi/Makefile \
 	helpers/basic_auth/YP/Makefile \
 	helpers/basic_auth/getpwnam/Makefile \
 	helpers/basic_auth/multi-domain-NTLM/Makefile \
Index: squid3/helpers/basic_auth/Makefile.am
===================================================================
RCS file: /cvsroot/squid-sf//squid3/helpers/basic_auth/Makefile.am,v
retrieving revision 1.3.16.2
retrieving revision 1.3.16.3
diff -u -r1.3.16.2 -r1.3.16.3
--- squid3/helpers/basic_auth/Makefile.am 2 Jul 2005 10:16:22 -0000 1.3.16.2
+++ squid3/helpers/basic_auth/Makefile.am 30 Oct 2005 17:26:10 -0000 1.3.16.3
@@ -1,7 +1,7 @@
 # Makefile for storage modules in the Squid Object Cache server
 #
-# $Id: Makefile.am,v 1.3.16.2 2005/07/02 10:16:22 serassio Exp $
+# $Id: Makefile.am,v 1.3.16.3 2005/10/30 17:26:10 serassio Exp $
 #
-DIST_SUBDIRS = getpwnam LDAP MSNT multi-domain-NTLM NCSA PAM SMB YP SASL win32_locallogon
+DIST_SUBDIRS = getpwnam LDAP MSNT multi-domain-NTLM NCSA PAM SMB YP SASL mswin_sspi
 
 SUBDIRS = @BASIC_AUTH_HELPERS@
--- /dev/null Wed Feb 14 13:33:00 2007
+++ squid3/helpers/basic_auth/mswin_sspi/.cvsignore Wed Feb 14 13:35:26 2007
@@ -0,0 +1,4 @@
+.cvsignore
+Makefile.in
+Makefile
+.deps
--- /dev/null Wed Feb 14 13:33:00 2007
+++ squid3/helpers/basic_auth/mswin_sspi/Makefile.am Wed Feb 14 13:35:26 2007
@@ -0,0 +1,19 @@
+#
+# Makefile for the Squid Object Cache server
+#
+# $Id: Makefile.am,v 1.1.2.1 2005/10/30 17:26:10 serassio Exp $
+#
+# Uncomment and customize the following to suit your needs:
+#
+
+
+libexec_PROGRAMS = mswin_auth
+
+win32_auth_SOURCES = mswin_auth.c valid.c valid.h
+
+LDADD = -L$(top_builddir)/lib -lnetapi32 -ladvapi32 -lsspwin32 \
+	-lmiscutil $(XTRA_LIBS)
+
+INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include -I$(top_srcdir)/src
+
+EXTRA_DIST = README.txt
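Review bot: The new mswin_sspi/Makefile.am renames the program to `mswin_auth` but still lists its sources under the old name `win32_auth_SOURCES`; automake has no program with that canonical name, so it ignores the variable (with a warning) and builds mswin_auth from the default `mswin_auth.c` alone, leaving `valid.c` out of the link and `Valid_User`, `Default_NTDomain` and `errormsg` unresolved. The variable must follow the rename: `mswin_auth_SOURCES = mswin_auth.c valid.c valid.h`. The `-lsspwin32` and `-lmiscutil` libraries come from `$(top_builddir)/lib`, which is outside this patch, so I have not checked that they still export what the helper uses.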
--- /dev/null Wed Feb 14 13:33:00 2007 +++ squid3/helpers/basic_auth/mswin_sspi/README.txt Wed Feb 14 13:35:26 2007 
@@ -0,0 +1,101 @@ +This is a simple authentication module for the Squid proxy server running on Windows NT +to authenticate users on an NT domain in native WIN32 mode. + +Usage is simple. It accepts a username and password on standard input +and will return OK if the username/password is valid for the domain/machine, +or ERR if there was some problem. +It's possible to authenticate against NT trusted domains specifyng the username +in the domain\\username Microsoft notation. + + +============== +Program Syntax +============== + +mswin_auth [-A UserGroup][-D UserGroup][-O DefaultDomain][-d] + +-A can specify a Windows Local Group name allowed to authenticate. +-D can specify a Windows Local Group name not allowed to authenticate. +-O can specify the default Domain against to authenticate. +-d enable debugging. + +This is released under the GNU General Public License. + + +============== +Allowing Users +============== + +Users that are allowed to access the web proxy must have the Windows NT +User Rights "logon from the network" and must be included in the NT LOCAL User Groups +specified in the Authenticator's command line. +This can be accomplished creating a local user group on the NT machine, grant the privilege, +and adding users to it. + +Refer to Squid documentation for the required changes to squid.conf. + + +============ +Installation +============ + +Type 'make', then 'make install', then 'make clean'. + +On Cygwin the default is to install 'mswin_auth' into /usr/local/squid/libexec, +with other Windows environments into c:/squid/libexec. + +Refer to Squid documentation for the required changes to squid.conf. 
+You will need to set the following line to enable the authenticator: + +auth_param basic program /usr/local/squid/libexec/mswin_auth [options] + +or + +auth_param basic program c:/squid/libexec/mswin_auth [options] + +You will need to set the following lines to enable authentication for +your access list - + + acl proxy_auth REQUIRED + http_access allow + +You will need to specify the absolute path to mswin_auth in the +'auth_param basic program' directive, and check the 'auth_param basic children' +and 'auth_param basic credentialsttl'. + + +================== +Compilation issues +================== + +The Makefile assumes that GCC is in the current PATH. +mswin_auth compile ONLY on Cygwin Environment, MinGW + MSYS Environment +or MS VC++. + + +======= +Testing +======= + +I strongly urge that mswin_auth is tested prior to being used in a +production environment. It may behave differently on different platforms. +To test it, run it from the command line. Enter username and password +pairs separated by a space. Press ENTER to get an OK or ERR message. +Make sure pressing behaves the same as a carriage return. +Make sure pressing aborts the program. + +Test that entering no details does not result in an OK or ERR message. +Test that entering an invalid username and password results in an ERR message. +Note that if NT guest user access is allowed on the PDC, an OK message +may be returned instead of ERR. +Test that entering an valid username and password results in an OK message. +Test that entering a guest username and password returns the correct +response for the site's access policy. + + +=============== +Contact details +=============== + +To contact the maintainer of this package, e-mail on squidnt@acmeconsulting.it. + --- /dev/null Wed Feb 14 13:33:00 2007 +++ squid3/helpers/basic_auth/mswin_sspi/mswin_auth.c Wed Feb 14 13:35:26 2007 
@@ -0,0 +1,188 @@ +/* + NT_auth - Version 2.0 + + Returns OK for a successful authentication, or ERR upon error. + + Guido Serassio, Torino - Italy + + Uses code from - + Antonino Iannella 2000 + Andrew Tridgell 1997 + Richard Sharpe 1996 + Bill Welliver 1999 + + * Distributed freely under the terms of the GNU General Public License, + * version 2. See the file COPYING for licensing details + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. +*/ + +#include "config.h" +#include +#include +#include "util.h" + +/* Check if we try to compile on a Windows Platform */ +#if defined(_SQUID_CYGWIN_) || defined(_SQUID_MSWIN_) + +#include "valid.h" + +static char NTGroup[256]; +char * NTAllowedGroup; +char * NTDisAllowedGroup; +int UseDisallowedGroup = 0; +int UseAllowedGroup = 0; +int debug_enabled = 0; + +/* + * options: + * -A can specify a Windows Local Group name allowed to authenticate. + * -D can specify a Windows Local Group name not allowed to authenticate. + * -O can specify the default Domain against to authenticate. 
+ */ +char *my_program_name = NULL; + +void +usage() +{ + fprintf(stderr, + "%s usage:\n%s [-A|D UserGroup][-O DefaultDomain][-d]\n" + "-A can specify a Windows Local Group name allowed to authenticate\n" + "-D can specify a Windows Local Group name not allowed to authenticate\n" + "-O can specify the default Domain against to authenticate\n" + "-d enable debugging.\n" + "-h this message\n\n", + my_program_name, my_program_name); +} + +void +process_options(int argc, char *argv[]) +{ + int opt, had_error = 0; + while (-1 != (opt = getopt(argc, argv, "dhA:D:O:"))) { + switch (opt) { + case 'A': + safe_free(NTAllowedGroup); + NTAllowedGroup=xstrdup(optarg); + UseAllowedGroup = 1; + break; + case 'D': + safe_free(NTDisAllowedGroup); + NTDisAllowedGroup=xstrdup(optarg); + UseDisallowedGroup = 1; + break; + case 'O': + strncpy(Default_NTDomain, optarg, DNLEN); + break; + case 'd': + debug_enabled = 1; + break; + case 'h': + usage(argv[0]); + exit(0); + case '?': + opt = optopt; + /* fall thru to default */ + default: + fprintf(stderr, "Unknown option: -%c. Exiting\n", opt); + had_error = 1; + } + } + if (had_error) { + usage(); + exit(1); + } +} + +/* Main program for simple authentication. + Scans and checks for Squid input, and attempts to validate the user. +*/ + +int +main(int argc, char **argv) + +{ + char wstr[256]; + char username[256]; + char password[256]; + char *p; + int err = 0; + + my_program_name = argv[0]; + process_options(argc, argv); + + debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", my_program_name); + + if (LoadSecurityDll(SSP_BASIC) == NULL) { + fprintf(stderr, "FATAL, can't initialize SSPI, exiting.\n"); + exit(1); + } + debug("SSPI initialized OK\n"); + + atexit(UnloadSecurityDll); + + /* initialize FDescs */ + setbuf(stdout, NULL); + setbuf(stderr, NULL); + + while (1) { + /* Read whole line from standard input. Terminate on break. 
*/ + if (fgets(wstr, 255, stdin) == NULL) + break; + + if (NULL == strchr(wstr, '\n')) { + err = 1; + continue; + } + if (err) { + fprintf(stderr, "Oversized message\n"); + puts("ERR"); + goto error; + } + + if ((p = strchr(wstr, '\n')) != NULL) + *p = '\0'; /* strip \n */ + if ((p = strchr(wstr, '\r')) != NULL) + *p = '\0'; /* strip \r */ + /* Clear any current settings */ + username[0] = '\0'; + password[0] = '\0'; + sscanf(wstr, "%s %s", username, password); /* Extract parameters */ + + debug("Got %s from Squid\n", wstr); + + /* Check for invalid or blank entries */ + if ((username[0] == '\0') || (password[0] == '\0')) { + fprintf(stderr, "Invalid Request\n"); + puts("ERR"); + fflush(stdout); + continue; + } + rfc1738_unescape(username); + rfc1738_unescape(password); + + debug("Trying to validate; %s %s\n", username, password); + + if (Valid_User(username, password, NTGroup) == NTV_NO_ERROR) + puts("OK"); + else + printf("ERR %s\n", errormsg); +error: + err = 0; + fflush(stdout); + } + return 0; +} + +#else /* NON Windows Platform !!! */ + +#error NON WINDOWS PLATFORM + +#endif --- /dev/null Wed Feb 14 13:33:00 2007 +++ squid3/helpers/basic_auth/mswin_sspi/valid.c Wed Feb 14 13:35:26 2007 
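Review bot: With `-d` the helper writes the cleartext password to stderr twice per request: `debug("Got %s from Squid\n", wstr);` prints the whole `user password` line and `debug("Trying to validate; %s %s\n", username, password);` prints it again, so enabling debugging on a production proxy turns the log into a credential store (valid.h in this patch defines DEBUG unconditionally, so this is compiled into every build). Log only the user, which is already parsed at both points: `debug("Got request for user %s from Squid\n", username);` and `debug("Trying to validate; %s\n", username);`. A smaller point of style in the same hunk: the `-h` case calls `usage(argv[0])` although `usage()` takes no parameters and reads `my_program_name` instead; `usage();` matches the other call site.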
@@ -0,0 +1,181 @@ +/* + NT_auth - Version 2.0 + + Modified to act as a Squid authenticator module. + Removed all Pike stuff. + Returns OK for a successful authentication, or ERR upon error. + + Guido Serassio, Torino - Italy + + Uses code from - + Antonino Iannella 2000 + Andrew Tridgell 1997 + Richard Sharpe 1996 + Bill Welliver 1999 + + * Distributed freely under the terms of the GNU General Public License, + * version 2. See the file COPYING for licensing details + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. +*/ + +#include "util.h" + +/* Check if we try to compile on a Windows Platform */ +#if defined(_SQUID_CYGWIN_) || defined(_SQUID_MSWIN_) + +#if defined(_SQUID_CYGWIN_) +#include +#endif +#include "valid.h" + +char Default_NTDomain[DNLEN+1] = NTV_DEFAULT_DOMAIN; +const char * errormsg; + +const char NTV_SERVER_ERROR_MSG[] = "Internal server errror"; +const char NTV_GROUP_ERROR_MSG[] = "User not allowed to use this cache"; +const char NTV_LOGON_ERROR_MSG[] = "No such user or wrong password"; +const char NTV_VALID_DOMAIN_SEPARATOR[] = "\\/"; + +/* returns 1 on success, 0 on failure */ +int +Valid_Group(char *UserName, char *Group) +{ + int result = FALSE; + WCHAR wszUserName[256]; // Unicode user name + WCHAR wszGroup[256]; // Unicode Group + + LPLOCALGROUP_USERS_INFO_0 pBuf = NULL; + LPLOCALGROUP_USERS_INFO_0 pTmpBuf; + DWORD dwLevel = 0; + DWORD dwFlags = LG_INCLUDE_INDIRECT; + DWORD dwPrefMaxLen = -1; + DWORD dwEntriesRead = 0; + DWORD dwTotalEntries = 0; + NET_API_STATUS nStatus; + DWORD i; + DWORD dwTotalCount = 0; + +/* Convert ANSI User Name and 
Group to Unicode */ + + MultiByteToWideChar(CP_ACP, 0, UserName, + strlen(UserName) + 1, wszUserName, + sizeof(wszUserName) / sizeof(wszUserName[0])); + MultiByteToWideChar(CP_ACP, 0, Group, + strlen(Group) + 1, wszGroup, sizeof(wszGroup) / sizeof(wszGroup[0])); + + /* + * Call the NetUserGetLocalGroups function + * specifying information level 0. + * + * The LG_INCLUDE_INDIRECT flag specifies that the + * function should also return the names of the local + * groups in which the user is indirectly a member. + */ + nStatus = NetUserGetLocalGroups(NULL, + wszUserName, + dwLevel, + dwFlags, + (LPBYTE *) & pBuf, dwPrefMaxLen, &dwEntriesRead, &dwTotalEntries); + /* + * If the call succeeds, + */ + if (nStatus == NERR_Success) { + if ((pTmpBuf = pBuf) != NULL) { + for (i = 0; i < dwEntriesRead; i++) { + if (pTmpBuf == NULL) { + result = FALSE; + break; + } + if (wcscmp(pTmpBuf->lgrui0_name, wszGroup) == 0) { + result = TRUE; + break; + } + pTmpBuf++; + dwTotalCount++; + } + } + } else + result = FALSE; +/* + * Free the allocated memory. + */ + if (pBuf != NULL) + NetApiBufferFree(pBuf); + return result; +} + +/* Valid_User return codes - + 0 - User authenticated successfully. + 1 - Server error. + 2 - Group membership error. + 3 - Logon error; Incorrect password or username given. +*/ + +int +Valid_User(char *UserName, char *Password, char *Group) +{ + int result = NTV_SERVER_ERROR; + size_t i; + char NTDomain[256]; + char *domain_qualify; + char DomainUser[256]; + char User[256]; + + errormsg = NTV_SERVER_ERROR_MSG; + strncpy(NTDomain, UserName, sizeof(NTDomain)); + + for (i=0; i < strlen(NTV_VALID_DOMAIN_SEPARATOR); i++) { + if ((domain_qualify = strchr(NTDomain, NTV_VALID_DOMAIN_SEPARATOR[i])) != NULL) + break; + } + if (domain_qualify == NULL) { + strcpy(User, NTDomain); + strcpy(NTDomain, Default_NTDomain); + } else { + strcpy(User, domain_qualify + 1); + domain_qualify[0] = '\0'; + } + /* Log the client on to the local computer. 
*/ + if (!SSP_LogonUser(User, Password, NTDomain)) { + result = NTV_LOGON_ERROR; + errormsg = NTV_LOGON_ERROR_MSG; + debug("%s\n", errormsg); + } else { + result = NTV_NO_ERROR; + if (strcmp(NTDomain, NTV_DEFAULT_DOMAIN) == 0) + strcpy(DomainUser, User); + else { + strcpy(DomainUser, NTDomain); + strcat(DomainUser, "\\"); + strcat(DomainUser, User); + } + if (UseAllowedGroup) { + if (!Valid_Group(DomainUser, NTAllowedGroup)) { + result = NTV_GROUP_ERROR; + errormsg = NTV_GROUP_ERROR_MSG; + debug("%s\n", errormsg); + } + } + if (UseDisallowedGroup) { + if (Valid_Group(DomainUser, NTDisAllowedGroup)) { + result = NTV_GROUP_ERROR; + errormsg = NTV_GROUP_ERROR_MSG; + debug("%s\n", errormsg); + } + } + } + return result; +} +#else /* NON Windows Platform !!! */ + +#error NON WINDOWS PLATFORM + +#endif --- /dev/null Wed Feb 14 13:33:00 2007 +++ squid3/helpers/basic_auth/mswin_sspi/valid.h Wed Feb 14 13:35:26 2007 
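Review bot: The `-D` deny-list check in Valid_User fails open: Valid_Group returns FALSE both when the user is not a member and when `NetUserGetLocalGroups` itself fails (`nStatus != NERR_Success`, e.g. the local SAM or trusted domain is unreachable), so on an API error `if (Valid_Group(DomainUser, NTDisAllowedGroup))` does not fire and a user who should be denied gets `NTV_NO_ERROR` after a successful logon. The `-A` path only fails closed by accident, because the same ambiguity reads as "not allowed". Valid_Group should report a lookup failure distinctly and Valid_User should map it to `NTV_SERVER_ERROR` on both paths, as sketched below. Separately, `strncpy(NTDomain, UserName, sizeof(NTDomain))` does not guarantee a terminator; it is only safe today because mswin_auth.c bounds the input line to 255 bytes, which is worth a comment.
```c
/* … unchanged: Valid_Group prologue, name conversion, NetUserGetLocalGroups call and loop … */
    } else
        result = -1;    /* lookup failed: callers must not read this as "not a member" */
/* … unchanged: NetApiBufferFree and return … */

/* … unchanged: Valid_User up to the successful SSP_LogonUser branch … */
        if (UseAllowedGroup) {
            int member = Valid_Group(DomainUser, NTAllowedGroup);
            if (member != TRUE) {
                result = (member == FALSE) ? NTV_GROUP_ERROR : NTV_SERVER_ERROR;
                errormsg = (member == FALSE) ? NTV_GROUP_ERROR_MSG : NTV_SERVER_ERROR_MSG;
                debug("%s\n", errormsg);
            }
        }
        if (UseDisallowedGroup) {
            int member = Valid_Group(DomainUser, NTDisAllowedGroup);
            if (member != FALSE) {
                /* member of the deny group, or membership could not be checked: deny either way */
                result = (member == TRUE) ? NTV_GROUP_ERROR : NTV_SERVER_ERROR;
                errormsg = (member == TRUE) ? NTV_GROUP_ERROR_MSG : NTV_SERVER_ERROR_MSG;
                debug("%s\n", errormsg);
            }
        }
```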
@@ -0,0 +1,107 @@ +/* + NT_auth - Version 2.0 + + Modified to act as a Squid authenticator module. + Returns OK for a successful authentication, or ERR upon error. + + Guido Serassio, Torino - Italy + + Uses code from - + Antonino Iannella 2000 + Andrew Tridgell 1997 + Richard Sharpe 1996 + Bill Welliver 1999 + + * Distributed freely under the terms of the GNU General Public License, + * version 2. See the file COPYING for licensing details + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. +*/ + +#ifndef _VALID_H_ +#define _VALID_H_ + +#ifdef _SQUID_CYGWIN_ +#include +#endif +#include +#include "sspwin32.h" +#undef debug + +/************* CONFIGURATION ***************/ +/* + * define this if you want debugging + */ +#ifndef DEBUG +#define DEBUG +#endif + +#define safe_free(x) if (x) { free(x); x = NULL; } + +/* SMB User verification function */ + +#define NTV_NO_ERROR 0 +#define NTV_SERVER_ERROR 1 +#define NTV_GROUP_ERROR 2 +#define NTV_LOGON_ERROR 3 + +#ifndef LOGON32_LOGON_NETWORK +#define LOGON32_LOGON_NETWORK 3 +#endif + +#define NTV_DEFAULT_DOMAIN "." + +extern char * NTAllowedGroup; +extern char * NTDisAllowedGroup; +extern int UseDisallowedGroup; +extern int UseAllowedGroup; +extern int debug_enabled; +extern char Default_NTDomain[DNLEN+1]; +extern const char * errormsg; + +#include + +/* Debugging stuff */ + +#ifdef __GNUC__ /* this is really a gcc-ism */ +#ifdef DEBUG +#include +#include +static char *__foo; +#define debug(X...) 
if (debug_enabled) { \ + fprintf(stderr,"nt_auth[%d](%s:%d): ", getpid(), \ + ((__foo=strrchr(__FILE__,'/'))==NULL?__FILE__:__foo+1),\ + __LINE__);\ + fprintf(stderr,X); } +#else /* DEBUG */ +#define debug(X...) /* */ +#endif /* DEBUG */ +#else /* __GNUC__ */ +static void +debug(char *format,...) +{ +#ifdef DEBUG +#ifdef _SQUID_MSWIN_ + if (debug_enabled) { + va_list args; + + va_start(args,format); + fprintf(stderr, "nt_auth[%d]: ",getpid()); + vfprintf(stderr, format, args); + va_end(args); + } +#endif /* _SQUID_MSWIN_ */ +#endif /* DEBUG */ +} +#endif /* __GNUC__ */ + +int Valid_User(char *,char *, char *); + +#endif --- squid3/helpers/basic_auth/win32_locallogon/.cvsignore Wed Feb 14 13:35:26 2007 +++ /dev/null Wed Feb 14 13:33:00 2007 @@ -1,4 +0,0 @@ -.cvsignore -Makefile.in -Makefile -.deps --- squid3/helpers/basic_auth/win32_locallogon/Makefile.am Wed Feb 14 13:35:26 2007 +++ /dev/null Wed Feb 14 13:33:00 2007 @@ -1,19 +0,0 @@ -# -# Makefile for the Squid Object Cache server -# -# $Id: Makefile.am,v 1.2.18.3 2005/09/14 12:18:09 serassio Exp $ -# -# Uncomment and customize the following to suit your needs: -# - - -libexec_PROGRAMS = win32_auth - -win32_auth_SOURCES = NT_auth.c valid.c valid.h - -LDADD = -L$(top_builddir)/lib -lnetapi32 -ladvapi32 -lsspwin32 \ - -lmiscutil $(XTRA_LIBS) - -INCLUDES = -I$(top_builddir)/include -I$(top_srcdir)/include -I$(top_srcdir)/src - -EXTRA_DIST = README.txt --- squid3/helpers/basic_auth/win32_locallogon/NT_auth.c Wed Feb 14 13:35:26 2007 +++ /dev/null Wed Feb 14 13:33:00 2007 
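Review bot: `#define safe_free(x) if (x) { free(x); x = NULL; }` expands to a bare `if`, so `if (c) safe_free(p); else ...` binds the `else` to the macro's own `if` and `safe_free(p)` after an unbraced `if` silently changes control flow; the two uses in process_options are inside `case` arms and safe today, but the macro should be `#define safe_free(x) do { if (x) { free(x); (x) = NULL; } } while (0)`. Two points of style in the same header: `__foo` is a reserved identifier (leading double underscore) and should be renamed, and the comment "define this if you want debugging" is contradicted by the unconditional `#ifndef DEBUG` / `#define DEBUG` right under it, which makes the `#else` arms of both debug definitions dead code, so either drop the forced define or reword the comment. The `#undef debug` after the includes also deserves a one-line comment naming which header's macro it is clearing, since that is not visible here.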
@@ -1,188 +0,0 @@ -/* - NT_auth - Version 2.0 - - Returns OK for a successful authentication, or ERR upon error. - - Guido Serassio, Torino - Italy - - Uses code from - - Antonino Iannella 2000 - Andrew Tridgell 1997 - Richard Sharpe 1996 - Bill Welliver 1999 - - * Distributed freely under the terms of the GNU General Public License, - * version 2. See the file COPYING for licensing details - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. -*/ - -#include "config.h" -#include -#include -#include "util.h" - -/* Check if we try to compile on a Windows Platform */ -#if defined(_SQUID_CYGWIN_) || defined(_SQUID_MSWIN_) - -#include "valid.h" - -static char NTGroup[256]; -char * NTAllowedGroup; -char * NTDisAllowedGroup; -int UseDisallowedGroup = 0; -int UseAllowedGroup = 0; -int debug_enabled = 0; - -/* - * options: - * -A can specify a Windows Local Group name allowed to authenticate. - * -D can specify a Windows Local Group name not allowed to authenticate. - * -O can specify the default Domain against to authenticate. 
- */ -char *my_program_name = NULL; - -void -usage() -{ - fprintf(stderr, - "%s usage:\n%s [-A|D UserGroup][-O DefaultDomain][-d]\n" - "-A can specify a Windows Local Group name allowed to authenticate\n" - "-D can specify a Windows Local Group name not allowed to authenticate\n" - "-O can specify the default Domain against to authenticate\n" - "-d enable debugging.\n" - "-h this message\n\n", - my_program_name, my_program_name); -} - -void -process_options(int argc, char *argv[]) -{ - int opt, had_error = 0; - while (-1 != (opt = getopt(argc, argv, "dhA:D:O:"))) { - switch (opt) { - case 'A': - safe_free(NTAllowedGroup); - NTAllowedGroup=xstrdup(optarg); - UseAllowedGroup = 1; - break; - case 'D': - safe_free(NTDisAllowedGroup); - NTDisAllowedGroup=xstrdup(optarg); - UseDisallowedGroup = 1; - break; - case 'O': - strncpy(Default_NTDomain, optarg, DNLEN); - break; - case 'd': - debug_enabled = 1; - break; - case 'h': - usage(argv[0]); - exit(0); - case '?': - opt = optopt; - /* fall thru to default */ - default: - fprintf(stderr, "Unknown option: -%c. Exiting\n", opt); - had_error = 1; - } - } - if (had_error) { - usage(); - exit(1); - } -} - -/* Main program for simple authentication. - Scans and checks for Squid input, and attempts to validate the user. -*/ - -int -main(int argc, char **argv) - -{ - char wstr[256]; - char username[256]; - char password[256]; - char *p; - int err = 0; - - my_program_name = argv[0]; - process_options(argc, argv); - - debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", my_program_name); - - if (LoadSecurityDll(SSP_BASIC) == NULL) { - fprintf(stderr, "FATAL, can't initialize SSPI, exiting.\n"); - exit(1); - } - debug("SSPI initialized OK\n"); - - atexit(UnloadSecurityDll); - - /* initialize FDescs */ - setbuf(stdout, NULL); - setbuf(stderr, NULL); - - while (1) { - /* Read whole line from standard input. Terminate on break. 
*/ - if (fgets(wstr, 255, stdin) == NULL) - break; - - if (NULL == strchr(wstr, '\n')) { - err = 1; - continue; - } - if (err) { - fprintf(stderr, "Oversized message\n"); - puts("ERR"); - goto error; - } - - if ((p = strchr(wstr, '\n')) != NULL) - *p = '\0'; /* strip \n */ - if ((p = strchr(wstr, '\r')) != NULL) - *p = '\0'; /* strip \r */ - /* Clear any current settings */ - username[0] = '\0'; - password[0] = '\0'; - sscanf(wstr, "%s %s", username, password); /* Extract parameters */ - - debug("Got %s from Squid\n", wstr); - - /* Check for invalid or blank entries */ - if ((username[0] == '\0') || (password[0] == '\0')) { - fprintf(stderr, "Invalid Request\n"); - puts("ERR"); - fflush(stdout); - continue; - } - rfc1738_unescape(username); - rfc1738_unescape(password); - - debug("Trying to validate; %s %s\n", username, password); - - if (Valid_User(username, password, NTGroup) == NTV_NO_ERROR) - puts("OK"); - else - printf("ERR %s\n", errormsg); -error: - err = 0; - fflush(stdout); - } - return 0; -} - -#else /* NON Windows Platform !!! */ - -#error NON WINDOWS PLATFORM - -#endif --- squid3/helpers/basic_auth/win32_locallogon/README.txt Wed Feb 14 13:35:26 2007 +++ /dev/null Wed Feb 14 13:33:00 2007 
@@ -1,101 +0,0 @@ -This is a simple authentication module for the Squid proxy server running on Windows NT -to authenticate users on an NT domain in native WIN32 mode. - -Usage is simple. It accepts a username and password on standard input -and will return OK if the username/password is valid for the domain/machine, -or ERR if there was some problem. -It's possible to authenticate against NT trusted domains specifyng the username -in the domain\\username Microsoft notation. - - -============== -Program Syntax -============== - -win32_auth [-A UserGroup][-D UserGroup][-O DefaultDomain][-d] - --A can specify a Windows Local Group name allowed to authenticate. --D can specify a Windows Local Group name not allowed to authenticate. --O can specify the default Domain against to authenticate. --d enable debugging. - -This is released under the GNU General Public License. - - -============== -Allowing Users -============== - -Users that are allowed to access the web proxy must have the Windows NT -User Rights "logon from the network" and must be included in the NT LOCAL User Groups -specified in the Authenticator's command line. -This can be accomplished creating a local user group on the NT machine, grant the privilege, -and adding users to it. - -Refer to Squid documentation for the required changes to squid.conf. - - -============ -Installation -============ - -Type 'make', then 'make install', then 'make clean'. - -On Cygwin the default is to install 'win32_auth' into /usr/local/squid/libexec, -with other Windows environments into c:/squid/libexec. - -Refer to Squid documentation for the required changes to squid.conf. 
-You will need to set the following line to enable the authenticator: - -auth_param basic program /usr/local/squid/libexec/win32_auth [options] - -or - -auth_param basic program c:/squid/libexec/win32_auth [options] - -You will need to set the following lines to enable authentication for -your access list - - - acl proxy_auth REQUIRED - http_access allow - -You will need to specify the absolute path to win32_auth in the -'auth_param basic program' directive, and check the 'auth_param basic children' -and 'auth_param basic credentialsttl'. - - -================== -Compilation issues -================== - -The Makefile assumes that GCC is in the current PATH. -win32_auth compile ONLY on Cygwin Environment, MinGW + MSYS Environment -or MS VC++. - - -======= -Testing -======= - -I strongly urge that win32_auth is tested prior to being used in a -production environment. It may behave differently on different platforms. -To test it, run it from the command line. Enter username and password -pairs separated by a space. Press ENTER to get an OK or ERR message. -Make sure pressing behaves the same as a carriage return. -Make sure pressing aborts the program. - -Test that entering no details does not result in an OK or ERR message. -Test that entering an invalid username and password results in an ERR message. -Note that if NT guest user access is allowed on the PDC, an OK message -may be returned instead of ERR. -Test that entering an valid username and password results in an OK message. -Test that entering a guest username and password returns the correct -response for the site's access policy. - - -=============== -Contact details -=============== - -To contact the maintainer of this package, e-mail on squidnt@acmeconsulting.it. - --- squid3/helpers/basic_auth/win32_locallogon/valid.c Wed Feb 14 13:35:26 2007 +++ /dev/null Wed Feb 14 13:33:00 2007 
@@ -1,181 +0,0 @@ -/* - NT_auth - Version 2.0 - - Modified to act as a Squid authenticator module. - Removed all Pike stuff. - Returns OK for a successful authentication, or ERR upon error. - - Guido Serassio, Torino - Italy - - Uses code from - - Antonino Iannella 2000 - Andrew Tridgell 1997 - Richard Sharpe 1996 - Bill Welliver 1999 - - * Distributed freely under the terms of the GNU General Public License, - * version 2. See the file COPYING for licensing details - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. -*/ - -#include "util.h" - -/* Check if we try to compile on a Windows Platform */ -#if defined(_SQUID_CYGWIN_) || defined(_SQUID_MSWIN_) - -#if defined(_SQUID_CYGWIN_) -#include -#endif -#include "valid.h" - -char Default_NTDomain[DNLEN+1] = NTV_DEFAULT_DOMAIN; -const char * errormsg; - -const char NTV_SERVER_ERROR_MSG[] = "Internal server errror"; -const char NTV_GROUP_ERROR_MSG[] = "User not allowed to use this cache"; -const char NTV_LOGON_ERROR_MSG[] = "No such user or wrong password"; -const char NTV_VALID_DOMAIN_SEPARATOR[] = "\\/"; - -/* returns 1 on success, 0 on failure */ -int -Valid_Group(char *UserName, char *Group) -{ - int result = FALSE; - WCHAR wszUserName[256]; // Unicode user name - WCHAR wszGroup[256]; // Unicode Group - - LPLOCALGROUP_USERS_INFO_0 pBuf = NULL; - LPLOCALGROUP_USERS_INFO_0 pTmpBuf; - DWORD dwLevel = 0; - DWORD dwFlags = LG_INCLUDE_INDIRECT; - DWORD dwPrefMaxLen = -1; - DWORD dwEntriesRead = 0; - DWORD dwTotalEntries = 0; - NET_API_STATUS nStatus; - DWORD i; - DWORD dwTotalCount = 0; - -/* Convert ANSI User Name and 
Group to Unicode */ - - MultiByteToWideChar(CP_ACP, 0, UserName, - strlen(UserName) + 1, wszUserName, - sizeof(wszUserName) / sizeof(wszUserName[0])); - MultiByteToWideChar(CP_ACP, 0, Group, - strlen(Group) + 1, wszGroup, sizeof(wszGroup) / sizeof(wszGroup[0])); - - /* - * Call the NetUserGetLocalGroups function - * specifying information level 0. - * - * The LG_INCLUDE_INDIRECT flag specifies that the - * function should also return the names of the local - * groups in which the user is indirectly a member. - */ - nStatus = NetUserGetLocalGroups(NULL, - wszUserName, - dwLevel, - dwFlags, - (LPBYTE *) & pBuf, dwPrefMaxLen, &dwEntriesRead, &dwTotalEntries); - /* - * If the call succeeds, - */ - if (nStatus == NERR_Success) { - if ((pTmpBuf = pBuf) != NULL) { - for (i = 0; i < dwEntriesRead; i++) { - if (pTmpBuf == NULL) { - result = FALSE; - break; - } - if (wcscmp(pTmpBuf->lgrui0_name, wszGroup) == 0) { - result = TRUE; - break; - } - pTmpBuf++; - dwTotalCount++; - } - } - } else - result = FALSE; -/* - * Free the allocated memory. - */ - if (pBuf != NULL) - NetApiBufferFree(pBuf); - return result; -} - -/* Valid_User return codes - - 0 - User authenticated successfully. - 1 - Server error. - 2 - Group membership error. - 3 - Logon error; Incorrect password or username given. -*/ - -int -Valid_User(char *UserName, char *Password, char *Group) -{ - int result = NTV_SERVER_ERROR; - size_t i; - char NTDomain[256]; - char *domain_qualify; - char DomainUser[256]; - char User[256]; - - errormsg = NTV_SERVER_ERROR_MSG; - strncpy(NTDomain, UserName, sizeof(NTDomain)); - - for (i=0; i < strlen(NTV_VALID_DOMAIN_SEPARATOR); i++) { - if ((domain_qualify = strchr(NTDomain, NTV_VALID_DOMAIN_SEPARATOR[i])) != NULL) - break; - } - if (domain_qualify == NULL) { - strcpy(User, NTDomain); - strcpy(NTDomain, Default_NTDomain); - } else { - strcpy(User, domain_qualify + 1); - domain_qualify[0] = '\0'; - } - /* Log the client on to the local computer. 
*/ - if (!SSP_LogonUser(User, Password, NTDomain)) { - result = NTV_LOGON_ERROR; - errormsg = NTV_LOGON_ERROR_MSG; - debug("%s\n", errormsg); - } else { - result = NTV_NO_ERROR; - if (strcmp(NTDomain, NTV_DEFAULT_DOMAIN) == 0) - strcpy(DomainUser, User); - else { - strcpy(DomainUser, NTDomain); - strcat(DomainUser, "\\"); - strcat(DomainUser, User); - } - if (UseAllowedGroup) { - if (!Valid_Group(DomainUser, NTAllowedGroup)) { - result = NTV_GROUP_ERROR; - errormsg = NTV_GROUP_ERROR_MSG; - debug("%s\n", errormsg); - } - } - if (UseDisallowedGroup) { - if (Valid_Group(DomainUser, NTDisAllowedGroup)) { - result = NTV_GROUP_ERROR; - errormsg = NTV_GROUP_ERROR_MSG; - debug("%s\n", errormsg); - } - } - } - return result; -} -#else /* NON Windows Platform !!! */ - -#error NON WINDOWS PLATFORM - -#endif --- squid3/helpers/basic_auth/win32_locallogon/valid.h Wed Feb 14 13:35:26 2007 +++ /dev/null Wed Feb 14 13:33:00 2007 
@@ -1,107 +0,0 @@ -/* - NT_auth - Version 2.0 - - Modified to act as a Squid authenticator module. - Returns OK for a successful authentication, or ERR upon error. - - Guido Serassio, Torino - Italy - - Uses code from - - Antonino Iannella 2000 - Andrew Tridgell 1997 - Richard Sharpe 1996 - Bill Welliver 1999 - - * Distributed freely under the terms of the GNU General Public License, - * version 2. See the file COPYING for licensing details - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. -*/ - -#ifndef _VALID_H_ -#define _VALID_H_ - -#ifdef _SQUID_CYGWIN_ -#include -#endif -#include -#include "sspwin32.h" -#undef debug - -/************* CONFIGURATION ***************/ -/* - * define this if you want debugging - */ -#ifndef DEBUG -#define DEBUG -#endif - -#define safe_free(x) if (x) { free(x); x = NULL; } - -/* SMB User verification function */ - -#define NTV_NO_ERROR 0 -#define NTV_SERVER_ERROR 1 -#define NTV_GROUP_ERROR 2 -#define NTV_LOGON_ERROR 3 - -#ifndef LOGON32_LOGON_NETWORK -#define LOGON32_LOGON_NETWORK 3 -#endif - -#define NTV_DEFAULT_DOMAIN "." - -extern char * NTAllowedGroup; -extern char * NTDisAllowedGroup; -extern int UseDisallowedGroup; -extern int UseAllowedGroup; -extern int debug_enabled; -extern char Default_NTDomain[DNLEN+1]; -extern const char * errormsg; - -#include - -/* Debugging stuff */ - -#ifdef __GNUC__ /* this is really a gcc-ism */ -#ifdef DEBUG -#include -#include -static char *__foo; -#define debug(X...) 
if (debug_enabled) { \ - fprintf(stderr,"nt_auth[%d](%s:%d): ", getpid(), \ - ((__foo=strrchr(__FILE__,'/'))==NULL?__FILE__:__foo+1),\ - __LINE__);\ - fprintf(stderr,X); } -#else /* DEBUG */ -#define debug(X...) /* */ -#endif /* DEBUG */ -#else /* __GNUC__ */ -static void -debug(char *format,...) -{ -#ifdef DEBUG -#ifdef _SQUID_MSWIN_ - if (debug_enabled) { - va_list args; - - va_start(args,format); - fprintf(stderr, "nt_auth[%d]: ",getpid()); - vfprintf(stderr, format, args); - va_end(args); - } -#endif /* _SQUID_MSWIN_ */ -#endif /* DEBUG */ -} -#endif /* __GNUC__ */ - -int Valid_User(char *,char *, char *); - -#endif