Source of negotiate_kerberos_auth.8 from the Squid blame view; lines come from commits aca1cada (AJ), 08885c7f, e1b65506 and ca02e0ec (AJ).

.if !'po4a'hide' .TH negotiate_kerberos_auth 8
.
.SH NAME
.if !'po4a'hide' .B negotiate_kerberos_auth
.if !'po4a'hide' \-
Squid Kerberos-based authentication helper
.PP
Version 3.0.4sq
.
.SH SYNOPSIS
.if !'po4a'hide' .B negotiate_kerberos_auth
.if !'po4a'hide' .B [\-h] [\-d] [\-i] [\-r] [\-s Service-Principal-Name]
.
.SH DESCRIPTION
.B negotiate_kerberos_auth
is an installed binary and allows Squid to authenticate users via the Negotiate
protocol and Kerberos.

.SH OPTIONS
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-h
Display the binary help and command line syntax info using stderr.
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-d
Write debug messages to stderr.
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-i
Write informational messages to stderr.
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-r
Remove the realm from the username before returning the username to Squid.
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-s Service-Principal-Name
Provide the Service Principal Name.
.
.SH CONFIGURATION
.PP
This helper is intended to be used as an
.B authentication
helper in
.B squid.conf.
.if !'po4a'hide' .P
.if !'po4a'hide' .ft CR
.if !'po4a'hide' .nf
.if !'po4a'hide' auth_param negotiate program /path/to/negotiate_kerberos_auth
.if !'po4a'hide' .br
.if !'po4a'hide' auth_param negotiate children 10
.if !'po4a'hide' .br
.if !'po4a'hide' auth_param negotiate keep_alive on
.if !'po4a'hide' .fi
.if !'po4a'hide' .ft
.PP
.B NOTE:
The following Squid startup file modification may be required:

Add the following lines to the Squid startup script to point Squid to a keytab file which
contains the HTTP/fqdn service principal for the default Kerberos domain. The fqdn must be
the proxy name set in IE or Firefox. You cannot use an IP address.

KRB5_KTNAME=/etc/squid/HTTP.keytab
export KRB5_KTNAME

If you use a different Kerberos domain than the one the machine itself is in, you can point Squid to
a separate Kerberos config file by setting the following environment variable in the startup
script.

KRB5_CONFIG=/etc/krb5-squid.conf
export KRB5_CONFIG

Kerberos can keep a replay cache to detect the reuse of Kerberos tickets (usually only possible
in a 5 minute window). If Squid is under high load with Negotiate (Kerberos) proxy authentication
requests, the replay cache checks can create high CPU load. If the environment does not require
high security, the replay cache check can be disabled for MIT based Kerberos implementations by
adding the following to the startup script:

KRB5RCACHETYPE=none
export KRB5RCACHETYPE

If negotiate_kerberos_auth for some reason does not determine the right service principal, you can provide
it with -s HTTP/fqdn.

If you serve multiple Kerberos realms, add an HTTP/fqdn@REALM service principal per realm to the
HTTP.keytab file and use the -s GSS_C_NO_NAME option with negotiate_kerberos_auth.

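As an added example (not code from the Squid project or this man page), a POSIX shell function that emits the startup-script environment lines described above and checks a keytab listing for the HTTP/fqdn principal; the host names, realms, config path and the klist output are constructed sample values. It covers both the single-realm and the multiple-realm case, choosing -s HTTP/fqdn or -s GSS_C_NO_NAME accordingly.

```shell
#!/bin/sh
# Added example (not part of the Squid man page or project): assembles the
# startup-script environment the CONFIGURATION section describes and checks a
# `klist -kt` listing for the HTTP/fqdn principal. Paths, host names and realms
# below are constructed sample values.

# Constructed sample of `klist -kt /etc/squid/HTTP.keytab` output with two realms.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------
   3 01/01/2014 00:00:00 HTTP/proxy.example.com@EXAMPLE.COM
   3 01/01/2014 00:00:00 HTTP/proxy.example.com@CORP.EXAMPLE.COM'

# keytab_realm_count LISTING FQDN: number of distinct realms holding HTTP/FQDN.
keytab_realm_count() {
    printf '%s\n' "$1" | sed -n "s|.*HTTP/$2@\([^ ]*\).*|\1|p" | sort -u | wc -l | tr -d ' '
}

# squid_kerberos_env FQDN LISTING [KRB5_CONFIG] [disable_rcache=yes]
# Prints the lines to add to the Squid startup script, plus the matching
# auth_param line as a comment. Fails if FQDN looks like an IP address or the
# keytab has no HTTP/FQDN entry, since the helper cannot work without one.
squid_kerberos_env() {
    fqdn=$1; listing=$2; cfg=$3; norc=$4
    case $fqdn in
        *[!0-9.]*) ;;   # contains a letter or hyphen: a host name, as required
        *) echo "error: '$fqdn' is an IP address, not a proxy fqdn" >&2; return 1 ;;
    esac
    realms=$(keytab_realm_count "$listing" "$fqdn")
    if [ "$realms" -eq 0 ]; then
        echo "error: no HTTP/$fqdn principal in keytab" >&2; return 1
    fi
    echo 'KRB5_KTNAME=/etc/squid/HTTP.keytab'
    echo 'export KRB5_KTNAME'
    if [ -n "$cfg" ]; then
        echo "KRB5_CONFIG=$cfg"; echo 'export KRB5_CONFIG'
    fi
    if [ "$norc" = yes ]; then   # only when replay detection is not required
        echo 'KRB5RCACHETYPE=none'; echo 'export KRB5RCACHETYPE'
    fi
    if [ "$realms" -gt 1 ]; then   # several realms: let GSSAPI pick the principal
        echo '# auth_param negotiate program /path/to/negotiate_kerberos_auth -s GSS_C_NO_NAME'
    else
        echo "# auth_param negotiate program /path/to/negotiate_kerberos_auth -s HTTP/$fqdn"
    fi
}

squid_kerberos_env proxy.example.com "$SAMPLE_KLIST" /etc/krb5-squid.conf yes
```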
.
.SH AUTHOR
This program was written by
.if !'po4a'hide' .I Markus Moeller <markus_moeller@compuserve.com>
.PP
This manual was written by
.if !'po4a'hide' .I Markus Moeller <markus_moeller@compuserve.com>
.
.SH COPYRIGHT
.PP
* Copyright (C) 1996-2014 The Squid Software Foundation and contributors
*
* Squid software is distributed under GPLv2+ license and includes
* contributions from numerous individuals and organizations.
* Please see the COPYING and CONTRIBUTORS files for details.
.PP
This program and documentation are copyright to the authors named above.
.PP
Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+).
.
.SH QUESTIONS
Questions on the usage of this program can be sent to the
.I Squid Users mailing list
.if !'po4a'hide' <squid-users@squid-cache.org>
.
.SH REPORTING BUGS
Bug reports need to be made in English.
See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
.PP
Report bugs or bug fixes using http://bugs.squid-cache.org/
.PP
Report serious security bugs to
.I Squid Bugs <squid-bugs@squid-cache.org>
.PP
Report ideas for new improvements to the
.I Squid Developers mailing list
.if !'po4a'hide' <squid-dev@squid-cache.org>
.
.SH SEE ALSO
.if !'po4a'hide' .BR squid "(8) "
.if !'po4a'hide' .BR ext_kerberos_ldap_group_acl "(8) "
.br
.BR RFC4559 " - SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows,"
.br
.BR RFC2478 " - The Simple and Protected GSS-API Negotiation Mechanism,"
.br
.BR RFC1964 " - The Kerberos Version 5 GSS-API Mechanism,"
.br
The Squid FAQ wiki
.if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq
.br
The Squid Configuration Manual
.if !'po4a'hide' http://www.squid-cache.org/Doc/config/
.if !'po4a'hide' http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos