.if !'po4a'hide' .TH negotiate_kerberos_auth 8
.
.SH NAME
.if !'po4a'hide' .B negotiate_kerberos_auth
.if !'po4a'hide' \-
Squid Kerberos based authentication helper
.PP
Version 3.0.4sq
.
.SH SYNOPSIS
.if !'po4a'hide' .B negotiate_kerberos_auth
.if !'po4a'hide' .B [\-h] [\-d] [\-i] [\-r] [\-s Service-Principal-Name]
.
.SH DESCRIPTION
.B negotiate_kerberos_auth
is an installed binary and allows Squid to authenticate users via the Negotiate
protocol and Kerberos.

.SH OPTIONS
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-h
Display the binary help and command line syntax info using stderr.
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-d
Write debug messages to stderr.
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-i
Write informational messages to stderr.
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-r
Remove the realm from the username before returning the username to Squid.
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-s Service-Principal-Name
Provide the Service Principal Name.
.
.SH CONFIGURATION
.PP See FAQ wiki page for examples of how to write configuration snippets. (TBD)
.PP
This helper is intended to be used as an
.B authentication
helper in
.B squid.conf.
.if !'po4a'hide' .P
.if !'po4a'hide' .ft CR
.if !'po4a'hide' .nf
.if !'po4a'hide' auth_param negotiate program /path/to/negotiate_kerberos_auth
.if !'po4a'hide' .br
.if !'po4a'hide' auth_param negotiate children 10
.if !'po4a'hide' .br
.if !'po4a'hide' auth_param negotiate keep_alive on
.if !'po4a'hide' .fi
.if !'po4a'hide' .ft
.PP
.B NOTE:
The following Squid startup file modification may be required:

Add the following lines to the Squid startup script to point Squid to a keytab file which
contains the HTTP/fqdn service principal for the default Kerberos domain. The fqdn must be
the proxy name set in IE or Firefox. You cannot use an IP address.

KRB5_KTNAME=/etc/squid/HTTP.keytab
export KRB5_KTNAME

If you use a different Kerberos domain than the machine itself is in, you can point Squid to
the separate Kerberos config file by setting the following environment variable in the startup
script.

KRB5_CONFIG=/etc/krb5-squid.conf
export KRB5_CONFIG

Kerberos can keep a replay cache to detect the reuse of Kerberos tickets (usually only possible
in a 5 minute window). If Squid is under high load with Negotiate (Kerberos) proxy authentication
requests, the replay cache checks can create high CPU load. If the environment does not require
high security, the replay cache check can be disabled for MIT based Kerberos implementations by
adding the following to the startup script:

KRB5RCACHETYPE=none
export KRB5RCACHETYPE

If negotiate_kerberos_auth does not determine the right service principal for some reason, you can provide
it with -s HTTP/fqdn.

If you serve multiple Kerberos realms, add an HTTP/fqdn@REALM service principal per realm to the
HTTP.keytab file and use the -s GSS_C_NO_NAME option with negotiate_kerberos_auth.
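Added here as a check for the keytab requirements above (not part of the Squid helper or this manual): it parses an MIT-format HTTP.keytab directly, without klist, and reports which served realms lack an HTTP/fqdn@REALM entry. The fqdn, realm names and all-zero keys in the sample are constructed values.

```python
import struct

def _cstr(buf, pos):
    """Counted octet string: uint16 big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def keytab_principals(data):
    """Principal names (HTTP/fqdn@REALM) in an MIT keytab, version 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab format version")
    pos, names = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size = deleted slot
            pos -= size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _cstr(data, p)
            comps.append(comp.decode())
        names.append("/".join(comps) + "@" + realm.decode())
        pos += size                        # skips name_type, timestamp, vno, key
    return names

def missing_realms(data, fqdn, realms):
    """Realms for which the keytab has no HTTP/<fqdn>@<REALM> entry."""
    have = set(keytab_principals(data))
    return [r for r in realms if "HTTP/%s@%s" % (fqdn, r) not in have]

def build_keytab(entries):
    """Constructed sample writer: all-zero aes128-cts (enctype 17) keys."""
    out = b"\x05\x02"
    for princ, realm in entries:
        comps = princ.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, 2)            # NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", 17, 16) + bytes(16)  # keyblock: enctype, key
        out += struct.pack(">i", len(body)) + body
    return out

# Constructed sample: one HTTP/fqdn entry per served realm.
SAMPLE = build_keytab([("HTTP/proxy.example.com", "EXAMPLE.COM"),
                       ("HTTP/proxy.example.com", "CORP.EXAMPLE")])
```

Against a live proxy, pass `open("/etc/squid/HTTP.keytab", "rb").read()` with the fqdn configured in the browsers and the list of realms you serve; a non-empty result means that realm's users will fail Negotiate authentication.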

.
.SH AUTHOR
This program was written by
.if !'po4a'hide' .I Markus Moeller <markus_moeller@compuserve.com>
.PP
This manual was written by
.if !'po4a'hide' .I Markus Moeller <markus_moeller@compuserve.com>
.
.SH COPYRIGHT
This program and documentation is copyright to the authors named above.
.PP
Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+).
.
.SH QUESTIONS
Questions on the usage of this program can be sent to the
.I Squid Users mailing list
.if !'po4a'hide' <squid-users@squid-cache.org>
.
.SH REPORTING BUGS
Bug reports need to be made in English.
See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
.PP
Report bugs or bug fixes using http://bugs.squid-cache.org/
.PP
Report serious security bugs to
.I Squid Bugs <squid-bugs@squid-cache.org>
.PP
Report ideas for new improvements to the
.I Squid Developers mailing list
.if !'po4a'hide' <squid-dev@squid-cache.org>
.
.SH SEE ALSO
.if !'po4a'hide' .BR squid "(8) "
.if !'po4a'hide' .BR ext_kerberos_ldap_group_acl "(8) "
.br
.BR RFC4559 " - SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows,"
.br
.BR RFC2478 " - The Simple and Protected GSS-API Negotiation Mechanism,"
.br
.BR RFC1964 " - The Kerberos Version 5 GSS-API Mechanism,"
.br
The Squid FAQ wiki
.if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq
.br
The Squid Configuration Manual
.if !'po4a'hide' http://www.squid-cache.org/Doc/config/
.if !'po4a'hide' http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos