From: hno <> Date: Sat, 30 Mar 2002 23:42:57 +0000 (+0000) Subject: SASL auth helper by Ian Castle X-Git-Tag: SQUID_3_0_PRE1~1158 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4e2c57a0431489369bd9869aff83772eee1c0ef9;p=thirdparty%2Fsquid.git SASL auth helper by Ian Castle --- diff --git a/ChangeLog b/ChangeLog index a62589f89b..0a657c332d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -33,6 +33,7 @@ Changes to squid-2.5 (): - Added 'max-conn' option to 'cache_peer' - Added SSL gatewaying support, allowing Squid to act as a SSL server in accelerator setups. + - SASL authentication helper by Ian Castle - Countless other small things and fixes Changes to Squid-2.4.STABLE6 (March 19, 2002): diff --git a/configure.in b/configure.in index 4b26501bc0..9734196d9b 100644 --- a/configure.in +++ b/configure.in @@ -3,7 +3,7 @@ dnl Configuration input file for Squid dnl dnl Duane Wessels, wessels@nlanr.net, February 1996 (autoconf v2.9) dnl -dnl $Id: configure.in,v 1.257 2002/01/28 17:49:24 hno Exp $ +dnl $Id: configure.in,v 1.258 2002/03/30 16:42:57 hno Exp $ dnl dnl dnl @@ -11,7 +11,7 @@ AC_INIT(src/main.c) AC_CONFIG_AUX_DIR(cfgaux) AM_INIT_AUTOMAKE(squid, 2.6-DEVEL) AM_CONFIG_HEADER(include/autoconf.h) -AC_REVISION($Revision: 1.257 $)dnl +AC_REVISION($Revision: 1.258 $)dnl AC_PREFIX_DEFAULT(/usr/local/squid) AM_MAINTAINER_MODE @@ -2160,6 +2160,7 @@ AC_OUTPUT([\ src/auth/basic/helpers/YP/Makefile \ src/auth/basic/helpers/getpwnam/Makefile \ src/auth/basic/helpers/multi-domain-NTLM/Makefile \ + src/auth/basic/helpers/SASL/Makefile \ src/auth/digest/Makefile \ src/auth/digest/helpers/Makefile \ src/auth/digest/helpers/password/Makefile \ diff --git a/helpers/basic_auth/Makefile.am b/helpers/basic_auth/Makefile.am index 241b322a30..7281915357 100644 --- a/helpers/basic_auth/Makefile.am +++ b/helpers/basic_auth/Makefile.am @@ -1,7 +1,7 @@ # Makefile for storage modules in the Squid Object Cache server # -# $Id: Makefile.am,v 1.1 2001/08/31 11:19:14 robertc Exp $ +# $Id: Makefile.am,v 1.2 2002/03/30 16:42:58 hno Exp $ # -DIST_SUBDIRS = getpwnam LDAP MSNT multi-domain-NTLM NCSA PAM SMB YP +DIST_SUBDIRS = getpwnam LDAP MSNT multi-domain-NTLM NCSA PAM SMB YP SASL SUBDIRS = @BASIC_AUTH_HELPERS@ diff --git a/helpers/basic_auth/SASL/Makefile.am b/helpers/basic_auth/SASL/Makefile.am new file mode 100644 index 0000000000..22326ca598 --- /dev/null +++ b/helpers/basic_auth/SASL/Makefile.am @@ -0,0 +1,13 @@ +# +# Makefile for the Squid SASL authentication helper +# +# $Id: Makefile.am,v 1.1 2002/03/30 16:42:58 hno Exp $ +# +# Uncomment and customize the following to suit your needs: +# + +INCLUDES = -I. -I$(top_builddir)/include -I$(top_srcdir)/include \ + -I$(top_srcdir)/src/ + +libexec_PROGRAMS = sasl_auth +LDADD = -lsasl $(XTRA_LIBS) diff --git a/helpers/basic_auth/SASL/README b/helpers/basic_auth/SASL/README new file mode 100644 index 0000000000..286bda4776 --- /dev/null +++ b/helpers/basic_auth/SASL/README @@ -0,0 +1,49 @@ +This program authenticates users using SASL (specifically the +cyrus-sasl authentication method). + +SASL is configurable (somewhat like PAM). Each service authenticating +against SASL identifies itself with an application name. Each +"application" can be configured independently by the SASL administrator. + +For this authenticator, the SASL application name is, by default, + + squid_sasl_auth + +To configure the authentication method used the file "squid_sasl_auth.conf" +can be placed in the appropriate location, usually "/usr/lib/sasl". + +The authentication database is defined by the "pwcheck_method" parameter. +Only the "PLAIN" authentication mechanism is used. + +Examples: + +pwcheck_method:sasldb + use sasldb - the default if no conf file is installed. +pwcheck_method:pam + use PAM +pwcheck_method:passwd + use traditional /etc/passwd +pwcheck_method:shadow + use slightly less traditional /etc/shadow + +Others methods may be supported by your cyrus-sasl implementation - +consult your cyrus-sasl documentation for information. + +Typically the authentication database (/etc/sasldb, /etc/shadow, pam) +can not be accessed by a "normal" user. You should use setuid/setgid +and an appropriate user/group on the executable to allow the +authenticator to access the appropriate password database. If the +access to the database is not permitted then the authenticator +will typically fail with "-1, generic error". + + chown root.mail sasl_auth + chmod ug+s sasl_auth + +If the application name ("squid_sasl_auth") will also be used for the +pam service name if pwcheck_method:pam is chosen. And example pam +configuration file "squid_sasl_auth" is also included. + + +Ian Castle +ian.castle@coldcomfortfarm.net +March 2002 diff --git a/helpers/basic_auth/SASL/sasl_auth.c b/helpers/basic_auth/SASL/sasl_auth.c new file mode 100644 index 0000000000..0f3e4be39f --- /dev/null +++ b/helpers/basic_auth/SASL/sasl_auth.c @@ -0,0 +1,100 @@ +/* + * $Id: sasl_auth.c,v 1.1 2002/03/30 16:42:59 hno Exp $ + * + * SASL authenticator module for Squid. + * Copyright (C) 2002 Ian Castle + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. + * + * Install instructions: + * + * This program authenticates users against using cyrus-sasl + * + * Compile this program with: gcc -Wall -o sasl_auth sasl_auth.c -lsasl + * + */ +#include +#include +#include +#include +#include + +#define APP_NAME_SASL "squid_sasl_auth" + +int +main() +{ + char line[8192]; + char *username, *password; + const char *errstr; + + int rc; + sasl_conn_t *conn = NULL; + + rc = sasl_server_init( NULL, APP_NAME_SASL ); + + if ( rc != SASL_OK ) { + fprintf( stderr, "error %d %s\n", rc, sasl_errstring(rc, NULL, NULL )); + fprintf( stdout, "ERR\n" ); + return 1; + } + + rc = sasl_server_new( APP_NAME_SASL, NULL, NULL, NULL, 0, &conn ); + + if ( rc != SASL_OK ) { + fprintf( stderr, "error %d %s\n", rc, sasl_errstring(rc, NULL, NULL )); + fprintf( stdout, "ERR\n" ); + return 1; + } + + while ( fgets( line, sizeof( line ), stdin )) { + username = &line[0]; + password = strchr( line, '\n' ); + if ( !password) { + fprintf( stderr, "authenticator: Unexpected input '%s'\n", line ); + fprintf( stdout, "ERR\n" ); + continue; + } + *password = '\0'; + password = strchr ( line, ' ' ); + if ( !password) { + fprintf( stderr, "authenticator: Unexpected input '%s'\n", line ); + fprintf( stdout, "ERR\n" ); + continue; + } + *password++ = '\0'; + + rc = sasl_checkpass(conn, username, strlen(username), password, strlen(password), &errstr); + + if ( rc != SASL_OK ) { + if ( errstr ) { + fprintf( stderr, "errstr %s\n", errstr ); + } + if ( rc != SASL_BADAUTH ) { + fprintf( stderr, "error %d %s\n", rc, sasl_errstring(rc, NULL, NULL )); + } + fprintf( stdout, "ERR\n" ); + } + else { + fprintf( stdout, "OK\n" ); + } + + } + + sasl_dispose( &conn ); + sasl_done(); + + return 0; +} diff --git a/helpers/basic_auth/SASL/squid_sasl_auth.conf b/helpers/basic_auth/SASL/squid_sasl_auth.conf new file mode 100644 index 0000000000..3b98c4f4f3 --- /dev/null +++ b/helpers/basic_auth/SASL/squid_sasl_auth.conf @@ -0,0 +1 @@ +pwcheck_method:sasldb