From: hno <> Date: Fri, 12 Apr 2002 01:14:47 +0000 (+0000) Subject: Updated Basic MSNT auth helper (msntauth) to v2.0.3 from the authors X-Git-Tag: SQUID_3_0_PRE1~1100 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6d73604c36de0872d69ac4f11b6136068f55656c;p=thirdparty%2Fsquid.git Updated Basic MSNT auth helper (msntauth) to v2.0.3 from the authors web page --- diff --git a/helpers/basic_auth/MSNT/README.html b/helpers/basic_auth/MSNT/README.html index 6ac18ed3cc..28a70e0edb 100644 --- a/helpers/basic_auth/MSNT/README.html +++ b/helpers/basic_auth/MSNT/README.html @@ -6,14 +6,14 @@

-MSNT Auth v2.0.1
-Squid web proxy Authentication module
+MSNT Auth v2.0.3
+Squid web proxy NT authentication module
Antonino Iannella, Stellar-X Pty Ltd
-Fri Sep 29 15:53:33 CST 2000 +Sun Sep 2 15:01:58 CST 2001

Contents

@@ -21,7 +21,7 @@ Fri Sep 29 15:53:33 CST 2000

Introduction

@@ -45,20 +44,37 @@ and Richard Sharpe. This version is sourced from the Pike authentication module by William Welliver (hwellive@intersil.com).

-Usage is simple. It accepts a username and password on standard input -and will return OK if the username/password is valid for the domain, +Usage is simple. It accepts a username and password on standard input. +It will return OK if the username/password is valid for the domain, or ERR if there was some problem. Check syslog messages for reported problems.

Msntauth is released under the GNU General Public License and -is available from http://stellarx.tripod.com. +is available from +http://www.tripod.com/stellarx. +It also ships with the Squid web proxy, +http://www.squid-proxy.org. + +

+Msntauth has not been tested with Windows 2000 domains yet.

Installation

Make any changes to the source code you need. +

+If you are using the source provided with Squid, then Msntauth +will be compiled when you compile Squid. Refer to Squid documentation +for details. + +

+If you have downloaded Msntauth from the Stellar-X website, then +copy Makefile.MSNT to Makefile. +Review the Makefile, and modify based on target platform or +site requirements. +

Type 'make', then 'make install', then 'make clean'. @@ -73,17 +89,16 @@ To avoid using the makefile, it may compile with

Hopefully nobody has problems compiling msntauth. -In the future I plan to use GNU automake. -

Other compiling issues

+

Issues when compiling

The Makefile uses the GCC compiler, and assumes that it is in the current PATH. Msntauth is known to compile properly on Redhat Linux 6, and FreeBSD 3.1 without problems. Other operating systems are untested, but use a recent copy of the GNU C compiler. -Smbencrypt.c has the '#include ' line commented out. -Remove the comment for S5R4 systems, like Solaris. +In Smbencrypt.c, '#include ' only gets included when +compiled with Solaris.

When compiling under Solaris, the socket libraries must be linked to. @@ -91,12 +106,19 @@ In the Makefile, hash the default CFLAGS line, and unhash the Solaris CFLAGS line. It always helps to have /usr/ccs/bin in your path prior to compiling. +

+For Digital Unix/Tru64, review the INSTALL line in the makefile. +

Configuration file

-Msntauth uses a configuration file which is a break from previous -releases. The file is /usr/local/squid/etc/msntauth.conf. -If this needs to be changed, it is defined in confload.h. +Msntauth uses a configuration file as of version 2. +The file is /usr/local/squid/etc/msntauth.conf. +If this path needs to be changed, it is defined in confload.c - + +

+  #define CONFIGFILE   "/usr/local/squid/etc/msntauth.conf"
+

An example configuration file is provided. It looks like @@ -119,10 +141,14 @@ All comments start with '#'.

NT servers are used to query user accounts. The 'server' lines are used for this, with the PDC, BDC, and NT domain as parameters. -Up to 5 servers/domains can be queried. If this is not enough -modify the MAXSERVERS define in confload.h. +Up to 5 servers/domains can be queried. If this is not enough, +modify the MAXSERVERS define in confload.c. At least one server must be specified, or msntauth will not run. +Server names must be resolvable by the system. If not, msntauth +reports an error. If you can't ping it, you might have a host +resolution problem. +You can't use NetBIOS hostnames, nor IP addresses.

When a user provides a username/password, each of these @@ -204,11 +230,16 @@ your access list - http_access allow password http_access allow http_access deny all -

-You will also need to review the following directives - +You will also need to review the following directives. The number of +msntauth children spawned is set with authenticate_children. +The number of children needed is site-dependent, so some +experimentation may be required to find the best number. +There should be no visible delay in performance with Squid once +msntauth is in use. As an example, a firm with 1500 users and a T1 +internet connection required a value of 30.-

   proxy_auth_realm enterprise web gateway
@@ -245,12 +276,23 @@ It should behave in the following way -
 If the above didn't work as expected, you may need to modify the main()
 function in msntauth.c. Inform the maintainer of any problems.
 
+

+Usernames cannot have whitespace in them, but passwords can. + +

+As of version 2.0.3, the msntauth version can be found in the executable. +Type this to retrieve it - + +

+  strings msntauth | grep -i msntauth
+
+

Contact details

To contact the maintainer of this package, email Antonino Iannella -at antonino@usa.net, antonino.iannella@usa.net, or -antonino.iannella@camtech.com.au. +at antonino@rager.com.au, or antonino.iannella@santos.com.au, or ring ++61 8408 800 007.

The latest version may be found on http://members.tripod.com/stellarx. @@ -275,23 +317,10 @@ Apply the provided patch before compiling, using patch smblib.c < smblib.c.patch

-

Known limitation

- -

-Usernames are checked if they are allowed or denied. If a username -is found as a substring of a different username in these files, -the user will be affected somehow. For example, if 'jpeterman' has -been explicitly denied in the denyusers file, then 'jpeter' who -is trying to use the proxy, will be denied. If this causes anyone -any problems, then I'll fix it. - -

-As of version 2.0.1, this problem has been fixed. - -

Changes since last revision

+

Revision history

-The following list of changes have been made to improve msntauth. +The following sequence of changes have been made to improve msntauth. I have not had a chance to do too much testing due to lack of resources. There should be no problems, though. @@ -305,12 +334,21 @@ to lack of resources. There should be no problems, though.

  • Added the use of a configuration file, instead of hard-coding NT server details
  • Allowed for querying multiple NT servers and domains (this was a hot issue)
  • Changed README into an HTML document to improve readability -
  • Didn't make use of GNU autoconf. I will in future, I promise. -
  • Removed denied/allowed username substring search limitation. +
  • Removed denied/allowed username substring search limitation +
  • Fixed a bug which occurred when reading denied/allowed usernames +
  • Allows whitespace in passwords +
  • To check user list changes, doesn't use an alarm every minute. +
  • Fixed a sigaction compilation error, causing problems on FreeBSD and HPUX +
  • Removed a problem of finding a valid username as a substring in the denied user list. +
  • Support email address change from antonino@usa.net to antonino@rager.com.au. +
  • Msntauth was successfully tested on Tru64. +
  • PDC and BDC hostnames are now checked if they are resolvable. +
  • Smbencrypt.c does not have to be checked for Solaris systems any more. +
  • Imbedded version information in the executable.

    -Hopefully msntauth and Squid is now a more valuable product. +Hopefully msntauth and Squid prove to be a valuable auditing combination. Feel free to send me success or problem stories. diff --git a/helpers/basic_auth/MSNT/allowusers.c b/helpers/basic_auth/MSNT/allowusers.c index 42ebfe3f9c..84d8bf835b 100644 --- a/helpers/basic_auth/MSNT/allowusers.c +++ b/helpers/basic_auth/MSNT/allowusers.c @@ -123,6 +123,7 @@ int Check_ifuserallowed(char *ConnectingUser) { static char CUBuf[NAMELEN + 1]; + static char CUBuf1[NAMELEN + 1]; static int x; static char AllowMsg[256]; @@ -139,8 +140,8 @@ Check_ifuserallowed(char *ConnectingUser) * If so, allow. If not, deny. Reconstruct the username * to have whitespace, to avoid finding wrong string subsets. */ - sscanf(ConnectingUser, " %s ", CUBuf); - sprintf(CUBuf, " %s ", CUBuf); + sscanf(ConnectingUser, " %s ", CUBuf1); + sprintf(CUBuf, " %s ", CUBuf1); for (x = 0; x <= strlen(CUBuf); x++) CUBuf[x] = toupper(CUBuf[x]); @@ -148,7 +149,7 @@ Check_ifuserallowed(char *ConnectingUser) if (strstr(AllowedUsers, CUBuf) != NULL) return 1; else { /* If NULL, they are not allowed to use the proxy */ - sprintf(AllowMsg, "Denied access to user '%s'.", CUBuf); + sprintf(AllowMsg, "Did not allow access to user '%s'.", CUBuf1); syslog(LOG_USER | LOG_ERR, AllowMsg); return 0; } diff --git a/helpers/basic_auth/MSNT/confload.c b/helpers/basic_auth/MSNT/confload.c index 89018af5e5..725ac84594 100644 --- a/helpers/basic_auth/MSNT/confload.c +++ b/helpers/basic_auth/MSNT/confload.c @@ -16,6 +16,7 @@ #include #include #include +#include #define CONFIGFILE "/usr/local/squid/etc/msntauth.conf" /* Path to configuration file */ #define DENYUSERSDEFAULT "/usr/local/squid/etc/denyusers" @@ -154,6 +155,7 @@ ProcessLine(char *Linebuf) /* * Adds a server to query to the server array. + * Checks if the server IP is resolvable. * Checks if the number of servers to query is not exceeded. * Does not allow parameters longer than NTHOSTLEN. */ 
@@ -161,8 +163,18 @@ ProcessLine(char *Linebuf) void AddServer(char *ParamPDC, char *ParamBDC, char *ParamDomain) { + struct hostent *hstruct; + if (Serversqueried + 1 > MAXSERVERS) { - syslog(LOG_USER | LOG_ERR, "ProcessLine: Ignoring '%s' server line; too many servers.", ParamPDC); + syslog(LOG_USER | LOG_ERR, "AddServer: Ignoring '%s' server line; too many servers.", ParamPDC); + return; + } + if (gethostbyname(ParamPDC) == (struct hostent *) NULL) { + syslog(LOG_USER | LOG_ERR, "AddServer: Ignoring host '%s'. Cannot resolve its address.", ParamPDC); + return; + } + if (gethostbyname(ParamBDC) == (struct hostent *) NULL) { + syslog(LOG_USER | LOG_ERR, "AddServer: Ignoring host '%s'. Cannot resolve its address.", ParamBDC); return; } Serversqueried++; @@ -202,6 +214,11 @@ QueryServers(char *username, char *password) * Returns 0 on success, non-zero on failure. */ +/* Define for systems which don't support it, like Solaris */ +#ifndef LOG_AUTHPRIV +#define LOG_AUTHPRIV LOG_AUTH +#endif + int QueryServerForUser(int x, char *username, char *password) { diff --git a/helpers/basic_auth/MSNT/denyusers.c b/helpers/basic_auth/MSNT/denyusers.c index a339679fec..b0a28fb952 100644 --- a/helpers/basic_auth/MSNT/denyusers.c +++ b/helpers/basic_auth/MSNT/denyusers.c @@ -127,6 +127,7 @@ int Check_ifuserdenied(char *ConnectingUser) { static char CUBuf[NAMELEN + 1]; + static char CUBuf1[NAMELEN + 1]; static int x; static char DenyMsg[256]; @@ -142,8 +143,8 @@ Check_ifuserdenied(char *ConnectingUser) * If so, deny. If not, allow. Reconstruct the username * to have whitespace, to avoid finding wrong string subsets. */ - sscanf(ConnectingUser, " %s ", CUBuf); - sprintf(CUBuf, " %s ", CUBuf); + sscanf(ConnectingUser, " %s ", CUBuf1); + sprintf(CUBuf, " %s ", CUBuf1); for (x = 0; x <= strlen(CUBuf); x++) CUBuf[x] = toupper(CUBuf[x]); 
@@ -151,7 +152,7 @@ Check_ifuserdenied(char *ConnectingUser) if (strstr(DeniedUsers, CUBuf) == NULL) return 0; else { - sprintf(DenyMsg, "Denied access to user '%s'.", CUBuf); + sprintf(DenyMsg, "Denied access to user '%s'.", CUBuf1); syslog(LOG_USER | LOG_ERR, DenyMsg); return 1; } diff --git a/helpers/basic_auth/MSNT/msntauth-v2.0.lsm b/helpers/basic_auth/MSNT/msntauth-v2.0.lsm index 0ad7d98da7..f50d16f161 100644 --- a/helpers/basic_auth/MSNT/msntauth-v2.0.lsm +++ b/helpers/basic_auth/MSNT/msntauth-v2.0.lsm @@ -1,13 +1,13 @@ Begin3 Title: msntauth Version: 2.0 -Entered-date: 10OCT00 +Entered-date: 01SEP01 Description: Squid web proxy NT domain authentication module Keywords: Squid WWW proxy SMB NT domain authentication module source -Author: antonino.iannella@usa.net (Antonino Iannella) -Maintained-by: antonino.iannella@usa.net (Antonino Iannella) +Author: antonino@rager.com.au (Antonino Iannella) +Maintained-by: antonino@rager.com.au (Antonino Iannella) Primary-site: sunsite.unc.edu /pub/Linux/system/network/misc msntauth-v2.0.tgz -Original-site: http://stellarx.tripod.com +Original-site: http://members.tripod.com/stellarx Copying-policy: GPL End diff --git a/helpers/basic_auth/MSNT/msntauth.c b/helpers/basic_auth/MSNT/msntauth.c index 4f9da6a9ca..2fcb22e11c 100644 --- a/helpers/basic_auth/MSNT/msntauth.c +++ b/helpers/basic_auth/MSNT/msntauth.c @@ -1,8 +1,8 @@ /* * MSNT - Microsoft Windows NT domain squid authenticator module - * Version 1.2 by Stellar-X Pty Ltd, Antonino Iannella - * Fri Sep 22 00:56:05 CST 2000 + * Version 2.0 by Stellar-X Pty Ltd, Antonino Iannella + * Sun Sep 2 14:39:53 CST 2001 * * Modified to act as a Squid authenticator module. * Removed all Pike stuff. @@ -12,7 +12,7 @@ * Andrew Tridgell 1997 * Richard Sharpe 1996 * Bill Welliver 1999 - * Duane Wessels 2000 + * Duane Wessels 2000 (wessels@squid-cache.org) * * Released under GNU Public License * 
@@ -36,6 +36,8 @@ #include #include +#define MSNTVERSION "Msntauth v2.0.3 (C) 2 Sep 2001 Stellar-X Antonino Iannella." + extern int OpenConfigFile(); extern int QueryServers(char *, char *); extern void Checktimer(); @@ -55,6 +57,10 @@ main() char username[256]; char password[256]; char wstr[256]; + char ver[100]; + + /* Hidden way to imbed the authenticator release version */ + strcpy(ver, MSNTVERSION); /* Read configuration file. Abort wildly if error. */ if (OpenConfigFile() == 1) @@ -82,10 +88,11 @@ main() if (fgets(wstr, 255, stdin) == NULL) break; - /* Clear any current settings */ + /* Clear any current settings. Read new ones. Use \n as a + * convenient EOL marker which is not even there. */ username[0] = '\0'; password[0] = '\0'; - sscanf(wstr, "%s %s", username, password); /* Extract parameters */ + sscanf(wstr, "%s %[^\n]", username, password); /* Extract parameters */ /* Check for invalid or blank entries */ if ((username[0] == '\0') || (password[0] == '\0')) { diff --git a/helpers/basic_auth/MSNT/rfcnb-io.c b/helpers/basic_auth/MSNT/rfcnb-io.c index c69a3675c3..d7e287d1cf 100644 --- a/helpers/basic_auth/MSNT/rfcnb-io.c +++ b/helpers/basic_auth/MSNT/rfcnb-io.c @@ -81,7 +81,9 @@ RFCNB_Set_Timeout(int seconds) for (temp = 0; temp < 32; temp++) inact.sa_mask.__val[temp] = 0; #else - inact.sa_mask = 0; + /* AI - If you have problems with this line, contact the author */ + /* AI - This is the old line: inact.sa_mask = 0; */ + memset(&inact.sa_mask, 0, sizeof(inact.sa_mask)); #endif #endif inact.sa_flags = 0; /* Don't restart */ diff --git a/helpers/basic_auth/MSNT/smbencrypt.c b/helpers/basic_auth/MSNT/smbencrypt.c index 0bd847f9cb..5d341c0a85 100644 --- a/helpers/basic_auth/MSNT/smbencrypt.c +++ b/helpers/basic_auth/MSNT/smbencrypt.c @@ -28,7 +28,11 @@ #include #include #include -/* Antonino #include */ + +/* AI inclusion for Solaris filesystem */ +#ifdef SOLARIS +#include +#endif #include "smblib-priv.h" #define uchar unsigned char 
diff --git a/helpers/basic_auth/MSNT/smblib-util.c b/helpers/basic_auth/MSNT/smblib-util.c index f4f8026a4b..dc30fa63a0 100644 --- a/helpers/basic_auth/MSNT/smblib-util.c +++ b/helpers/basic_auth/MSNT/smblib-util.c @@ -30,8 +30,8 @@ #include "rfcnb-util.h" #include -#include #include +#include char *SMB_Prots[] = {"PC NETWORK PROGRAM 1.0", diff --git a/helpers/basic_auth/MSNT/smblib.c b/helpers/basic_auth/MSNT/smblib.c index 725b026846..b42e41a39b 100644 --- a/helpers/basic_auth/MSNT/smblib.c +++ b/helpers/basic_auth/MSNT/smblib.c @@ -37,7 +37,6 @@ int SMBlib_SMB_Error; #include #include #include - #include SMB_State_Types SMBlib_State;
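Review bot: the download URL added in README.html hunk @@ -45,20 +44,37 @@ is inconsistent with the rest of this patch: it reads http://www.tripod.com/stellarx, while the later README context line still says http://members.tripod.com/stellarx and the msntauth-v2.0.lsm hunk changes Original-site to that same members.tripod.com form. Pick one spelling and use it in all three places. The new Squid link http://www.squid-proxy.org also looks wrong: the msntauth.c header hunk in this same patch credits wessels@squid-cache.org, and squid-cache.org is the project's site, so the README should point at http://www.squid-cache.org.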
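Review bot: README.html hunk @@ -275,23 +317,10 @@ deletes the entire body under "Known limitation" (the substring-match explanation and the "As of version 2.0.1, this problem has been fixed" line) but keeps the "Known limitation" heading as a context line, which leaves an empty section, and the Contents list edited in hunk @@ -21,7 +21,7 @@ presumably still links to it. Either remove the heading and its Contents entry as well, or keep one sentence saying the substring limitation was fixed in 2.0.1, which is still useful to anyone upgrading from 2.0.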
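Review bot: the revision list in README.html hunk @@ -305,12 +334,21 @@ now records the same fix twice: "Removed denied/allowed username substring search limitation" and, a few entries later, "Removed a problem of finding a valid username as a substring in the denied user list." Merge them into one entry. The closing sentence "a valuable auditing combination" also misdescribes the helper, which authenticates users rather than auditing them; "authentication combination", or the earlier "a more valuable product", is accurate.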
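Review bot: the new sscanf(ConnectingUser, " %s ", CUBuf1) in allowusers.c hunk @@ -139,8 +140,8 @@ (and the identical line in denyusers.c hunk @@ -142,8 +143,8 @@) still has no field width, so a username longer than NAMELEN overruns the static CUBuf1; the following sprintf(CUBuf, " %s ", CUBuf1) then pads with two spaces, so even an exactly NAMELEN-character name needs NAMELEN+3 bytes in a NAMELEN+1 buffer. Splitting the buffers does fix the old overlapping source and destination in sprintf, which was undefined behaviour, but the lengths should be bounded too: put a width derived from NAMELEN into the scanf format, or use snprintf(CUBuf, sizeof CUBuf, " %s ", CUBuf1) and treat a truncated name as a deny. The caller in msntauth.c reads lines of up to 254 bytes with fgets(wstr, 255, stdin) and extracts the username with an unbounded %s, so names of that length do reach these functions.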
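Review bot: the context line directly after the changed sprintf in allowusers.c hunk @@ -148,7 +149,7 @@, syslog(LOG_USER | LOG_ERR, AllowMsg), passes a buffer that contains the username as the format string; denyusers.c hunk @@ -151,7 +152,7 @@ does the same with DenyMsg. That username originates with the proxy client, and any '%' conversions in it will be interpreted by syslog(). Since the patch already touches both sprintf lines, drop the intermediate buffers and log directly, for example syslog(LOG_USER | LOG_ERR, "Did not allow access to user '%s'.", CUBuf1); that also removes the question of whether the 256-byte AllowMsg and DenyMsg can hold a NAMELEN-sized name plus the message text.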
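Review bot: the resolvability check added to AddServer() in confload.c hunk @@ -161,8 +163,18 @@ calls gethostbyname() twice, compares against NULL and discards the result, so the actual lookup is repeated later at connection time, and because gethostbyname() accepts dotted-decimal strings on common libcs it does not enforce the README's new claim that IP addresses cannot be used. The consequence worth documenting is that a transient DNS failure while the helper starts drops that server line for the life of the process, with the syslog line as the only trace; the README sentence "If you can't ping it, you might have a host resolution problem" should also tell administrators to check syslog at startup, and the BDC should only be checked if a BDC is actually configured.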
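Review bot: msntauth-v2.0.lsm hunk @@ -1,13 +1,13 @@ updates Entered-date, the author addresses and Original-site but leaves "Version: 2.0" while README.html and the MSNTVERSION define in this same patch say 2.0.3; bump the Version field (and the msntauth-v2.0.tgz file name if the tarball was renamed) so the LSM describes the release it ships with.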
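Review bot: the char ver[100]; strcpy(ver, MSNTVERSION); added to main() in msntauth.c hunk @@ -55,6 +57,10 @@ is dead code, since ver is never read, and an optimising compiler may simply drop the copy; it is also not what makes the README's "strings msntauth | grep -i msntauth" work, because the MSNTVERSION literal is placed in the binary's read-only data whether or not it is copied. A file-scope static const char array initialised from MSNTVERSION, or a command-line option that prints it, gives the documented behaviour without the unused buffer and the misleading "Hidden way" comment.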
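Review bot: the new comment in msntauth.c hunk @@ -82,10 +88,11 @@ says the \n used as the end-of-line marker "is not even there", but fgets(wstr, 255, stdin) keeps the newline whenever the line fits, so %[^\n] stops at it as intended; it is only absent when a line exceeds 254 bytes, in which case %[^\n] consumes the rest of the buffer and the remainder of the line is read as the next request. Two caveats deserve a comment or a check: a CRLF-terminated line now produces a password ending in \r, and %[^\n] keeps trailing spaces as part of the password. The change is still a clear improvement over the old "%s %s", which truncated passwords at the first space, and it matches the README entry "Allows whitespace in passwords".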
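Review bot: the memset(&inact.sa_mask, 0, sizeof(inact.sa_mask)) in rfcnb-io.c hunk @@ -81,7 +81,9 @@ works wherever sigset_t is plain data, but POSIX provides sigemptyset(&inact.sa_mask) for exactly this, and using it would replace both the new line and the glibc-specific inact.sa_mask.__val[temp] = 0 loop in the #ifdef branch just above, so the whole conditional can go. The two "AI -" comments (contact the author, the old line) read as a workaround log; one line explaining that the mask is cleared before sigaction() is enough once sigemptyset() is used.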
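Review bot: the #ifdef SOLARIS guard in smbencrypt.c hunk @@ -28,7 +28,11 @@ only takes effect if the Makefile's Solaris CFLAGS line passes -DSOLARIS; nothing in this patch shows that it does, and the README hunk @@ -73,17 +89,16 @@ only tells users to "unhash the Solaris CFLAGS line" and states that the include "only gets included when compiled with Solaris". Either confirm that the define is set on that CFLAGS line, or test the compiler's predefined __sun macro so the include no longer depends on a Makefile edit that is easy to miss.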