Author: Markus Moeller <markus_moeller@compuserve.com>

Update squid_kerb_auth helper to 1.0.3 release

Also add missing config.test file (empty) so
 --enable-negotiate-auth-helpers=X will build it with Squid.

  squid_kerb_auth 1.0.3 Official ReadMe file:

--------------------------------------------------------------------------------
readme.txt is the squid_kerb_auth read-me file.

Author: Markus Moeller (markus_moeller at compuserve.com)

Copyright (C) 2007 Markus Moeller. All rights reserved.
--------------------------------------------------------------------------------

squid_kerb_auth Read Me

Markus Moeller
May 12, 2007

1 Introduction

squid_kerb_auth is a reference implementation that supports authentication via
the Negotiate RFC 4559 for proxies. It decodes RFC 2478 SPNEGO GSS-API tokens
from IE7 either through helper functions or via SPNEGO supporting Kerberos libraries
and RFC 1964 Kerberos tokens from Firefox on Linux. Currently, squid_kerb_auth
 supports Squid 2.6 on Linux.

squid_auth_kerb requires either MIT or Heimdal Kerberos libraries and header files.

2 Building and Installation

Run ./configure

for help use ./configure --help

Copy the helper squid_kerb_auth to an apropriate directory.

3 Configuration

a) Configure IE or Firefox to point to the squid proxy by using the fqdn. IE and Firefox will use the
fqdn to query for a HTTP/fqdn Kerberos service principal.

b) Create a keytab which contains the HTTP/fqdn Kerberos service principal and place it into a directory
where the squid run user can read the keytab.

c) Add the following line to squid.conf

auth_param negotiate program /usr/sbin/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on

d) Modify squid startup file

Add the following lines to the squid startup script to point squid to a keytab file which
contains the HTTP/fqdn service principal for the default Kerberos domain. The fqdn must be
the proxy name set in IE or firefox. You can not use an IP address.

KRB5_KTNAME=/etc/squid/HTTP.keytab
export KRB5_KTNAME

If you use a different Kerberos domain than the machine itself is in you can point squid to
the seperate Kerberos config file by setting the following environmnet variable in the startup
script.

KRB5_CONFIG=/etc/krb-squid5.conf
export KRB5_CONFIG

4 Miscellaneous

If squid_kerb_auth doesn't determine for some reason the right service principal you can provide
it with -s HTTP/fqdn.

If you serve multiple Kerberos realms add a HTTP/fqdn@REALM service principal per realm to the
HTTP.keytab file and use the -s GSS_C_NO_NAME option with squid_kerb_auth.