TAG NAME auth_param

Description Provides an interface to the external authentication interface within Squid
Build Option
Default
Usage
auth_param scheme parameter [setting]
Synopsis
This is used to pass parameters to the various authentication schemes, so that users can be authenticated in a number of ways. The various schemes are explained below.

Scheme  Parameter  Explanation
basic “program” cmdline Specify the command for the external authenticator. Such a program reads a line containing “username
password” and replies “OK” or “ERR”, in an endless loop. If you use an authenticator, make sure you have at least one acl
of type proxy_auth. By default, the basic authentication scheme is not used unless a program is specified.

If you want to use the traditional proxy authentication, jump over to the ../auth_modules/NCSA directory and
type:
% make
% make install

Then, set this line to something like

auth_param basic program /usr/local/Squid/bin/ncsa_auth /usr/local/Squid/etc/passwd

“children” numberofchildren The number of authenticator processes to spawn (no default). If you start too few, Squid will have to wait for them
to process a backlog of username/password verifications, slowing it down. When password verifications are done
via a (slow) network you are likely to need lots of authenticator processes.

auth_param basic children 5

“concurrency” concurrency The number of concurrent requests the helper can process. The default of 0 is used for helpers that support
only one request at a time. Setting it above 0 changes the helper protocol: each request line is prefixed with a channel
number that the helper must echo back at the start of its reply, so several requests can be outstanding at once.

auth_param basic concurrency 0

“realm” realmstring Specifies the realm name which is to be reported to the client for the basic proxy authentication scheme (part of
the text the user will see when prompted for their username and password). There is no default.

auth_param basic realm Squid proxy-caching web server

“credentialsttl” timetolive Specifies how long Squid assumes an externally validated username:password pair is valid for; in other words,
how often the helper program is called for that user. Set this low to force revalidation with short-lived
passwords. Note that setting this high does not affect your susceptibility to replay attacks unless you are
using a one-time password system (such as SecurID). If you are using such a system, you will be
vulnerable to replay attacks unless you also use the max_user_ip ACL in an http_access rule.
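
The pairing of a short credentialsttl with the max_user_ip ACL described above, as an added configuration example for this page rather than a fragment from the Squid documentation; the acl names are illustrative, and the max_user_ip and authenticate_ip_ttl directives are assumed to be available in the Squid version in use:

```conf
# Added example (not a configuration shipped with Squid). Weak form: an 8 hour
# TTL keeps a revoked password working until the cached verdict expires, and
# without max_user_ip a captured one-time password can be replayed from another
# host for as long as that verdict lasts.
#auth_param basic credentialsttl 8 hours

# Corrected form: revalidate often and cap how many source addresses one
# username may be seen from at the same time.
auth_param basic program /usr/local/Squid/bin/ncsa_auth /usr/local/Squid/etc/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 minutes

# max_user_ip counts distinct client addresses per username for authenticate_ip_ttl;
# -s (strict) denies every request from that user once the limit is exceeded.
authenticate_ip_ttl 5 minutes
acl authed proxy_auth REQUIRED
acl too_many_ips max_user_ip -s 1

# The deny must come before the allow: the ACL only matches once the user
# has authenticated and exceeded the address limit.
http_access deny too_many_ips
http_access allow authed
http_access deny all
```

A second login from a different address within authenticate_ip_ttl is refused rather than silently accepted, which is what turns a replayed one-time password into a visible failure instead of a second session.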
“casesensitive” on|off Specifies if usernames are case sensitive. Most user databases are case insensitive allowing the same username to be spelled using both lower and upper case letters, but some are case sensitive.

auth_param basic casesensitive off

“blankpassword” on|off Specifies if blank passwords should be supported. Defaults to off, as there are several authentication backends that treat a blank password as “guest” access.
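
A helper implementing the basic-scheme protocol described above, covering the program, concurrency, casesensitive and blankpassword entries in one program. This is an added example written for this page, not ncsa_auth or any code from the Squid project: the in-memory user store, its PBKDF2 storage format and the HELPER_CONCURRENCY environment variable are assumptions for illustration, and the percent-decoding step assumes a Squid version that percent-encodes the username and password fields on the helper line.

```python
#!/usr/bin/env python3
# Added example (not part of the Squid documentation or the Squid project):
# a minimal "auth_param basic program" helper. Squid writes "username password"
# on stdin (or "<channel-id> username password" when concurrency > 0) and
# expects "OK" or "ERR" on stdout, prefixed with the same channel id.
import hashlib
import hmac
import os
import sys
from urllib.parse import unquote

_ITERATIONS = 100_000   # PBKDF2 work factor for the constructed store


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_store(users: dict) -> dict:
    """Constructed sample store: username -> (salt, PBKDF2-HMAC-SHA256 digest).
    Hashes only, so the helper never holds cleartext passwords at rest."""
    store = {}
    for name, password in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _pbkdf2(password, salt))
    return store


def check_password(store: dict, username: str, password: str,
                   casesensitive: bool = True, blankpassword: bool = False) -> bool:
    """Mirror the casesensitive / blankpassword semantics of auth_param basic."""
    if not blankpassword and password == "":
        return False            # some backends treat "" as guest access; refuse it
    if not casesensitive:
        username = username.lower()
        store = {k.lower(): v for k, v in store.items()}
    entry = store.get(username)
    if entry is None:
        _pbkdf2(password, b"\x00" * 16)   # burn the same time for unknown users
        return False
    salt, expected = entry
    return hmac.compare_digest(_pbkdf2(password, salt), expected)


def handle_line(line: str, store: dict, concurrency: int = 0, **opts) -> str:
    """Turn one request line from Squid into the reply line (without newline)."""
    fields = line.rstrip("\n").split(" ")
    channel = ""
    if concurrency > 0:
        # Concurrent helpers must echo the channel id back in front of the verdict.
        channel, fields = fields[0] + " ", fields[1:]
    if len(fields) != 2:
        return channel + "ERR"
    # Assumed: Squid percent-encodes spaces and non-printable bytes in both fields.
    username, password = (unquote(f) for f in fields)
    verdict = "OK" if check_password(store, username, password, **opts) else "ERR"
    return channel + verdict


def main() -> None:
    # Constructed users; HELPER_CONCURRENCY is an assumption for this example and
    # must match "auth_param basic concurrency N" in squid.conf.
    store = make_store({"alice": "correct horse", "Bob": "battery staple"})
    concurrency = int(os.environ.get("HELPER_CONCURRENCY", "0"))
    for line in sys.stdin:                      # loop until Squid closes stdin
        sys.stdout.write(handle_line(line, store, concurrency) + "\n")
        sys.stdout.flush()                      # Squid waits for the whole line


if __name__ == "__main__":
    main()
```

Run it with `auth_param basic program /path/to/this_helper.py` and, if concurrency is set, the matching HELPER_CONCURRENCY value in the helper's environment; the flush after every reply matters, because a block-buffered stdout leaves Squid waiting on a verdict that is sitting in the helper's buffer.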
digest “program” cmdline Specify the command for the external authenticator. Such a program reads a line containing
“username”:”realm” and replies with the appropriate H(A1) value hex encoded, or ERR if the user is unknown.
See RFC 2617 for the definition of H(A1). If you use an authenticator, make sure you have at least one acl of type
proxy_auth. By default, authentication is not used.

If you want to build an authenticator, change to the ../digest_auth_modules directory, choose the authenticator to
use, and in its directory type
% make
% make install

Then, set this line to something like

auth_param digest program /usr/local/Squid/bin/digest_auth_pw /usr/local/Squid/etc/digpass
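
A helper implementing the digest protocol just described, as an added example written for this page and not digest_auth_pw or any Squid project code. It answers a “username”:”realm” line with H(A1) as 32 lowercase hex digits or ERR, and keeps only H(A1) in its store; the store itself is constructed for the example (the one entry is the RFC 2617 section 3.5 credentials), and the bare-hex reply format assumes a Squid version using the helper protocol described above:

```python
#!/usr/bin/env python3
# Added example (not the Squid project's digest helper): an "auth_param digest
# program" helper. Squid sends '"username":"realm"'; the helper answers with
# H(A1) hex encoded, or ERR when the user is unknown in that realm.
import hashlib
import sys


def h_a1(username: str, realm: str, password: str) -> str:
    """H(A1) = MD5(username ":" realm ":" password), RFC 2617 section 3.2.2.2."""
    a1 = f"{username}:{realm}:{password}".encode("utf-8")
    return hashlib.md5(a1).hexdigest()


# Constructed store keyed by (realm, username) holding only H(A1). Note that
# H(A1) is password-equivalent for its realm: anyone holding it can answer the
# challenge, so the file still needs the same protection as a password file.
SAMPLE_REALM = "testrealm@host.com"
SAMPLE_STORE = {
    (SAMPLE_REALM, "Mufasa"): h_a1("Mufasa", SAMPLE_REALM, "Circle Of Life"),
}


def parse_request(line: str):
    """Split '"user":"realm"' into (user, realm); None if the line is malformed."""
    line = line.rstrip("\n")
    parts = line.split('":"', 1)
    if len(parts) != 2 or not parts[0].startswith('"') or not parts[1].endswith('"'):
        return None
    return parts[0][1:], parts[1][:-1]


def handle_line(line: str, store: dict) -> str:
    """One request line in, one reply line out (no trailing newline)."""
    parsed = parse_request(line)
    if parsed is None:
        return "ERR"
    username, realm = parsed
    # The realm is part of the key: the same user in another realm has a different H(A1).
    return store.get((realm, username), "ERR")


def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, SAMPLE_STORE) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Because the realm is hashed into H(A1), changing `auth_param digest realm` invalidates every stored value; the store has to be regenerated from the users' passwords, which is a reason to decide the realm string before enrolling anyone.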
“children” number of children The number of authenticator processes to spawn (no default). If you start too few Squid will have to wait for
them to process a backlog of H(A1) calculations, slowing it down. When the H(A1) calculations are done via a
(slow) network you are likely to need lots of authenticator processes.

auth_param digest children 5

“realm” realmstring Specifies the realm name which is to be reported to the client for the digest proxy authentication scheme (part
of the text the user will see when prompted for their username and password). There is no default.

auth_param digest realm Squid proxy-caching web server

“nonce_garbage_interval” timeinterval Specifies the interval at which nonces that have been issued to client agents are checked for validity and expired ones discarded.
“nonce_max_duration” timeinterval Specifies the maximum length of time a given nonce will be valid for.

auth_param digest nonce_max_duration 30 minutes

“nonce_max_count” number Specifies the maximum number of times a given nonce can be used.

auth_param digest nonce_max_count 50

“nonce_strictness” on|off Determines if Squid requires strict increment-by-1 behaviour for nonce counts, or only that each count is greater than the previous one.

auth_param digest nonce_strictness off

“check_nonce_count” on|off Setting this directive to off disables the nonce count check completely, to work around buggy digest qop
implementations in certain mainstream browser versions. With the check off, a captured request digest can be replayed for as long as its nonce stays valid.

auth_param digest check_nonce_count on

“post_workaround” on|off This is a workaround for certain buggy browsers that send an incorrect request digest in POST
requests when reusing the same nonce acquired earlier in response to a GET request.

auth_param digest post_workaround off
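
The nonce checks that the nonce_garbage_interval, nonce_max_duration, nonce_max_count, nonce_strictness and check_nonce_count directives above control, as a model written for this page and not Squid's own nonce code. The tracker takes the same defaults as the recommended configuration (30 minutes, 50 uses, 5 minute garbage interval); the clock parameter and the reason strings are assumptions of this example, and the client requests run through it are constructed inline:

```python
# Added example (a model written for this page, not Squid's implementation):
# the checks behind the auth_param digest nonce_* directives.
import os
import time


class NonceTracker:
    def __init__(self, max_duration=30 * 60, max_count=50, strictness=False,
                 check_nonce_count=True, garbage_interval=5 * 60, clock=time.time):
        self.max_duration = max_duration            # nonce_max_duration (seconds)
        self.max_count = max_count                  # nonce_max_count
        self.strictness = strictness                # nonce_strictness
        self.check_nonce_count = check_nonce_count  # check_nonce_count
        self.garbage_interval = garbage_interval    # nonce_garbage_interval
        self.clock = clock                          # injectable for testing
        self._nonces = {}   # nonce -> {"issued": t, "nc": last count seen, "uses": n}
        self._last_gc = clock()

    def issue(self) -> str:
        """Mint a fresh nonce to send in the Proxy-Authenticate challenge."""
        nonce = os.urandom(16).hex()
        self._nonces[nonce] = {"issued": self.clock(), "nc": 0, "uses": 0}
        return nonce

    def collect_garbage(self) -> None:
        """nonce_garbage_interval: periodically drop nonces past nonce_max_duration."""
        now = self.clock()
        if now - self._last_gc < self.garbage_interval:
            return
        self._last_gc = now
        for nonce, state in list(self._nonces.items()):
            if now - state["issued"] > self.max_duration:
                del self._nonces[nonce]

    def check(self, nonce: str, nc: int) -> str:
        """Return "ok", or the reason the client must be re-challenged (stale nonce)."""
        self.collect_garbage()
        state = self._nonces.get(nonce)
        if state is None:
            return "unknown nonce"
        now = self.clock()
        if now - state["issued"] > self.max_duration:
            return "nonce expired (nonce_max_duration)"
        if state["uses"] >= self.max_count:
            return "nonce used too often (nonce_max_count)"
        if self.check_nonce_count:
            if self.strictness and nc != state["nc"] + 1:
                return "nonce count must increment by exactly 1 (nonce_strictness on)"
            if nc <= state["nc"]:
                # A repeated or lower nc is a replayed Proxy-Authorization header.
                return "nonce count replayed (check_nonce_count)"
        state["nc"] = max(state["nc"], nc)
        state["uses"] += 1
        return "ok"


if __name__ == "__main__":
    # Constructed request sequence from one client reusing a nonce.
    tracker = NonceTracker(max_count=3)
    nonce = tracker.issue()
    for nc in (1, 1, 2, 3, 4):
        print(nc, tracker.check(nonce, nc))
```

The two relaxations the directives allow are visible in the last branch: nonce_strictness off accepts any increase in nc (a client that skips counts after a failed request still works), while check_nonce_count off removes the replay detection entirely, leaving only nonce_max_duration and nonce_max_count to bound how long a captured header is useful.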

NTLM “program” cmdline Specify the command for the external ntlm authenticator. Such a program reads a line containing the
base64-encoded NEGOTIATE message and replies with the ntlm CHALLENGE, then waits for the response and answers with
“OK” or “ERR”, in an endless loop. If you use an ntlm authenticator, make sure you have at least one acl of type
proxy_auth. By default, the ntlm authenticator program is not used.

auth_param ntlm program /usr/local/Squid/bin/ntlm_auth

“children” number of children The number of authenticator processes to spawn (no default). If you start too few, Squid will have to wait for
them to process a backlog of credential verifications, slowing it down. When credential verifications are done
via a (slow) network you are likely to need lots of authenticator processes.

auth_param ntlm children 5

“keep_alive” on|off This option enables the use of keep-alive on the initial authentication request. Some versions of MSIE have
been reported to have problems when this is enabled, but enabling it improves performance.

auth_param ntlm keep_alive on

Negotiate “program” cmdline
Specify the command for the external Negotiate authenticator. Such a program participates in the SPNEGO exchanges
between Squid and the client and reads commands according to the Squid ntlmssp helper protocol. See helpers/ntlm_auth/
for details. Recommended SPNEGO authenticator is ntlm_auth from Samba-4.X.

auth_param negotiate program /path/to/samba/bin/ntlm_auth --helper-protocol=gss-spnego

“children” numberofchildren
The number of authenticator processes to spawn. If you start too few squid will have to wait for them to process a
backlog of credential verifications, slowing it down.

auth_param negotiate children 5

“keep_alive” on|off
If you experience problems with PUT/POST requests when using the Negotiate authentication scheme then you can try
setting this to off.

auth_param negotiate keep_alive on

Note: Once an authentication scheme is fully configured, it can only be shutdown by shutting Squid down and restarting.

Arguments

scheme
One of the authentication schemes mentioned above
parameter
One of the parameters for that scheme, as listed above

Example(s)
auth_param basic program /usr/local/Squid/bin/ncsa_auth /usr/local/Squid/etc/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Recommended minimum configuration
auth_param digest program <uncomment and complete this line>
auth_param digest children 5
auth_param digest realm Squid proxy-caching web server
auth_param digest nonce_garbage_interval 5 minutes
auth_param digest nonce_max_duration 30 minutes
auth_param digest nonce_max_count 50

auth_param ntlm program <uncomment and complete this line to activate>
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program <uncomment and complete this line to activate>
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours