]>
Commit | Line | Data |
---|---|---|
d3969417 AM |
1 | Index: squid/src/cf.data.pre |
2 | diff -c squid/src/cf.data.pre:1.245.2.27 squid/src/cf.data.pre:1.245.2.30 | |
3 | *** squid/src/cf.data.pre:1.245.2.27 Sun Sep 29 13:05:02 2002 | |
4 | --- squid/src/cf.data.pre Mon Oct 7 22:29:40 2002 | |
5 | *************** | |
6 | *** 1288,1294 **** | |
7 | to replay attacks unless you are using an one-time password | |
8 | system (such as SecureID). If you are using such a system, | |
9 | you will be vulnerable to replay attacks unless you also | |
10 | ! enable the IP ttl is strict option. | |
11 | ||
12 | === Parameters for the digest scheme follow === | |
13 | ||
14 | --- 1288,1294 ---- | |
15 | to replay attacks unless you are using an one-time password | |
16 | system (such as SecureID). If you are using such a system, | |
17 | you will be vulnerable to replay attacks unless you also | |
18 | ! use the max_user_ip ACL in an http_access rule. | |
19 | ||
20 | === Parameters for the digest scheme follow === | |
21 | ||
22 | *************** | |
23 | *** 1426,1448 **** | |
24 | LOC: Config.authenticateIpTTL | |
25 | DEFAULT: 0 seconds | |
26 | DOC_START | |
27 | ! With this option you control how long a proxy authentication | |
28 | ! will be bound to a specific IP address. If a request using | |
29 | ! the same user name is received during this time then access | |
30 | ! will be denied and both users are required to reauthenticate | |
31 | ! them selves. The idea behind this is to make it annoying | |
32 | ! for people to share their password to their friends, but | |
33 | ! yet allow a dialup user to reconnect on a different dialup | |
34 | ! port. | |
35 | ! | |
36 | ! The default is 0 to disable the check. Recommended value | |
37 | ! if you have dialup users are no more than 60 seconds to allow | |
38 | ! the user to redial without hassle. If all your users are | |
39 | ! stationary then higher values may be used. | |
40 | ! | |
41 | ! See also the acl max_user_ip. The max_user_ip acl replaces | |
42 | ! the authenticate_ip_ttl_is_strict option found in earlier | |
43 | ! Squid versions. | |
44 | DOC_END | |
45 | ||
46 | NAME: external_acl_type | |
47 | --- 1426,1438 ---- | |
48 | LOC: Config.authenticateIpTTL | |
49 | DEFAULT: 0 seconds | |
50 | DOC_START | |
51 | ! If you use proxy authentication and the 'max_user_ip' ACL, | |
52 | ! this directive controls how long Squid remembers the IP | |
53 | ! addresses associated with each user. Use a small value | |
54 | ! (e.g., 60 seconds) if your users might change addresses | |
55 | ! quickly, as is the case with dialups. You might be safe | |
56 | ! using a larger value (e.g., 2 hours) in a corporate LAN | |
57 | ! environment with relatively static address assignments. | |
58 | DOC_END | |
59 | ||
60 | NAME: external_acl_type | |
61 | *************** | |
62 | *** 1968,1982 **** | |
63 | ||
64 | acl aclname max_user_ip [-s] number | |
65 | # This will be matched when the user attempts to log in from more | |
66 | ! # than <number> different ip address's. The authenticate_ip_ttl | |
67 | # parameter controls the timeout on the ip entries. | |
68 | # If -s is specified then the limit is strict, denying browsing | |
69 | # from any further IP addresses until the ttl has expired. Without | |
70 | ! # -s Squid will just annoy the user by "randomly" deny requests. | |
71 | # (the counter is then reset each time the limit is reached and a | |
72 | # request is denied) | |
73 | # NOTE: in acceleration mode or where there is mesh of child proxies, | |
74 | ! # clients may appear to come from multiple address's if they are | |
75 | # going through proxy farms, so a limit of 1 may cause user problems. | |
76 | ||
77 | acl aclname req_mime_type mime-type1 ... | |
78 | --- 1958,1972 ---- | |
79 | ||
80 | acl aclname max_user_ip [-s] number | |
81 | # This will be matched when the user attempts to log in from more | |
82 | ! # than <number> different ip addresses. The authenticate_ip_ttl | |
83 | # parameter controls the timeout on the ip entries. | |
84 | # If -s is specified then the limit is strict, denying browsing | |
85 | # from any further IP addresses until the ttl has expired. Without | |
86 | ! # -s Squid will just annoy the user by "randomly" denying requests. | |
87 | # (the counter is then reset each time the limit is reached and a | |
88 | # request is denied) | |
89 | # NOTE: in acceleration mode or where there is mesh of child proxies, | |
90 | ! # clients may appear to come from multiple addresses if they are | |
91 | # going through proxy farms, so a limit of 1 may cause user problems. | |
92 | ||
93 | acl aclname req_mime_type mime-type1 ... | |
94 | Index: squid/src/authenticate.c | |
95 | diff -c squid/src/authenticate.c:1.36.2.3 squid/src/authenticate.c:1.36.2.6 | |
96 | *** squid/src/authenticate.c:1.36.2.3 Wed Oct 2 03:02:29 2002 | |
97 | --- squid/src/authenticate.c Mon Oct 7 21:31:06 2002 | |
98 | *************** | |
99 | *** 244,250 **** | |
100 | return NULL; | |
101 | } | |
102 | ||
103 | ! void | |
104 | authenticateAuthUserRequestSetIp(auth_user_request_t * auth_user_request, struct in_addr ipaddr) | |
105 | { | |
106 | auth_user_ip_t *ipdata, *tempnode; | |
107 | --- 244,250 ---- | |
108 | return NULL; | |
109 | } | |
110 | ||
111 | ! static void | |
112 | authenticateAuthUserRequestSetIp(auth_user_request_t * auth_user_request, struct in_addr ipaddr) | |
113 | { | |
114 | auth_user_ip_t *ipdata, *tempnode; | |
115 | *************** | |
116 | *** 265,271 **** | |
117 | tempnode = (auth_user_ip_t *) ipdata->node.next; | |
118 | /* walk the ip list */ | |
119 | if (ipdata->ipaddr.s_addr == ipaddr.s_addr) { | |
120 | ! /* This ip has alreadu been seen. */ | |
121 | found = 1; | |
122 | /* update IP ttl */ | |
123 | ipdata->ip_expiretime = squid_curtime; | |
124 | --- 265,271 ---- | |
125 | tempnode = (auth_user_ip_t *) ipdata->node.next; | |
126 | /* walk the ip list */ | |
127 | if (ipdata->ipaddr.s_addr == ipaddr.s_addr) { | |
128 | ! /* This ip has already been seen. */ | |
129 | found = 1; | |
130 | /* update IP ttl */ | |
131 | ipdata->ip_expiretime = squid_curtime; | |
132 | *************** | |
133 | *** 438,446 **** | |
134 | } | |
135 | /* | |
136 | * a note on proxy_auth logix here: | |
137 | ! * proxy_auth==NULL -> unauthenticated request || already authenticated connection | |
138 | ! * so we test for an authenticated connection when we recieve no authentication | |
139 | ! * header. | |
140 | */ | |
141 | if (((proxy_auth == NULL) && (!authenticateUserAuthenticated(*auth_user_request ? *auth_user_request : conn->auth_user_request))) | |
142 | || (conn->auth_type == AUTH_BROKEN)) { | |
143 | --- 438,446 ---- | |
144 | } | |
145 | /* | |
146 | * a note on proxy_auth logix here: | |
147 | ! * proxy_auth==NULL -> unauthenticated request || already | |
148 | ! * authenticated connection so we test for an authenticated | |
149 | ! * connection when we recieve no authentication header. | |
150 | */ | |
151 | if (((proxy_auth == NULL) && (!authenticateUserAuthenticated(*auth_user_request ? *auth_user_request : conn->auth_user_request))) | |
152 | || (conn->auth_type == AUTH_BROKEN)) { | |
153 | *************** | |
154 | *** 585,591 **** | |
155 | *auth_user_request = t; | |
156 | return t->lastReply; | |
157 | } | |
158 | - | |
159 | /* ok, call the actual authenticator routine. */ | |
160 | result = authenticateAuthenticate(auth_user_request, headertype, request, conn, src_addr); | |
161 | t = *auth_user_request ? *auth_user_request : conn->auth_user_request; | |
162 | --- 585,590 ---- | |
163 | *************** | |
164 | *** 734,741 **** | |
165 | } | |
166 | } | |
167 | } | |
168 | ! /* allow protocol specific headers to be _added_ to the existing response - ie | |
169 | ! * digest auth | |
170 | */ | |
171 | if ((auth_user_request != NULL) && (auth_user_request->auth_user->auth_module > 0) | |
172 | && (authscheme_list[auth_user_request->auth_user->auth_module - 1].AddHeader)) | |
173 | --- 733,741 ---- | |
174 | } | |
175 | } | |
176 | } | |
177 | ! /* | |
178 | ! * allow protocol specific headers to be _added_ to the existing | |
179 | ! * response - ie digest auth | |
180 | */ | |
181 | if ((auth_user_request != NULL) && (auth_user_request->auth_user->auth_module > 0) | |
182 | && (authscheme_list[auth_user_request->auth_user->auth_module - 1].AddHeader)) | |
183 | *************** | |
184 | *** 811,827 **** | |
185 | return auth_user->references; | |
186 | } | |
187 | ||
188 | ! /* Combine two user structs. ONLY to be called from within a scheme module. | |
189 | ! * The scheme module is responsible for ensuring that the two users _can_ be merged | |
190 | ! * without invalidating all the request scheme data. | |
191 | ! * the scheme is also responsible for merging any user related scheme data itself. */ | |
192 | void | |
193 | authenticateAuthUserMerge(auth_user_t * from, auth_user_t * to) | |
194 | { | |
195 | dlink_node *link, *tmplink; | |
196 | auth_user_request_t *auth_user_request; | |
197 | ! /* XXX combine two authuser structs. Incomplete: it should merge in hash references | |
198 | ! * too and ask the module to merge in scheme data */ | |
199 | debug(29, 5) ("authenticateAuthUserMerge auth_user '%p' into auth_user '%p'.\n", from, to); | |
200 | link = from->requests.head; | |
201 | while (link) { | |
202 | --- 811,833 ---- | |
203 | return auth_user->references; | |
204 | } | |
205 | ||
206 | ! /* | |
207 | ! * Combine two user structs. ONLY to be called from within a scheme | |
208 | ! * module. The scheme module is responsible for ensuring that the | |
209 | ! * two users _can_ be merged without invalidating all the request | |
210 | ! * scheme data. the scheme is also responsible for merging any user | |
211 | ! * related scheme data itself. | |
212 | ! */ | |
213 | void | |
214 | authenticateAuthUserMerge(auth_user_t * from, auth_user_t * to) | |
215 | { | |
216 | dlink_node *link, *tmplink; | |
217 | auth_user_request_t *auth_user_request; | |
218 | ! /* | |
219 | ! * XXX combine two authuser structs. Incomplete: it should merge | |
220 | ! * in hash references too and ask the module to merge in scheme | |
221 | ! * data | |
222 | ! */ | |
223 | debug(29, 5) ("authenticateAuthUserMerge auth_user '%p' into auth_user '%p'.\n", from, to); | |
224 | link = from->requests.head; | |
225 | while (link) { | |
226 | Index: squid/src/acl.c | |
227 | diff -c squid/src/acl.c:1.270.2.9 squid/src/acl.c:1.270.2.10 | |
228 | *** squid/src/acl.c:1.270.2.9 Wed Oct 2 03:02:29 2002 | |
229 | --- squid/src/acl.c Mon Oct 7 21:33:52 2002 | |
230 | *************** | |
231 | *** 1249,1255 **** | |
232 | return W; | |
233 | } | |
234 | ||
235 | ! /* aclMatchUserMaxIP - check for users logging in from multiple IP's | |
236 | * 0 : No match | |
237 | * 1 : Match | |
238 | */ | |
239 | --- 1249,1256 ---- | |
240 | return W; | |
241 | } | |
242 | ||
243 | ! /* | |
244 | ! * aclMatchUserMaxIP - check for users logging in from multiple IP's | |
245 | * 0 : No match | |
246 | * 1 : Match | |
247 | */ | |
248 | *************** | |
249 | *** 1258,1264 **** | |
250 | struct in_addr src_addr) | |
251 | { | |
252 | /* | |
253 | ! * > the logic for flush the ip list when the limit is hit vs keep it sorted in most recent access order and just drop the oldest one off is currently undecided | |
254 | */ | |
255 | acl_user_ip_data *acldata = data; | |
256 | ||
257 | --- 1259,1267 ---- | |
258 | struct in_addr src_addr) | |
259 | { | |
260 | /* | |
261 | ! * the logic for flush the ip list when the limit is hit vs keep | |
262 | ! * it sorted in most recent access order and just drop the oldest | |
263 | ! * one off is currently undecided | |
264 | */ | |
265 | acl_user_ip_data *acldata = data; | |
266 | ||
267 | *************** | |
268 | *** 1267,1280 **** | |
269 | ||
270 | /* this is a match */ | |
271 | if (acldata->flags.strict) { | |
272 | ! /* simply deny access - the user name is already associated with | |
273 | * the request | |
274 | */ | |
275 | /* remove _this_ ip, as it is the culprit for going over the limit */ | |
276 | authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr); | |
277 | debug(28, 4) ("aclMatchUserMaxIP: Denying access in strict mode\n"); | |
278 | } else { | |
279 | ! /* non-strict - remove some/all of the cached entries | |
280 | * ie to allow the user to move machines easily | |
281 | */ | |
282 | authenticateAuthUserRequestClearIp(auth_user_request); | |
283 | --- 1270,1285 ---- | |
284 | ||
285 | /* this is a match */ | |
286 | if (acldata->flags.strict) { | |
287 | ! /* | |
288 | ! * simply deny access - the user name is already associated with | |
289 | * the request | |
290 | */ | |
291 | /* remove _this_ ip, as it is the culprit for going over the limit */ | |
292 | authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr); | |
293 | debug(28, 4) ("aclMatchUserMaxIP: Denying access in strict mode\n"); | |
294 | } else { | |
295 | ! /* | |
296 | ! * non-strict - remove some/all of the cached entries | |
297 | * ie to allow the user to move machines easily | |
298 | */ | |
299 | authenticateAuthUserRequestClearIp(auth_user_request); | |
300 | *************** | |
301 | *** 1288,1294 **** | |
302 | aclLookupProxyAuthStart(aclCheck_t * checklist) | |
303 | { | |
304 | auth_user_request_t *auth_user_request; | |
305 | ! assert(checklist->auth_user_request != NULL); /* this is created for us */ | |
306 | auth_user_request = checklist->auth_user_request; | |
307 | ||
308 | assert(authenticateValidateUser(auth_user_request)); | |
309 | --- 1293,1300 ---- | |
310 | aclLookupProxyAuthStart(aclCheck_t * checklist) | |
311 | { | |
312 | auth_user_request_t *auth_user_request; | |
313 | ! /* make sure someone created auth_user_request for us */ | |
314 | ! assert(checklist->auth_user_request != NULL); | |
315 | auth_user_request = checklist->auth_user_request; | |
316 | ||
317 | assert(authenticateValidateUser(auth_user_request)); | |
318 | Index: squid/src/protos.h | |
319 | diff -c squid/src/protos.h:1.420.2.13 squid/src/protos.h:1.420.2.14 | |
320 | *** squid/src/protos.h:1.420.2.13 Wed Oct 2 03:02:30 2002 | |
321 | --- squid/src/protos.h Tue Oct 8 10:08:30 2002 | |
322 | *************** | |
323 | *** 759,765 **** | |
324 | extern void authenticateAuthUserRequestLock(auth_user_request_t *); | |
325 | extern char *authenticateAuthUserRequestMessage(auth_user_request_t *); | |
326 | extern int authenticateAuthUserInuse(auth_user_t * auth_user); | |
327 | - extern void authenticateAuthUserRequestSetIp(auth_user_request_t *, struct in_addr); | |
328 | extern void authenticateAuthUserRequestRemoveIp(auth_user_request_t *, struct in_addr); | |
329 | extern void authenticateAuthUserRequestClearIp(auth_user_request_t *); | |
330 | extern size_t authenticateAuthUserRequestIPCount(auth_user_request_t *); | |
331 | --- 759,764 ---- |