Article delegate-en/1038 of [1-5169] on the server localhost:119
[Reference:<_A1037@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: How to authenticate users?
28 Feb 2001 03:28:42 GMT ysato@delegate.org (Yutaka Sato)


 |> Could you tell me why the authentication must be done at DeleGate
 |> rather than the target HTTP server ?
 |
 |Because one of the target HTTP servers does not support authentication.
 |
 |Because the target HTTP servers are behind a firewall, and I don't
 |want to authenticate all users coming in to them, only the ones that
 |_don't_ come in from the local LAN.  So, I want to set up Delegate
 |as the gateway between the internet and the LAN based HTTP servers,
 |so that internet users have to authenticate, but LAN users do not.

I see.

On 02/23/01(13:24) you wrote in <_A1033@delegate-en.ML_>
 |Now, I have written a perl script that can access the RADIUS server,
 |and determine whether a user name / password is valid, based on the
 |code here, and using it as a FFROMCL script:

FFROMCL is not recommended in your case since its overhead is heavy,
especially when used with a lightweight protocol like HTTP.

On 02/27/01(07:01) you wrote in <_A1034@delegate-en.ML_>
 |I read the instructions under the AUTH parameter and used these
 |config options:
 |
 |        AUTH=proxy:pauth \

Since your DeleGate is working as if it is an origin server from the
viewpoint of the client,

  AUTH=origin:auth 

is a proper parameter.  AUTH=proxy:pauth requires "Proxy-Authorization:",
which will be consumed at a client-side proxy server if one exists.
In contrast, AUTH=origin:auth requires "Authorization:" which will be
propagated to the target (origin) server.

 |The documentation on AUTH and AUTHORIZER in this situation is very
 |unclear, and so I'm having to read the code to find out what goes
 |on, but the code is also fairly unclear and lacks good comments.  Can
 |someone tell me what path the code takes in trying to validate a
 |user?

Obviously, the current authentication/authorization mechanism of DeleGate
is nothing more than the result of unsuccessful trials in early times.


On 02/27/01(08:45) you wrote in <_A1035@delegate-en.ML_>
 |AUTHORIZER parameter ==  AUTHORIZER=authServList[:connMap]
 |       authServList  ==  authServ[,authServ]* | & | *
 |           authServ  ==  authHost[/portNum]
...
 |                    --  restriction: applicable to Telnet, FTP and NNTP
 |
 |... what do the words "restriction: applicable to Telnet, FTP and NNTP"
 |mean?  Does it mean that only Telnet, FTP and NNTP can be authenticated?

Yes.

 |Does it mean that only Telnet, FTP and NNTP can be used as the authentication
 |protocols, but HTTPS users can be authenticated?

No. AUTH=origin:auth with PERMIT="*:*:*@authhost" allows access only
if a request contains an Authorization header with a username in the form
"xxx@authhost" and a password "yyy", and a login to ftp://authhost
with the username "xxx" and the password "yyy" succeeds.
This design is not good on two points: requiring "@authhost" from
clients can be undesirable, and the standard port of FTP (21) can be
unavailable for an authentication server (which may be programmed
by users) for DeleGate.

AUTHORIZER, which was introduced later, solved these problems.
With it, the "@authhost" part is not required, and
AUTHORIZER=authhost/9999 will use the auth server at port 9999 on authhost.
But it has not been applicable to HTTP yet, so I made a tentative
patch and enclosed it. It will enable a usage like:

  AUTH=origin:auth          ... require Authorization
  AUTHORIZER=authhost/port  ... authenticated as ftp://user:pass@authhost:port
  PERMIT="*:*:*@authhost"   ... allow everyone if authorized at authhost

I wrote about how to make an authorizer yourself, which acts as an FTP
server, in the article:
<URL:http://www.delegate.org/mail-lists/delegate-en/00969>

Cheers,
Yutaka
--
Yutaka Sato <ysato@delegate.org> http://www.delegate.org/~ysato/   @ @ 
Computer Science Division, Electrotechnical Laboratory            ( - )
1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan                  _<   >_


diff -c ../../delegate7.1.0/src/access.c ./access.c
*** ../../delegate7.1.0/src/access.c	Thu Feb 15 15:05:28 2001
--- ./access.c	Wed Feb 28 12:38:17 2001
***************
*** 852,857 ****
--- 852,874 ----
  	return ok;
  }
  
+ doAuth(Conn,ident)
+ 	Connection *Conn;
+ 	AuthInfo *ident;
+ {	int rcode;
+ 	char authserv[256],userpass[256];
+ 
+ 	if( find_CMAP(Conn,AUTHSERV_MAP,authserv) < 0 )
+ 		return 0;
+ 	sprintf(userpass,"%s:%s",ident->i_user,ident->i_pass);
+ 	rcode = doAUTH(Conn,NULL,NULLFP(),DST_PROTO,DST_HOST,0,
+ 			userpass,ident->i_addr.a_name,NULL,NULL);
+ 	sv1log("AUTHORIZER=%s host=[%s] user=[%s] -> %s\n",
+ 		authserv,ident->i_addr.a_name,ident->i_user,rcode==0?"OK":"NO");
+ 	if( rcode == 0 )
+ 		return 1;
+ 	else	return -1;
+ }
  doAUTH(Conn,fc,tc,dstproto,dsthost,dstport,auser,ahost,func,arg)
  	Connection *Conn;
  	FILE *fc,*tc;
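Review bot: `sprintf(userpass,"%s:%s",ident->i_user,ident->i_pass)` writes header-derived data into the fixed `char userpass[256]` with no length check; `i_user` and `i_pass` come from the client's Authorization header (see the httphead.c hunk), so an over-long credential overflows this stack buffer before the authorizer is ever consulted. Bound it, e.g. `snprintf(userpass,sizeof(userpass),"%s:%s",...)` with a check that the result fit, or reject a user/password longer than the buffer, and look at `authserv` too, since `find_CMAP` fills it without a visible size argument. Also, the looked-up `authserv` is only used in the `sv1log` line while `doAUTH` is called with `DST_PROTO,DST_HOST,0`; unless `doAUTH` consults the AUTHORIZER map itself, the authorizer host/port never reaches it. Finally, the tri-state return (0 = no AUTHORIZER configured, 1 = accepted, -1 = rejected) deserves a comment, because the caller must distinguish all three.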
diff -c ../../delegate7.1.0/src/httphead.c ./httphead.c
*** ../../delegate7.1.0/src/httphead.c	Sat Feb 10 22:21:09 2001
--- ./httphead.c	Wed Feb 28 12:42:11 2001
***************
*** 1184,1189 ****
--- 1184,1201 ----
  	int vno,totalc;
  	char *host,*user,*pass;
  
+ 	if( HTTP_getAuthorization(Conn,pauth,&ident,0) ){
+ 		int rcode;
+ 		if( rcode = doAuth(Conn,&ident) ){
+ 			if( 0 < rcode ){
+ 				ClientAuth = ident;
+ 				if( service_permitted2(Conn,DST_PROTO,1) )
+ 					return 1;
+ 				ClientAuthUser[0] = 0;
+ 			}
+ 			return 0;
+ 		}
+ 	}
  	if( HTTP_getAuthorization(Conn,pauth,&ident,1) ){
  		host = ident.i_addr.a_name;
  		user = ident.i_user;
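Review bot: `ClientAuth = ident;` is assigned before `service_permitted2` runs, but on the PERMIT-failure path only `ClientAuthUser[0] = 0;` is reset, so `ClientAuth` keeps the identity (user and password) of a request that was just denied; assign `ClientAuth` only after `service_permitted2(Conn,DST_PROTO,1)` succeeds, or clear both on failure. Style: `if( rcode = doAuth(Conn,&ident) )` reads like a typo; write `if( (rcode = doAuth(Conn,&ident)) != 0 )`. Note also that `HTTP_getAuthorization` is now called twice on the fall-through path (first with the new `0` argument, then with `1` below), which is only safe if the call is idempotent; a one-line comment on what that last argument changes would help the next reader.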

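An added example, not code from DeleGate or from the article linked above, of the arrangement this message describes: DeleGate requires an Authorization: header (AUTH=origin:auth), decodes the Basic credentials, and logs in as ftp://user:pass@authhost:port; the authorizer is a small server that speaks only the USER/PASS part of FTP and answers 230 for a valid credential and 530 otherwise. The user names, passwords and credential store are constructed for the example, and it assumes DeleGate needs nothing beyond the 220/331/230/530 replies of a login, which this page does not confirm.

```python
# Added example, not DeleGate code: an FTP-style authorizer for AUTHORIZER=authhost/port
# plus the client-side checks DeleGate makes under AUTH=origin:auth. Assumes only the
# USER/PASS replies (220/331/230/530) are needed and that creds arrive as HTTP Basic.
import base64
import hashlib
import hmac
import os
import socketserver
import threading
from ftplib import FTP, error_perm

def _entry(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential store: user -> (salt, PBKDF2 digest); no plaintext is kept.
USERS = {"alice": _entry("s3cret"), "bob": _entry("hunter2")}
_DUMMY = _entry("")  # hashed for unknown users so timing does not leak user names

def check_password(user, password):
    salt, digest = USERS.get(user, _DUMMY)
    return hmac.compare_digest(_entry(password, salt)[1], digest) and user in USERS

def basic_credentials(headers, role="origin"):
    """Read the header AUTH=origin:auth (Authorization) or AUTH=proxy:pauth
    (Proxy-Authorization) requires; returns (user, password) or None."""
    name = "authorization" if role == "origin" else "proxy-authorization"
    value = next((v for k, v in headers.items() if k.lower() == name), "")
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # RFC 2617: no ':' in user
    return (user, password) if sep and user else None

class AuthorizerSession:  # server-side state machine for the login part of RFC 959
    GREETING = "220 authorizer ready\r\n"
    def __init__(self):
        self.user = None
    def handle(self, line):  # returns (reply, keep_open) for one command line
        verb, _, arg = line.rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            return "331 Password required\r\n", True
        if verb == "PASS":
            if self.user is not None and check_password(self.user, arg):
                return "230 Login successful\r\n", True
            return "530 Login incorrect\r\n", False  # one attempt per connection
        if verb == "QUIT":
            return "221 Goodbye\r\n", False
        return "530 Please login with USER and PASS\r\n", True

class _Handler(socketserver.StreamRequestHandler):
    timeout = 10  # idle seconds before the client is dropped
    def handle(self):
        session = AuthorizerSession()
        try:
            self.wfile.write(AuthorizerSession.GREETING.encode("ascii"))
            while True:
                raw = self.rfile.readline(1024)  # cap line length: input is untrusted
                if not raw.endswith(b"\n"):
                    break  # EOF or over-long line: drop the client
                reply, keep_open = session.handle(raw.decode("latin-1"))
                self.wfile.write(reply.encode("ascii"))
                if not keep_open:
                    break
        except OSError:
            pass

def start_authorizer(host="127.0.0.1", port=0):
    """Listen on host:port (0 = ephemeral); returns (bound_port, server)."""
    server = socketserver.ThreadingTCPServer((host, port), _Handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1], server

def ftp_login(host, port, user, password, timeout=5.0):
    """The check DeleGate makes for ftp://user:pass@host:port: True on 230, False on
    a 5xx reply; connection errors propagate so an unreachable authorizer is not a denial."""
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login(user, password)
        return True
    except error_perm:
        return False
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()

def authorize_request(headers, authhost, port):
    """Both halves: Basic credentials from the request, then the authorizer login."""
    creds = basic_credentials(headers, role="origin")
    return creds[0] if creds and ftp_login(authhost, port, *creds) else None
```

The authorizer closes the connection after one failed PASS, caps command lines at 1 KiB and drops idle clients after 10 seconds, since everything it receives is derived from an untrusted Authorization: header. Run on port 9999 as the target of AUTHORIZER=authhost/9999, it answers the login the patch above makes DeleGate perform; start_authorizer() binds an ephemeral port so the block can be exercised locally, and server.shutdown() stops it.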