negotiate_kerberos_auth(8)    System Manager's Manual    negotiate_kerberos_auth(8)

NAME

       negotiate_kerberos_auth - Squid kerberos based authentication helper

       Version 3.0.4sq

SYNOPSIS

       negotiate_kerberos_auth [-h] [-d] [-i] [-r] [-s Service-Principal-Name]

DESCRIPTION

       negotiate_kerberos_auth is an installed binary and allows Squid to
       authenticate users via the Negotiate protocol and Kerberos.

OPTIONS

       -h          Display the binary help and command line syntax info using
                   stderr.

       -d          Write debug messages to stderr.

       -i          Write informational messages to stderr.

       -r          Remove the realm from the username before returning the
                   username to squid.

       -s Service-Principal-Name
                   Provide the Service Principal Name the helper should use.

CONFIGURATION

       This helper is intended to be used as an authentication helper in
       squid.conf.

       auth_param negotiate program /path/to/negotiate_kerberos_auth
       auth_param negotiate children 10
       auth_param negotiate keep_alive on

       NOTE: The following squid startup file modification may be required:

       Add the following lines to the squid startup script to point squid to a
       keytab file which contains the HTTP/fqdn service principal for the
       default Kerberos domain. The fqdn must be the proxy name set in IE or
       Firefox. You cannot use an IP address.

       KRB5_KTNAME=/etc/squid/HTTP.keytab export KRB5_KTNAME

       If you use a different Kerberos domain than the machine itself is in,
       you can point squid to a separate Kerberos config file by setting the
       following environment variable in the startup script.

       KRB5_CONFIG=/etc/krb5-squid.conf export KRB5_CONFIG

       Kerberos can keep a replay cache to detect the reuse of Kerberos tickets
       (usually only possible in a 5 minute window). If squid is under high
       load with Negotiate(Kerberos) proxy authentication requests, the replay
       cache checks can create high CPU load. If the environment does not
       require high security, the replay cache check can be disabled for MIT
       based Kerberos implementations by adding the following to the startup
       script:

       KRB5RCACHETYPE=none export KRB5RCACHETYPE

       If negotiate_kerberos_auth does not determine the right service
       principal for some reason, you can provide it with -s HTTP/fqdn.

       If you serve multiple Kerberos realms, add an HTTP/fqdn@REALM service
       principal per realm to the HTTP.keytab file and use the -s
       GSS_C_NO_NAME option with negotiate_kerberos_auth.

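
       The following shell fragment is an added example, not part of the Squid
       distribution, showing pre-flight checks for the configuration above: it
       rejects a proxy name that is an IP address or not fully qualified,
       verifies the keytab is readable, and prints the startup-script export
       lines, emitting KRB5RCACHETYPE=none only on explicit request. The
       function names and arguments are assumptions.

```sh
#!/bin/sh
# Added example (not from the Squid sources): pre-flight checks for a
# negotiate_kerberos_auth deployment. Function names are assumptions.

# is_fqdn NAME: succeeds if NAME is a fully qualified host name.
# A dotted-digit name is treated as an IPv4 address and rejected, because
# the helper needs an HTTP/fqdn principal and an IP address never matches one.
is_fqdn() {
    case "$1" in
        *[!0-9.]*) ;;          # contains a non-digit, non-dot char: a host name
        *)         return 1 ;; # only digits and dots: an IP address
    esac
    case "$1" in
        *.*) return 0 ;;       # contains a dot: fully qualified
        *)   return 1 ;;       # bare short name: not the HTTP/fqdn the keytab holds
    esac
}

# service_principal FQDN: the value to pass with -s when the helper cannot
# work out the principal itself.
service_principal() {
    printf 'HTTP/%s\n' "$1"
}

# check_keytab PATH: the keytab must exist and be readable by the account
# the helper runs as (the current user when run from the startup script).
check_keytab() {
    [ -f "$1" ] && [ -r "$1" ]
}

# startup_env KEYTAB [KRB5CONF] [DISABLE_RCACHE]: print the export lines for
# the squid startup script. KRB5RCACHETYPE=none is emitted only when the third
# argument is "yes", since it turns off Kerberos replay detection entirely.
startup_env() {
    printf 'KRB5_KTNAME=%s export KRB5_KTNAME\n' "$1"
    if [ -n "$2" ]; then
        printf 'KRB5_CONFIG=%s export KRB5_CONFIG\n' "$2"
    fi
    if [ "$3" = yes ]; then
        printf 'KRB5RCACHETYPE=none export KRB5RCACHETYPE\n'
    fi
    return 0
}
```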

AUTHOR

       This program was written by Markus Moeller
       <markus_moeller@compuserve.com>

       This manual was written by Markus Moeller
       <markus_moeller@compuserve.com>

       This program and documentation are copyright to the authors named above.

       Distributed under the GNU General Public License (GNU GPL) version 2 or
       later (GPLv2+).

QUESTIONS

       Questions on the usage of this program can be sent to the Squid Users
       mailing list <squid-users@squid-cache.org>

REPORTING BUGS

       Bug reports need to be made in English. See
       http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what
       you need to include with your bug report.

       Report bugs or bug fixes using http://bugs.squid-cache.org/

       Report serious security bugs to Squid Bugs <squid-bugs@squid-cache.org>

       Report ideas for new improvements to the Squid Developers mailing list
       <squid-dev@squid-cache.org>

SEE ALSO

       squid(8) ext_kerberos_ldap_group_acl(8)
       RFC4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication in
       Microsoft Windows,
       RFC2478 - The Simple and Protected GSS-API Negotiation Mechanism,
       RFC1964 - The Kerberos Version 5 GSS-API Mechanism,
       The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
       The Squid Configuration Manual http://www.squid-cache.org/Doc/config/
       http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

                                                    negotiate_kerberos_auth(8)