1negotiate_kerberos_auth(8)  System Manager's Manual negotiate_kerberos_auth(8)
2
3
4

NAME

6       negotiate_kerberos_auth - Squid kerberos based authentication helper
7
8       Version 3.0.4sq
9

SYNOPSIS

11       negotiate_kerberos_auth [-h] [-d] [-i] [-r] [-s Service-Principal-Name]
12       [-k Keytab-Name] [-c Replay-Cache-Directory] [-t Replay-Cache-Type]
13

DESCRIPTION

15       negotiate_kerberos_auth is an installed  binary  and  allows  Squid  to
16       authenticate users via the Negotiate protocol and Kerberos.
17
18

OPTIONS

20       -h          Display  the binary help and command line syntax info using
21                   stderr.
22
23       -d          Write debug messages to stderr.
24
25       -i          Write informational messages to stderr.
26
27       -r          Remove realm from username before returning the username to
28                   squid.
29
30       -s Service-Principal-name
31                   Provide Service Principal Name.
32
33       -k Keytab-Name
34                   Provide Kerberos Keytab Name (Default: /etc/krb5.keytab)
35
36       -c Replay-Cache-Directory
37                   Provide Replay Cache Directory (Default: /var/tmp)
38
39       -t Replay-Cache-Type
40                   Provide Replay Cache Type (Default: dfl)
41

CONFIGURATION

43       This  helper  is  intended  to  be  used as an authentication helper in
44       squid.conf.
45
46       auth_param negotiate program /path/to/negotiate_kerberos_auth
47       auth_param negotiate children 10
48       auth_param negotiate keep_alive on
49
50       NOTE: The following squid startup file modification may be required:
51
52       Add the following lines to the squid startup script to point squid to a
53       keytab  file  which  contains  the  HTTP/fqdn service principal for the
54       default Kerberos domain. The keytab name can also be provided by the -k
55       <keytab name> option. The fqdn must be the proxy name set in IE
56        or firefox. You can not use an IP address.
57
58       KRB5_KTNAME=/etc/squid/HTTP.keytab export KRB5_KTNAME
59
60       If  you  use  a different Kerberos domain than the machine itself is in
61       you can point squid to the separate Kerberos config file by setting the
62       following environment variable in the startup script.
63
64       KRB5_CONFIG=/etc/krb5-squid.conf export KRB5_CONFIG
65
66       Kerberos  can keep a replay cache to detect the reuse of Kerberos tick‐
67       ets (usually only possible in a 5 minute window) . If  squid  is  under
68       high  load  with  Negotiate(Kerberos) proxy authentication requests the
69       replay cache checks can create high CPU load. If the  environment  does
70       not  require  high  security the replay cache check can be disabled for
71       MIT based Kerberos implementations by adding the below to  the  startup
72       script or use the -t none option.
73
74       KRB5RCACHETYPE=none export KRB5RCACHETYPE
75
76       If  negotiate_kerberos_auth doesn't determine for some reason the right
77       service principal you can provide it with -s HTTP/fqdn.
78
79       If you serve multiple Kerberos realms  add  a  HTTP/fqdn@REALM  service
80       principal   per   realm   to  the  HTTP.keytab  file  and  use  the  -s
81       GSS_C_NO_NAME option with negotiate_kerberos_auth.
82
83

AUTHOR

85       This  program  was  written  by  Markus  Moeller   <markus_moeller@com‐
86       puserve.com>
87
88       This   manual   was  written  by  Markus  Moeller  <markus_moeller@com‐
89       puserve.com>
90

COPYRIGHT

92        * Copyright (C) 1996-2014 The Squid Software Foundation and  contribu‐
93       tors
94        *
95        * Squid software is distributed under GPLv2+ license and includes
96        * contributions from numerous individuals and organizations.
97        * Please see the COPYING and CONTRIBUTORS files for details.
98
99       This program and documentation is copyright to the authors named above.
100
101       Distributed under the GNU General Public License (GNU GPL) version 2 or
102       later (GPLv2+).
103

QUESTIONS

105       Questions on the usage of this program can be sent to the  Squid  Users
106       mailing list <squid-users@lists.squid-cache.org>
107

REPORTING BUGS

109       Bug     reports     need     to    be    made    in    English.     See
110       http://wiki.squid-cache.org/SquidFaq/BugReporting for details  of  what
111       you need to include with your bug report.
112
113       Report bugs or bug fixes using http://bugs.squid-cache.org/
114
115       Report      serious      security      bugs      to      Squid     Bugs
116       <squid-bugs@lists.squid-cache.org>
117
118       Report ideas for new improvements to the Squid Developers mailing  list
119       <squid-dev@lists.squid-cache.org>
120

SEE ALSO

122       squid(8) ext_kerberos_ldap_group_acl(8)
123       RFC4559  - SPNEGO-based Kerberos and NTLM HTTP Authentication in Micro‐
124       soft Windows,
125       RFC2478 - The Simple and Protected GSS-API Negotiation Mechanism,
126       RFC1964 - The Kerberos Version 5 GSS-API Mechanism,
127       The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
128       The Squid Configuration  Manual  http://www.squid-cache.org/Doc/config/
129       http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
130
131
132
133                                                    negotiate_kerberos_auth(8)