negotiate_kerberos_auth(8)    System Manager's Manual    negotiate_kerberos_auth(8)

NAME
       negotiate_kerberos_auth - Squid kerberos based authentication helper

       Version 3.0.4sq

SYNOPSIS
       negotiate_kerberos_auth [-h] [-d] [-i] [-r] [-s Service-Principal-Name]
       [-k Keytab-Name] [-c Replay-Cache-Directory] [-t Replay-Cache-Type]

DESCRIPTION
       negotiate_kerberos_auth is an installed binary and allows Squid to
       authenticate users via the Negotiate protocol and Kerberos.

OPTIONS
       -h     Display the binary help and command line syntax info using
              stderr.

       -d     Write debug messages to stderr.

       -i     Write informational messages to stderr.

       -r     Remove realm from username before returning the username to
              squid.

       -s Service-Principal-Name
              Provide Service Principal Name.

       -k Keytab-Name
              Provide Kerberos Keytab Name (Default: /etc/krb5.keytab)

       -c Replay-Cache-Directory
              Provide Replay Cache Directory (Default: /var/tmp)

       -t Replay-Cache-Type
              Provide Replay Cache Type (Default: dfl)

CONFIGURATION
       This helper is intended to be used as an authentication helper in
       squid.conf.

              auth_param negotiate program /path/to/negotiate_kerberos_auth
              auth_param negotiate children 10
              auth_param negotiate keep_alive on

       NOTE: The following squid startup file modification may be required:

       Add the following lines to the squid startup script to point squid to
       a keytab file which contains the HTTP/fqdn service principal for the
       default Kerberos domain. The keytab name can also be provided by the
       -k <keytab name> option. The fqdn must be the proxy name set in IE or
       Firefox. You cannot use an IP address.

              KRB5_KTNAME=/etc/squid/HTTP.keytab
              export KRB5_KTNAME

       If you use a different Kerberos domain than the machine itself is in,
       you can point squid to a separate Kerberos config file by setting the
       following environment variable in the startup script.

              KRB5_CONFIG=/etc/krb5-squid.conf
              export KRB5_CONFIG

       Kerberos can keep a replay cache to detect the reuse of Kerberos
       tickets (usually only possible in a 5 minute window). If squid is
       under high load with Negotiate (Kerberos) proxy authentication
       requests, the replay cache checks can create high CPU load. If the
       environment does not require high security, the replay cache check
       can be disabled for MIT based Kerberos implementations by adding the
       below to the startup script or by using the -t none option.

              KRB5RCACHETYPE=none
              export KRB5RCACHETYPE

       If negotiate_kerberos_auth does not determine the right service
       principal for some reason, you can provide it with -s HTTP/fqdn.

       If you serve multiple Kerberos realms, add a HTTP/fqdn@REALM service
       principal per realm to the HTTP.keytab file and use the -s
       GSS_C_NO_NAME option with negotiate_kerberos_auth.

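       As an added example, not part of Squid or of this man page, the
       following startup wrapper applies the settings above: it exports
       KRB5_KTNAME and KRB5_CONFIG, refuses an IP literal as the proxy name,
       picks -s HTTP/fqdn or -s GSS_C_NO_NAME from the realms found in the
       keytab, and leaves the replay cache on unless explicitly told
       otherwise. The install path /usr/lib/squid/negotiate_kerberos_auth,
       the PROXY_FQDN and SQUID_KRB_DISABLE_RCACHE variables and the "start"
       argument are assumptions; the squid.conf program line then points at
       this wrapper with "start" appended.

```shell
#!/bin/sh
# Added example wrapper, not part of Squid. Assumed paths: /etc/squid/HTTP.keytab,
# /etc/krb5-squid.conf and /usr/lib/squid/negotiate_kerberos_auth. PROXY_FQDN is an
# assumed variable holding the proxy name configured in the browsers (a host name).

# True when the argument is a bare IPv4 literal, which the HTTP/fqdn lookup rejects.
is_ip_literal() {
    case "$1" in
        *[!0-9.]*) return 1 ;;   # anything but digits and dots: a host name
        *)         return 0 ;;
    esac
}

# Read a `klist -kt` listing on stdin and print the -s value to use:
# HTTP/<fqdn> present in one realm -> HTTP/<fqdn>; in several realms -> GSS_C_NO_NAME.
# Fails (status 1) when the keytab holds no HTTP/<fqdn> key at all.
choose_spn() {
    fqdn="$1"
    esc=$(printf '%s' "$fqdn" | sed 's/\./\\./g')   # dots would be regex wildcards
    realms=$(grep -o "HTTP/${esc}@[A-Za-z0-9.-]*" | sort -u | wc -l | tr -d ' ')
    case "$realms" in
        0) return 1 ;;
        1) echo "HTTP/${fqdn}" ;;
        *) echo "GSS_C_NO_NAME" ;;
    esac
}

# Only the "start" argument launches the helper, so the functions above can be
# exercised without touching the real keytab.
if [ "${1:-}" = "start" ]; then
    : "${PROXY_FQDN:?set PROXY_FQDN to the proxy name the browsers use}"
    KRB5_KTNAME=/etc/squid/HTTP.keytab; export KRB5_KTNAME
    KRB5_CONFIG=/etc/krb5-squid.conf;   export KRB5_CONFIG
    if is_ip_literal "$PROXY_FQDN"; then
        echo "PROXY_FQDN must be a host name, not an IP address" >&2
        exit 1
    fi
    spn=$(klist -kt "$KRB5_KTNAME" | choose_spn "$PROXY_FQDN") || {
        echo "no HTTP/$PROXY_FQDN key found in $KRB5_KTNAME" >&2
        exit 1
    }
    # Replay-cache check stays on (dfl) unless the operator explicitly opts out for load.
    rcache=dfl
    [ "${SQUID_KRB_DISABLE_RCACHE:-no}" = "yes" ] && rcache=none
    exec /usr/lib/squid/negotiate_kerberos_auth -s "$spn" -k "$KRB5_KTNAME" -t "$rcache"
fi
```
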
AUTHOR
       This program was written by Markus Moeller <markus_moeller@compuserve.com>

       This manual was written by Markus Moeller <markus_moeller@compuserve.com>

COPYRIGHT
       * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
       *
       * Squid software is distributed under GPLv2+ license and includes
       * contributions from numerous individuals and organizations.
       * Please see the COPYING and CONTRIBUTORS files for details.

       This program and documentation is copyright to the authors named above.

       Distributed under the GNU General Public License (GNU GPL) version 2 or
       later (GPLv2+).

QUESTIONS
       Questions on the usage of this program can be sent to the Squid Users
       mailing list <squid-users@lists.squid-cache.org>

REPORTING BUGS
       Bug reports need to be made in English. See
       https://wiki.squid-cache.org/SquidFaq/BugReporting for details of what
       you need to include with your bug report.

       Report bugs or bug fixes using http://bugs.squid-cache.org/

       Report serious security bugs to Squid Bugs
       <squid-bugs@lists.squid-cache.org>

       Report ideas for new improvements to the Squid Developers mailing list
       <squid-dev@lists.squid-cache.org>

SEE ALSO
       squid(8) ext_kerberos_ldap_group_acl(8)
       RFC4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication in
       Microsoft Windows,
       RFC2478 - The Simple and Protected GSS-API Negotiation Mechanism,
       RFC1964 - The Kerberos Version 5 GSS-API Mechanism,
       The Squid FAQ wiki https://wiki.squid-cache.org/SquidFaq
       The Squid Configuration Manual http://www.squid-cache.org/Doc/config/
       https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

                                                    negotiate_kerberos_auth(8)