source: squid-ssl/trunk/fuentes/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.8 @ 5495

Last change on this file since 5495 was 5495, checked in by Juanma, 2 years ago

Initial release

.if !'po4a'hide' .TH negotiate_kerberos_auth 8
.
.SH NAME
negotiate_kerberos_auth \- Squid Kerberos based authentication helper
.PP
Version 3.0.4sq
.
.SH SYNOPSIS
.if !'po4a'hide' .B negotiate_kerberos_auth
.if !'po4a'hide' .B [\-h] [\-d] [\-i] [\-r] [\-s Service\-Principal\-Name] [\-k Keytab\-Name] [\-c Replay\-Cache\-Directory] [\-t Replay\-Cache\-Type]
.
.SH DESCRIPTION
.B negotiate_kerberos_auth
is an installed binary that allows Squid to authenticate users via the Negotiate
(SPNEGO) protocol and Kerberos.

.SH OPTIONS
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-h
Display the binary help and command line syntax info on stderr.
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-d
Write debug messages to stderr.
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-i
Write informational messages to stderr.
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-r
Remove the realm from the username before returning the username to Squid.
When several realms are served, stripping the realm makes users with the same
short name in different realms indistinguishable to Squid ACLs.
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-s Service\-Principal\-Name
Provide the Service Principal Name (for example HTTP/fqdn, or GSS_C_NO_NAME to
accept any HTTP/fqdn@REALM key present in the keytab).
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-k Keytab\-Name
Provide the Kerberos keytab name (Default: /etc/krb5.keytab)
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-c Replay\-Cache\-Directory
Provide the replay cache directory (Default: /var/tmp)
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-t Replay\-Cache\-Type
Provide the replay cache type (Default: dfl; none disables the replay check)
.
.SH CONFIGURATION
.PP
This helper is intended to be used as an
.B authentication
helper in
.B squid.conf.
.if !'po4a'hide' .P
.if !'po4a'hide' .ft CR
.if !'po4a'hide' .nf
.if !'po4a'hide' auth_param negotiate program /path/to/negotiate_kerberos_auth
.if !'po4a'hide' .br
.if !'po4a'hide' auth_param negotiate children 10
.if !'po4a'hide' .br
.if !'po4a'hide' auth_param negotiate keep_alive on
.if !'po4a'hide' .fi
.if !'po4a'hide' .ft
.PP
.B NOTE:
The following squid startup file modification may be required:

Add the following lines to the squid startup script to point squid to a keytab file which
contains the HTTP/fqdn service principal for the default Kerberos realm. The keytab name can
also be provided by the \-k <keytab name> option. The fqdn must be the proxy name configured
in the browser (for example Internet Explorer or Firefox), because the client builds the
HTTP/fqdn service principal from that name. You can not use an IP address.

KRB5_KTNAME=/etc/squid/HTTP.keytab
export KRB5_KTNAME

If you use a different Kerberos realm than the one the machine itself is in, you can point
squid to a separate Kerberos config file by setting the following environment variable in the
startup script.

KRB5_CONFIG=/etc/krb5\-squid.conf
export KRB5_CONFIG

Kerberos can keep a replay cache to detect the reuse of Kerberos tickets (usually only possible
in a 5 minute window). If squid is under high load with Negotiate(Kerberos) proxy authentication
requests the replay cache checks can create high CPU load. If the environment does not require
high security the replay cache check can be disabled for MIT based Kerberos implementations by
adding the below to the startup script or by using the \-t none option. Without the replay cache
a captured Negotiate token can be presented to the proxy again within that window, so do not
disable it where clients reach the proxy over an untrusted network.

KRB5RCACHETYPE=none
export KRB5RCACHETYPE

If negotiate_kerberos_auth does not determine the right service principal for some reason,
you can provide it with \-s HTTP/fqdn.

If you serve multiple Kerberos realms add a HTTP/fqdn@REALM service principal per realm to the
HTTP.keytab file and use the \-s GSS_C_NO_NAME option with negotiate_kerberos_auth.

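The following preflight script is an added example and is not part of Squid or of the negotiate_kerberos_auth helper. It ties the OPTIONS above (\-s, \-k) to the startup-script notes: it checks that the keytab holds an HTTP/fqdn principal, that the proxy name is not an IP literal, and picks \-s HTTP/fqdn or \-s GSS_C_NO_NAME from the number of realms found. The host name proxy.example.com, the realms EXAMPLE.COM and CORP.EXAMPLE.COM, and the embedded klist output are all constructed for the example; /path/to/negotiate_kerberos_auth is the same placeholder the configuration section uses.

```sh
#!/bin/sh
# Added example (not Squid or helper code): preflight checks before enabling
# negotiate_kerberos_auth. Host names, realms and the klist sample below are
# hypothetical; on a real proxy replace SAMPLE_KLIST with:
#   KLIST_OUT=$(klist -kt "${KRB5_KTNAME:-/etc/krb5.keytab}")

# Constructed sample of `klist -kt /etc/squid/HTTP.keytab` output, embedded so
# the script runs offline.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/01/2024 10:00:00 HTTP/proxy.example.com@EXAMPLE.COM
   3 01/01/2024 10:00:00 HTTP/proxy.example.com@EXAMPLE.COM
   2 01/01/2024 10:00:00 HTTP/proxy.example.com@CORP.EXAMPLE.COM
   1 01/01/2024 10:00:00 host/proxy.example.com@EXAMPLE.COM'

# keytab_has_principal KLIST_OUTPUT FQDN [REALM]
# Returns 0 if HTTP/FQDN@REALM is listed (any realm when REALM is empty).
# The first three lines of klist output are headers and are skipped; the
# principal is the fourth column (KVNO, date, time, principal).
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="HTTP/$2" -v realm="$3" '
        NR > 3 {
            split($4, p, "@")
            if (p[1] == want && (realm == "" || p[2] == realm)) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# http_realm_count KLIST_OUTPUT FQDN
# Prints the number of distinct realms that hold an HTTP/FQDN key.
http_realm_count() {
    printf '%s\n' "$1" | awk -v want="HTTP/$2" '
        NR > 3 { split($4, p, "@"); if (p[1] == want) seen[p[2]] = 1 }
        END { n = 0; for (r in seen) n++; print n }'
}

# is_ipv4_literal NAME
# Returns 0 for a dotted-quad IPv4 address. The browser derives the SPN from
# the configured proxy name, so an IP here means no service ticket exists.
is_ipv4_literal() {
    case "$1" in
        *[!0-9.]*) return 1 ;;   # anything other than digits and dots
        *.*.*.*)   return 0 ;;
        *)         return 1 ;;
    esac
}

# helper_spn_arg REALM_COUNT FQDN
# Prints the value for -s: a fixed SPN for a single realm, GSS_C_NO_NAME when
# the keytab carries HTTP/FQDN keys for several realms.
helper_spn_arg() {
    if [ "$1" -gt 1 ]; then
        printf 'GSS_C_NO_NAME'
    else
        printf 'HTTP/%s' "$2"
    fi
}

# preflight FQDN KLIST_OUTPUT
# Runs the checks; on success prints the auth_param line and the startup
# exports, on the first failure writes the reason to stderr and returns 1.
preflight() {
    fqdn=$1
    klist_out=$2
    if is_ipv4_literal "$fqdn"; then
        echo "proxy name must be a host name, not an IP address: $fqdn" >&2
        return 1
    fi
    if ! keytab_has_principal "$klist_out" "$fqdn"; then
        echo "keytab has no HTTP/$fqdn entry" >&2
        return 1
    fi
    realms=$(http_realm_count "$klist_out" "$fqdn")
    spn=$(helper_spn_arg "$realms" "$fqdn")
    cat <<EOF
auth_param negotiate program /path/to/negotiate_kerberos_auth -s $spn
# add to the squid startup script (replay cache left at its default, dfl):
KRB5_KTNAME=/etc/squid/HTTP.keytab; export KRB5_KTNAME
EOF
    return 0
}

# Run against the constructed sample: two realms, so -s GSS_C_NO_NAME.
preflight proxy.example.com "$SAMPLE_KLIST"
```

The realm count is what decides between the two \-s forms described above: with a single realm a fixed HTTP/fqdn SPN is the tighter setting, with several the helper must be allowed to pick whichever HTTP/fqdn@REALM key matches the client's ticket.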
.
.SH AUTHOR
This program was written by
.if !'po4a'hide' .I Markus Moeller <markus_moeller@compuserve.com>
.PP
This manual was written by
.if !'po4a'hide' .I Markus Moeller <markus_moeller@compuserve.com>
.
.SH COPYRIGHT
.PP
Copyright (C) 1996\-2014 The Squid Software Foundation and contributors
.PP
Squid software is distributed under GPLv2+ license and includes
contributions from numerous individuals and organizations.
Please see the COPYING and CONTRIBUTORS files for details.
.PP
This program and documentation is copyright to the authors named above.
.PP
Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+).
.
.SH QUESTIONS
Questions on the usage of this program can be sent to the
.I Squid Users mailing list
.if !'po4a'hide' <squid\-users@squid\-cache.org>
.
.SH REPORTING BUGS
Bug reports need to be made in English.
See http://wiki.squid\-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
.PP
Report bugs or bug fixes using http://bugs.squid\-cache.org/
.PP
Report serious security bugs to
.I Squid Bugs <squid\-bugs@squid\-cache.org>
.PP
Report ideas for new improvements to the
.I Squid Developers mailing list
.if !'po4a'hide' <squid\-dev@squid\-cache.org>
.
.SH SEE ALSO
.if !'po4a'hide' .BR squid "(8) "
.if !'po4a'hide' .BR ext_kerberos_ldap_group_acl "(8) "
.br
.BR RFC4559 " \- SPNEGO\-based Kerberos and NTLM HTTP Authentication in Microsoft Windows,"
.br
.BR RFC2478 " \- The Simple and Protected GSS\-API Negotiation Mechanism,"
.br
.BR RFC1964 " \- The Kerberos Version 5 GSS\-API Mechanism,"
.br
The Squid FAQ wiki
.if !'po4a'hide' http://wiki.squid\-cache.org/SquidFaq
.br
The Squid Configuration Manual
.if !'po4a'hide' http://www.squid\-cache.org/Doc/config/
.if !'po4a'hide' http://wiki.squid\-cache.org/ConfigExamples/Authenticate/Kerberos