-------------------------------------------------------------------------------- readme.txt is the squid_kerb_auth read-me file. Author: Markus Moeller (markus_moeller at compuserve.com) Copyright (C) 2007 Markus Moeller. All rights reserved. -------------------------------------------------------------------------------- squid_kerb_auth Read Me Markus Moeller May 12, 2007 1 Introduction squid_kerb_auth is a reference implementation that supports authentication via the Negotiate RFC 4559 for proxies. It decodes RFC 2478 SPNEGO GSS-API tokens from IE7 either through helper functions or via SPNEGO supporting Kerberos libraries and RFC 1964 Kerberos tokens from Firefox on Linux. Currently, squid_kerb_auth supports Squid 2.6 on Linux. squid_auth_kerb requires either MIT or Heimdal Kerberos libraries and header files. 2 Building and Installation Run ./configure for help use ./configure --help Copy the helper squid_kerb_auth to an apropriate directory. 3 Configuration a) Configure IE or Firefox to point to the squid proxy by using the fqdn. IE and Firefox will use the fqdn to query for a HTTP/fqdn Kerberos service principal. b) Create a keytab which contains the HTTP/fqdn Kerberos service principal and place it into a directory where the squid run user can read the keytab. c) Add the following line to squid.conf auth_param negotiate program /usr/sbin/squid_kerb_auth auth_param negotiate children 10 auth_param negotiate keep_alive on d) Modify squid startup file Add the following lines to the squid startup script to point squid to a keytab file which contains the HTTP/fqdn service principal for the default Kerberos domain. The fqdn must be the proxy name set in IE or firefox. You can not use an IP address. KRB5_KTNAME=/etc/squid/HTTP.keytab export KRB5_KTNAME If you use a different Kerberos domain than the machine itself is in you can point squid to the separate Kerberos config file by setting the following environment variable in the startup script. KRB5_CONFIG=/etc/krb-squid5.conf export KRB5_CONFIG 4 Miscellaneous If squid_kerb_auth doesn't determine for some reason the right service principal you can provide it with -s HTTP/fqdn. If you serve multiple Kerberos realms add a HTTP/fqdn@REALM service principal per realm to the HTTP.keytab file and use the -s GSS_C_NO_NAME option with squid_kerb_auth.