Squid GSSAPI Negotiate Authentication Helper

Authors:
+ Moritz Bechler (mbechler@eenterphace.org)

License:
+ GNU GPL
+ New BSD License for the base64 implementation (from modp.com)

Licensing details:
The licensing part is not optimal at the moment. I had to use another base64 implementation because of problems concerning squid's implementation, which is unfortunately licensed under the BSD License, which is incompatible with the GPL.

Description:
This helper enables the use of Negotiate/SPNEGO single sign-on without the need for Windows-based servers doing the authentication. It is limited in that it does not support NTLM, only Kerberos authentication.

Usage:
+ Determine the fully-qualified name of your proxy server (a reverse lookup must return this name).
+ Add a service principal to your Kerberos realm which is named HTTP/, and export it to a keytab readable by your squid user.
+ Add the following to your squid.conf:

  auth_param negotiate program /usr/local/bin/auth_negotiate_gss_helper /etc/squid/squid.keytab HTTP@

  where /etc/squid/squid.keytab is the keytab file you exported above and is replaced with your real server name. (Please note that the principal is given in GSS format, using @ instead of /.) You may add "-d" to the command line to get debugging output.
+ Optional: adjust the number of started helpers.
+ Configure your browser to allow Negotiate authentication for proxies.
+ If everything is configured correctly, you should be able to browse without having to type your password.

Ideas/Todo:
+ At the moment the complete authenticated principal (including realm) is returned. Maybe we should allow stripping of the local realm, as this might cause trouble with other helpers (e.g. group lookup from LDAP).

Pitfalls:
+ Microsoft's Internet Explorer falls back to NTLM authentication when SPNEGO fails (even though you might be sending the Basic method as fallback); this behaviour totally sucks. You really should not use Internet Explorer with this authentication method.
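Added example (not part of this helper's distribution): the Usage steps above as shell functions for an MIT Kerberos KDC. The proxy name proxy.example.com, the realm EXAMPLE.COM, the keytab path, the helper path and the squid user name are hypothetical values chosen for the example; the squid.conf directives and the kadmin/klist/kinit commands are the standard ones.

```shell
#!/bin/sh
# Added example, not the helper's own code. Assumed (hypothetical) values:
#   proxy FQDN  proxy.example.com      realm   EXAMPLE.COM
#   keytab      /etc/squid/squid.keytab  squid runs as user "squid"
#   helper      /usr/local/bin/auth_negotiate_gss_helper

# Step 1: the name you use must be the one a reverse lookup returns, or the
# browser will request a ticket for a different HTTP/<name> principal than
# the one in the keytab and the helper will reject every token.
check_proxy_name() {
    fqdn=$1
    ip=$(getent hosts "$fqdn" | awk '{print $1; exit}')
    [ -n "$ip" ] || { echo "no address record for $fqdn" >&2; return 1; }
    rev=$(getent hosts "$ip" | awk '{print $2; exit}')
    [ "$rev" = "$fqdn" ] || {
        echo "reverse lookup of $ip gives '$rev', not $fqdn" >&2; return 1; }
}

# Step 2 (run on the KDC as root): create HTTP/<fqdn> with a random key and
# export it to a keytab only the squid user can read.  Note that every
# "ktadd" bumps the key version, invalidating keytabs exported earlier.
create_service_keytab() {
    fqdn=$1; keytab=$2; owner=$3
    kadmin.local -q "addprinc -randkey HTTP/$fqdn"
    kadmin.local -q "ktadd -k $keytab HTTP/$fqdn"
    chown "$owner" "$keytab" && chmod 0400 "$keytab"
    klist -kt "$keytab"
    # Prove the keytab works before involving squid, using a throwaway cache.
    KRB5CCNAME=FILE:/tmp/squid-keytab-test.cc kinit -kt "$keytab" "HTTP/$fqdn" \
        && kdestroy -c FILE:/tmp/squid-keytab-test.cc
}

# Step 3: the squid.conf fragment.  The helper takes the principal in GSS
# host-based form (HTTP@<fqdn>), not the Kerberos form (HTTP/<fqdn>).
# "children" is the number of helpers the README suggests adjusting.
render_squid_negotiate_conf() {
    fqdn=$1; keytab=$2
    helper=${3:-/usr/local/bin/auth_negotiate_gss_helper}
    children=${4:-10}
    printf '%s\n' \
        "auth_param negotiate program $helper $keytab HTTP@$fqdn" \
        "auth_param negotiate children $children" \
        "acl kerberos_users proxy_auth REQUIRED" \
        "http_access allow kerberos_users" \
        "http_access deny all"
}

# Usage (on the KDC, then paste the output of the last call into squid.conf):
#   check_proxy_name proxy.example.com
#   create_service_keytab proxy.example.com /etc/squid/squid.keytab squid
#   render_squid_negotiate_conf proxy.example.com /etc/squid/squid.keytab
```

Append "-d" to the program line only while debugging; the helper's debug output goes to squid's cache.log and includes the names of every principal that authenticates.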
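Added example for the realm-stripping idea in Ideas/Todo (not the helper's code; the helper itself still returns the full principal). It is a post-processing filter for the helper's replies to squid, which follow squid's negotiate helper protocol where an authenticated reply is "AF <token> <user>". The security point it shows: strip only the exact local realm, because blindly cutting everything after "@" would let admin@EVIL.EXAMPLE reach a realm-unaware group-lookup helper as plain "admin". The realm EXAMPLE.COM and the sample reply lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the helper. Assumes squid's negotiate helper
# reply format "AF <token> <user>"; the realm EXAMPLE.COM is hypothetical.

# Return the principal without its realm, but only if the realm is exactly
# the local one.  Kerberos realm names are case-sensitive, so
# alice@example.com is not the local alice either.  Foreign-realm
# principals keep their realm so they cannot collide with local names.
strip_local_realm() {
    principal=$1; realm=$2
    case $principal in
        *@"$realm") stripped=${principal%@"$realm"} ;;
        *)          stripped=$principal ;;
    esac
    # Never hand squid an empty user name (e.g. for a bare "@REALM").
    [ -n "$stripped" ] || stripped=$principal
    printf '%s\n' "$stripped"
}

# Filter the helper's stdout line by line.  Only AF replies carry a user
# name; TT (continue), NA (failed) and BH (broken) lines pass through.
filter_helper_output() {
    realm=$1
    while IFS= read -r line; do
        case $line in
            "AF "*)
                rest=${line#"AF "}
                case $rest in
                    *" "*) ;;
                    *) printf '%s\n' "$line"; continue ;;   # no user field
                esac
                token=${rest%% *}
                user=${rest#* }
                printf 'AF %s %s\n' "$token" "$(strip_local_realm "$user" "$realm")"
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Usage as a wrapper around the real helper (squid talks to this script):
#   exec /usr/local/bin/auth_negotiate_gss_helper "$@" | filter_helper_output EXAMPLE.COM
```

If you wrap the helper this way, remember that the helper's stdout is now a pipe rather than squid's socket; the helper must still flush every reply line immediately, or squid will see nothing until the buffer fills.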