negotiate_kerberos_auth(8)  System Manager's Manual negotiate_kerberos_auth(8)

NAME
       negotiate_kerberos_auth - Squid Kerberos-based authentication helper

       Version 3.0.4sq

SYNOPSIS
       negotiate_kerberos_auth [-h] [-d] [-i] [-r] [-s Service-Principal-Name]
       [-k Keytab-Name] [-c Replay-Cache-Directory] [-t Replay-Cache-Type]

DESCRIPTION
       negotiate_kerberos_auth is an installed binary and allows Squid to
       authenticate users via the Negotiate protocol and Kerberos.

OPTIONS
       -h         Display the binary help and command line syntax info using
                  stderr.

       -d         Write debug messages to stderr.

       -i         Write informational messages to stderr.

       -r         Remove realm from username before returning the username to
                  squid.

       -s Service-Principal-Name
                  Provide Service Principal Name.

       -k Keytab-Name
                  Provide Kerberos Keytab Name (Default: /etc/krb5.keytab)

       -c Replay-Cache-Directory
                  Provide Replay Cache Directory (Default: /var/tmp)

       -t Replay-Cache-Type
                  Provide Replay Cache Type (Default: dfl)

CONFIGURATION
       This helper is intended to be used as an authentication helper in
       squid.conf.

       auth_param negotiate program /path/to/negotiate_kerberos_auth
       auth_param negotiate children 10
       auth_param negotiate keep_alive on

       NOTE: The following squid startup file modification may be required:

       Add the following lines to the squid startup script to point squid to a
       keytab file which contains the HTTP/fqdn service principal for the
       default Kerberos domain. The keytab name can also be provided by the -k
       <keytab name> option. The fqdn must be the proxy name set in IE or
       Firefox. You cannot use an IP address.

       KRB5_KTNAME=/etc/squid/HTTP.keytab; export KRB5_KTNAME

       If you use a different Kerberos domain than the one the machine itself
       is in, you can point squid to a separate Kerberos config file by setting
       the following environment variable in the startup script.

       KRB5_CONFIG=/etc/krb5-squid.conf; export KRB5_CONFIG

       Kerberos can keep a replay cache to detect the reuse of Kerberos
       tickets (usually only possible in a 5 minute window). If squid is under
       high load with Negotiate (Kerberos) proxy authentication requests, the
       replay cache checks can create high CPU load. If the environment does
       not require high security, the replay cache check can be disabled for
       MIT based Kerberos implementations by adding the line below to the
       startup script, or by using the -t none option.

       KRB5RCACHETYPE=none; export KRB5RCACHETYPE

       If negotiate_kerberos_auth does not, for some reason, determine the
       right service principal, you can provide it with -s HTTP/fqdn.

       If you serve multiple Kerberos realms, add an HTTP/fqdn@REALM service
       principal per realm to the HTTP.keytab file and use the -s
       GSS_C_NO_NAME option with negotiate_kerberos_auth.
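
       The following is an added example, not code from Squid or from this
       manual page: a POSIX sh function that audits the "auth_param negotiate
       program" line of a squid.conf against the requirements above (helper
       executable, keytab readable, HTTP/fqdn not an IP address) and flags a
       disabled replay cache. It assumes grep and head are available; the
       sample paths used in comments are constructed.

```shell
#!/bin/sh
# Added example, not part of Squid or this manual page: audit the
# "auth_param negotiate program ..." line of a squid.conf against the
# requirements stated above. Assumes POSIX sh, grep and head.
# Returns 0 when no error was found, 1 otherwise; warnings do not fail.
audit_negotiate_auth() {
    conf="$1"                     # e.g. /etc/squid/squid.conf (constructed)
    rc=0
    line=$(grep -E '^[[:space:]]*auth_param[[:space:]]+negotiate[[:space:]]+program[[:space:]]' "$conf" | head -n 1)
    [ -n "$line" ] || { echo "ERROR: no 'auth_param negotiate program' line in $conf"; return 1; }
    set -- $line                  # word-split: auth_param negotiate program <helper> [opts]
    [ $# -ge 4 ] || { echo "ERROR: helper path missing in: $line"; return 1; }
    helper="$4"
    shift 4
    [ -x "$helper" ] || { echo "ERROR: helper $helper is not executable"; rc=1; }
    # Keytab: -k wins, then KRB5_KTNAME from the startup script, then the documented default.
    keytab="${KRB5_KTNAME:-/etc/krb5.keytab}"
    rcache="${KRB5RCACHETYPE:-}"
    spn=""
    while [ $# -gt 1 ]; do        # scan flag/value pairs; -d -i -r take no value
        case "$1" in
            -k) keytab="$2" ;;
            -t) rcache="$2" ;;
            -s) spn="$2" ;;
        esac
        shift
    done
    [ -r "$keytab" ] || { echo "ERROR: keytab $keytab is not readable"; rc=1; }
    # The fqdn in HTTP/fqdn must be the proxy host name; an IP address will not work.
    case "$spn" in
        HTTP/[0-9]*.[0-9]*.[0-9]*.[0-9]*) echo "ERROR: SPN $spn uses an IP address, not a fqdn"; rc=1 ;;
    esac
    # Disabling the replay cache removes ticket-reuse detection; flag it for review.
    [ "$rcache" != none ] || echo "WARN: Kerberos replay cache disabled (-t none / KRB5RCACHETYPE=none)"
    return $rc
}
```

       Run it from the same environment as the squid startup script so that
       KRB5_KTNAME and KRB5RCACHETYPE are visible to the check.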

AUTHOR
       This program was written by Markus Moeller
       <markus_moeller@compuserve.com>

       This manual was written by Markus Moeller
       <markus_moeller@compuserve.com>

COPYRIGHT
       * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
       *
       * Squid software is distributed under GPLv2+ license and includes
       * contributions from numerous individuals and organizations.
       * Please see the COPYING and CONTRIBUTORS files for details.

       This program and documentation are copyright to the authors named above.

       Distributed under the GNU General Public License (GNU GPL) version 2 or
       later (GPLv2+).

QUESTIONS
       Questions on the usage of this program can be sent to the Squid Users
       mailing list <squid-users@lists.squid-cache.org>

REPORTING BUGS
       Bug reports need to be made in English. See
       https://wiki.squid-cache.org/SquidFaq/BugReporting for details of what
       you need to include with your bug report.

       Report bugs or bug fixes using http://bugs.squid-cache.org/

       Report serious security bugs to Squid Bugs
       <squid-bugs@lists.squid-cache.org>

       Report ideas for new improvements to the Squid Developers mailing list
       <squid-dev@lists.squid-cache.org>

SEE ALSO
       squid(8) ext_kerberos_ldap_group_acl(8)
       RFC4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication in
       Microsoft Windows,
       RFC2478 - The Simple and Protected GSS-API Negotiation Mechanism,
       RFC1964 - The Kerberos Version 5 GSS-API Mechanism,
       The Squid FAQ wiki https://wiki.squid-cache.org/SquidFaq
       The Squid Configuration Manual http://www.squid-cache.org/Doc/config/
       https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
