negotiate_kerberos_auth(8)  System Manager's Manual negotiate_kerberos_auth(8)

NAME
       negotiate_kerberos_auth - Squid Kerberos based authentication helper

       Version 3.0.4sq

SYNOPSIS
       negotiate_kerberos_auth [-h] [-d] [-i] [-r] [-s Service-Principal-Name]
       [-k Keytab-Name] [-c Replay-Cache-Directory] [-t Replay-Cache-Type]

DESCRIPTION
       negotiate_kerberos_auth is an installed binary and allows Squid to
       authenticate users via the Negotiate protocol and Kerberos.

OPTIONS
       -h      Display the binary help and command line syntax info using
               stderr.

       -d      Write debug messages to stderr.

       -i      Write informational messages to stderr.

       -r      Remove realm from username before returning the username to
               squid.

       -s Service-Principal-Name
               Provide Service Principal Name.

       -k Keytab-Name
               Provide Kerberos Keytab Name (Default: /etc/krb5.keytab)

       -c Replay-Cache-Directory
               Provide Replay Cache Directory (Default: /var/tmp)

       -t Replay-Cache-Type
               Provide Replay Cache Type (Default: dfl)

CONFIGURATION
       This helper is intended to be used as an authentication helper in
       squid.conf.

       auth_param negotiate program /path/to/negotiate_kerberos_auth
       auth_param negotiate children 10
       auth_param negotiate keep_alive on

       NOTE: The following squid startup file modification may be required:

       Add the following lines to the squid startup script to point squid to a
       keytab file which contains the HTTP/fqdn service principal for the
       default Kerberos domain. The keytab name can also be provided by the -k
       <keytab name> option. The fqdn must be the proxy name set in IE or
       Firefox. You cannot use an IP address.

       KRB5_KTNAME=/etc/squid/HTTP.keytab
       export KRB5_KTNAME

       If you use a different Kerberos domain than the one the machine itself
       is in, you can point squid to a separate Kerberos config file by setting
       the following environment variable in the startup script.

       KRB5_CONFIG=/etc/krb5-squid.conf
       export KRB5_CONFIG

       Kerberos can keep a replay cache to detect the reuse of Kerberos
       tickets (usually only possible in a 5 minute window). If squid is under
       high load with Negotiate(Kerberos) proxy authentication requests, the
       replay cache checks can create high CPU load. If the environment does
       not require high security, the replay cache check can be disabled for
       MIT based Kerberos implementations by adding the below to the startup
       script or by using the -t none option.

       KRB5RCACHETYPE=none
       export KRB5RCACHETYPE

       If negotiate_kerberos_auth for some reason does not determine the right
       service principal, you can provide it with -s HTTP/fqdn.

       If you serve multiple Kerberos realms, add an HTTP/fqdn@REALM service
       principal per realm to the HTTP.keytab file and use the -s
       GSS_C_NO_NAME option with negotiate_kerberos_auth.
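       The CONFIGURATION notes above amount to three checks an operator should
       make before starting squid: the proxy name used by the browser must be
       an FQDN rather than an IP address, the keytab must hold an HTTP/fqdn
       service principal for every realm served, and turning the replay cache
       off (KRB5RCACHETYPE=none or -t none) lowers the security posture. The
       POSIX shell pre-flight script below is an added example and is not part
       of Squid or of this manual page. It assumes a keytab listing in the
       two-column layout printed by MIT "klist -k" (KVNO, Principal); the
       listing embedded in the script is constructed, and the script does not
       call klist itself, so it runs offline.

```shell
#!/bin/sh
# Pre-flight checks for a negotiate_kerberos_auth deployment.
# Added example; not part of Squid or of this manual page. The keytab
# listing format assumed below is the two-column output of MIT "klist -k"
# (KVNO, Principal); the sample listing is constructed for this demo.

# Succeed (exit 0) if $1 is an IPv4 or IPv6 literal. The manual requires
# the proxy name used in the browser to be an FQDN, never an IP address.
is_ip_literal() {
    case "$1" in
        *:*) return 0 ;;                  # a colon only occurs in IPv6 literals
    esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'   # dotted quad
}

# Print the HTTP service principal the helper will look for, given the proxy
# FQDN and, optionally, the realm. Fails if the name is an IP literal.
# Usage: spn_for_fqdn proxy.example.com [EXAMPLE.COM]
spn_for_fqdn() {
    if is_ip_literal "$1"; then
        echo "error: '$1' is an IP literal; use the proxy FQDN" >&2
        return 1
    fi
    if [ -n "$2" ]; then
        printf 'HTTP/%s@%s\n' "$1" "$2"
    else
        printf 'HTTP/%s\n' "$1"
    fi
}

# Read a klist -k style listing on stdin and succeed if principal $1 is
# present. The principal is the last whitespace-separated field of each
# entry line; the header lines never equal an HTTP/... name.
keytab_has_principal() {
    awk -v want="$1" '
        $NF == want { found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# Report whether replay detection is active, given the KRB5RCACHETYPE
# environment value ($1) and the helper's -t argument ($2). Either being
# "none" turns the replay cache off, which trades security for CPU.
rcache_posture() {
    if [ "$1" = none ] || [ "$2" = none ]; then
        echo disabled
    else
        echo enabled
    fi
}

# Constructed sample in MIT klist -k layout: one HTTP/fqdn principal per
# realm, as the manual recommends for a multi-realm setup.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/proxy.example.com@EXAMPLE.COM
   3 HTTP/proxy.example.com@CORP.EXAMPLE.NET'

# Demo run over the constructed listing: check each realm's principal and
# report the replay-cache posture a startup script with KRB5RCACHETYPE=none
# would produce.
for realm in EXAMPLE.COM CORP.EXAMPLE.NET; do
    spn=$(spn_for_fqdn proxy.example.com "$realm")
    if printf '%s\n' "$SAMPLE_KEYTAB_LISTING" | keytab_has_principal "$spn"; then
        echo "ok:      $spn found in keytab"
    else
        echo "missing: $spn"
    fi
done
echo "replay cache: $(rcache_posture none '')"
```

       To run it against a real deployment, replace the constructed listing
       with the output of klist -k on the keytab named by -k or KRB5_KTNAME,
       and pass the actual KRB5RCACHETYPE value and -t argument to
       rcache_posture; a "disabled" result is the condition the manual
       describes as acceptable only where high security is not required.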

AUTHOR
       This program was written by Markus Moeller
       _markus_moeller@compuserve.com_

       This manual was written by Markus Moeller
       _markus_moeller@compuserve.com_

COPYRIGHT
       * Copyright (C) 1996-2014 The Squid Software Foundation and
         contributors
       *
       * Squid software is distributed under GPLv2+ license and includes
       * contributions from numerous individuals and organizations.
       * Please see the COPYING and CONTRIBUTORS files for details.

       This program and documentation are copyright to the authors named above.

       Distributed under the GNU General Public License (GNU GPL) version 2 or
       later (GPLv2+).

QUESTIONS
       Questions on the usage of this program can be sent to the Squid Users
       mailing list <squid-users@squid-cache.org>

REPORTING BUGS
       Bug reports need to be made in English. See
       http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what
       you need to include with your bug report.

       Report bugs or bug fixes using http://bugs.squid-cache.org/

       Report serious security bugs to Squid Bugs _squid-bugs@squid-cache.org_

       Report ideas for new improvements to the Squid Developers mailing list
       <squid-dev@squid-cache.org>

SEE ALSO
       squid(8) ext_kerberos_ldap_group_acl(8)
       RFC4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication in
       Microsoft Windows,
       RFC2478 - The Simple and Protected GSS-API Negotiation Mechanism,
       RFC1964 - The Kerberos Version 5 GSS-API Mechanism,
       The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
       The Squid Configuration Manual http://www.squid-cache.org/Doc/config/
       http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
