Transparent Squid Auth with SquidtrustIII
-
Answering a question posted in another thread.
https://forum.pfsense.org/index.php?topic=58700.90
This is certainly easier to set up and I am impressed with your solution. However, this model does not appear to have any protection from easily being spoofed by a rogue user, i.e. a user could claim to be someone they are not.
All depends on how it is configured and what information you are questioning the agent for.
If you setup the Auth helper to just query for standard "Windows Username", then it just queries the local Windows "USERNAME" variable.
This could probably be spoofed fairly easily. However, if you query the agent for the current Active Directory user, or current Netware user, the process is a bit more complicated, and thus becomes much more difficult for a user to spoof.
i.e. to get the basic Netware username I make a call to the calwin32.dll and netwin32.Dll, dll files that come with the Novell Client32. A bit of work would be required to spoof those. :-)
For AD Integration I use a small VBS script :
Option Explicit
' result must be declared too, otherwise Option Explicit raises "Variable is undefined" at the last line
Dim objNetwork, strDomain, strUser, objUser, objGroup, strGroupMemberships, result
' Get the domain and username from the WScript.Network object
Set objNetwork = CreateObject("WScript.Network")
strDomain = objNetwork.UserDomain
strUser = objNetwork.UserName
' Instantiate the user object from the data above (ADSI WinNT provider)
Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser)
' Run through the user's groups and put them in a comma-separated string
For Each objGroup In objUser.Groups
    strGroupMemberships = strGroupMemberships & objGroup.Name & ","
Next
'MsgBox strUser & " " & strGroupMemberships
result = strUser
'MsgBox strUser
As you can see from the above, I am pulling info from the Domain objUser. Again... a bit more difficult to spoof.
Could a user theoretically do it ?
Sure. If you're that concerned about security, add another layer of security (or two... or three)...
You could start auditing and/or log the machine IP and username at the initial time of login.
This would tie a user to a workstation at a specific time.
That way if they changed the username after a login, it could be traced. Or...
Start punishing those that try and circumvent your network security.
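The audit idea in the post above (record workstation IP and username at login, then compare against what the proxy later sees) can be turned into a simple detection check. The following is an added example, not code from this thread or from the Squidtrust agent: both log formats are constructed for the demo. The Squid lines follow the native access.log layout (time, elapsed, client IP, code/status, bytes, method, URL, rfc931 user, peer, type); the login audit format "epoch ip user" is an assumed format written by some login script.

```python
"""Correlate Squid access.log usernames with login-time audit records.

Added example (not from the thread or Squidtrust). Each proxy request is
checked against the user who most recently logged in on that client IP;
a different claimed username is reported for follow-up.
"""
from bisect import bisect_right
from collections import defaultdict
import time

# Constructed login audit records: "epoch ip user" (assumed format).
LOGIN_LOG = """\
1394438000 192.168.1.20 alice
1394438005 192.168.1.21 bob
1394441600 192.168.1.20 carol
"""

# Constructed Squid native access.log lines (username is field 8).
ACCESS_LOG = """\
1394438100.123     45 192.168.1.20 TCP_MISS/200 5120 GET http://example.com/ alice DIRECT/93.184.216.34 text/html
1394438200.456     12 192.168.1.21 TCP_MISS/200 2048 GET http://example.org/ bob DIRECT/93.184.216.34 text/html
1394439000.789     30 192.168.1.21 TCP_MISS/200 1024 GET http://example.net/ alice DIRECT/93.184.216.34 text/html
1394441700.001     20 192.168.1.20 TCP_MISS/200 4096 GET http://example.com/x carol DIRECT/93.184.216.34 text/html
1394441800.002     20 192.168.1.22 TCP_MISS/200 4096 GET http://example.com/y dave DIRECT/93.184.216.34 text/html
"""


def parse_logins(text):
    """Build {ip: ([timestamps], [users])}, sorted by time for bisect lookups."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user = line.split()
        sessions[ip].append((int(ts), user))
    index = {}
    for ip, events in sessions.items():
        events.sort()
        index[ip] = ([t for t, _ in events], [u for _, u in events])
    return index


def parse_access(text):
    """Yield (time, client_ip, rfc931_user, url) from native access.log lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue  # skip blank or truncated lines
        yield float(fields[0]), fields[2], fields[7], fields[6]


def expected_user(index, ip, ts):
    """User who most recently logged in on ip at or before ts, or None."""
    if ip not in index:
        return None
    times, users = index[ip]
    pos = bisect_right(times, ts)
    return users[pos - 1] if pos else None


def find_mismatches(login_text, access_text):
    """Return [(time, ip, claimed_user, expected_user)] for requests whose
    username does not match the login record for that workstation."""
    index = parse_logins(login_text)
    out = []
    for ts, ip, claimed, _url in parse_access(access_text):
        exp = expected_user(index, ip, ts)
        if claimed != exp:
            out.append((ts, ip, claimed, exp))
    return out


if __name__ == "__main__":
    for ts, ip, claimed, exp in find_mismatches(LOGIN_LOG, ACCESS_LOG):
        when = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ts))
        print(f"{when} {ip} claimed={claimed!r} logged-in={exp!r}")
```

With the constructed data this flags two requests: one from 192.168.1.21 claiming "alice" while "bob" was the logged-in user there, and one from 192.168.1.22, which has no login record at all. Because lookups use the most recent login at or before the request, a workstation that is legitimately handed over (alice, then carol on 192.168.1.20) is not reported.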
-
I totally understand the balance between security and over-cautiousness etc, just wanting to understand specifically what the vulnerabilities are so that the solution can be used in the correct circumstance. (for everything, a time and place) :-)
To that end, I don't see why it should matter where you are pulling the active directory or netware username from. The interaction with the server is simply to respond with a string containing the username. A spoof script just has to reply with the string containing another username and doesn't need to check any dll's etc..
-
Ha!
Too true... in my circumstances, I don't worry about users writing their own code... my mind doesn't go there. Change the username on the workstation? ...maybe. Write their own code to respond with a different username? ...naaaa... not gonna happen.
Much easier just to shoulder surf someone and get their credentials.
Coding would actually require a little ambition and work. The code is open source, you are free to modify the code in any way you see fit.
A few lines of code here and there and you could add hashes, keys (salts), and any other tricky stuff you can come up with, to make it as secure as you need it to be.
All depends on how much work you want to put into it.
-
It does something really similar to ident authentication squid helper with additional group info.
Good alternative for non security critical environments.
Thanks for sharing :)
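The earlier reply suggests adding "hashes, keys (salts)" to the agent protocol so the response is harder to fake, and the post above notes the helper is only suitable for non-security-critical environments as it stands. The following added example (not code from the thread or from Squidtrust) shows the shape of that hardening: the workstation agent signs its reply with a key shared with the helper, so a reply that simply states another username no longer verifies. The wire format "user|ts|nonce|mac", the per-workstation key table and the challenge nonce are assumptions for the demo; the final "OK user=..." / "ERR" line follows Squid's external_acl_type reply convention.

```python
"""Keyed (HMAC) agent reply for a Squid external ACL helper.

Added example, not Squidtrust code. The helper sends the agent a random
nonce; the agent answers "user|ts|nonce|mac" where mac is
HMAC-SHA256(key, "user|ts|nonce"). The helper checks the nonce, the
timestamp window and the MAC before trusting the username.
"""
import hashlib
import hmac
import secrets
import time

# Constructed demo: one pre-shared key per workstation IP. In a real
# deployment the key is provisioned by the administrator out of band and
# is not readable by the interactive user.
AGENT_KEYS = {"192.168.1.20": b"constructed-demo-key-do-not-reuse"}
MAX_SKEW = 60  # seconds of clock skew / replay window tolerated


def agent_reply(key, username, nonce, now=None):
    """Reply the workstation agent returns for a helper challenge."""
    ts = str(int(now if now is not None else time.time()))
    msg = f"{username}|{ts}|{nonce}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{username}|{ts}|{nonce}|{mac}"


def verify_reply(ip, reply, nonce, now=None):
    """Return the authenticated username, or None if the reply is rejected."""
    key = AGENT_KEYS.get(ip)
    if key is None:
        return None  # unknown workstation: nothing to verify against
    try:
        username, ts, got_nonce, mac = reply.split("|")
        ts_int = int(ts)
    except ValueError:
        return None  # malformed reply
    now = now if now is not None else time.time()
    if got_nonce != nonce:
        return None  # not an answer to the challenge we issued
    if abs(now - ts_int) > MAX_SKEW:
        return None  # stale or replayed
    expected = hmac.new(key, f"{username}|{ts}|{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None  # username or timestamp altered, or wrong key
    return username


def helper_decision(ip, reply, nonce, now=None):
    """Line a Squid external ACL helper would print for this lookup."""
    user = verify_reply(ip, reply, nonce, now)
    return f"OK user={user}" if user else "ERR"


if __name__ == "__main__":
    ip = "192.168.1.20"
    nonce = secrets.token_hex(8)           # helper-side challenge
    genuine = agent_reply(AGENT_KEYS[ip], "alice", nonce)
    print(helper_decision(ip, genuine, nonce))                 # OK user=alice
    print(helper_decision(ip, genuine.replace("alice|", "bob|", 1), nonce))  # ERR
    print(helper_decision("192.168.1.99", genuine, nonce))     # ERR (no key)
```

The nonce ties each reply to one lookup and the timestamp bounds how long a captured reply stays valid; the constant-time comparison avoids leaking the MAC byte by byte. This does not stop someone with local administrator rights from reading the key off the workstation, which is why the reply above is right that the approach fits environments where the proxy username is used for accounting rather than enforcement.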
-
Hello all,
I am not an expert in any of this by any means, so can someone help with setting the helper to pull attributes from AD, or else just the username and IP/hostname of the machine?
I simply need this for accounting. To see who is who and doing what. Security is not that big of any issue.
Thanks.