Firewall Wizards mailing list archives
Re: Protocols supporting proxy auth?
From: Carson Gaspar <carson () taltos org>
Date: Fri, 09 Feb 2001 17:08:55 -0800
--On Thursday, February 08, 2001 12:23 AM +0300 ark () eltex ru wrote:

>> (Matthew Kirkwood):
>> Is there a reference anywhere for protocols (or protocol abuses) which support proxy authentication?
>> POP,
>
> No.
>
>> IMAP
>
> I don't think it will work, at least even if it is possible standard clients do not support it.
>
>> and maybe others.
>
> Some interactive protocols like irc can work this way, but the general answer is No. If you really need that, the only solutions I am aware of are protocol wrappers/modification (socks5 alone is no good because its authentication is weak if you don't use kerberos) and out-of-band authentication (like it is implemented in Gauntlet ck-gw).
This is not strictly true. Since Matthew included protocol abuses as an option, it is possible to do this with POP and IMAP. One possible scenario, using clear-text authentication:
    usernames are of the form localuser:remoteuser
    passwords are of the form localpass:remotepass

The proxy would have to force the auth methods advertised to only include cleartext options, and users would not be able to use colons in their local usernames or passwords.
Another option would be for the proxy to eat the first auth attempt, return a failure code, and then pass the next attempt to the actual server. Again, it would have to mangle the auth type advertisement, but it could possibly include some non-plain-text alternatives. It also runs the risk that the client may disconnect after one attempt, or not allow differing usernames.
Yet another option is for the proxy to become a secure password store. Users authenticate to the proxy, and the proxy authenticates to the server using their stored information. If you don't want long-lived auth data on the proxy, the users could connect twice - once with their actual auth info (in plaintext) which the proxy caches, and then again with the proxy auth info, at which point the proxy replays the first set of auth data to the server.
So it can be done, but it is non-trivial to do well. In general, an out-of-band mechanism (VPN to the proxy server, a secure form of identd, etc.) is easier and more flexible, but more intrusive.
--
Carson Gaspar - carson () taltos org
Queen trapped in a butch body

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
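The first scheme in Carson's reply (split credentials over cleartext POP3), worked through as an added example that is not from the original thread: a minimal state machine for the proxy side of the USER/PASS dialogue. The local credential table, the CAPA filtering and the reply strings are assumptions; the point it shows is that nothing goes upstream until the local half has been checked, and that only the local halves are forbidden from containing a colon.

```python
import hmac

# Constructed credential store for the local (proxy) side; a real proxy
# would consult its own user database.
LOCAL_USERS = {"alice": "s3cret"}


class Pop3AuthSplitter:
    """Proxy-side handling of localuser:remoteuser / localpass:remotepass."""

    def __init__(self, local_users=LOCAL_USERS):
        self.local_users = local_users
        self.local_user = self.remote_user = None

    @staticmethod
    def filter_capa(capa_lines):
        # Hide SASL/APOP in the server's CAPA reply so clients fall back to
        # cleartext USER/PASS, the only form the proxy can split.
        return [l for l in capa_lines
                if not l.upper().startswith(("SASL", "APOP"))]

    def handle(self, line):
        """Process one client command; returns (lines_for_server, reply_for_client)."""
        verb, _, arg = line.rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb == "USER":
            if ":" not in arg:
                return [], "-ERR username must be localuser:remoteuser"
            # Split on the first colon: the local half can never contain one
            # (the restriction the post mentions), the remote half still may.
            self.local_user, _, self.remote_user = arg.partition(":")
            # Answer USER locally; the remote username is not sent upstream
            # until the local password has been verified.
            return [], "+OK"
        if verb == "PASS":
            if self.local_user is None:
                return [], "-ERR send USER first"
            if ":" not in arg:
                return [], "-ERR password must be localpass:remotepass"
            local_pass, _, remote_pass = arg.partition(":")
            expected = self.local_users.get(self.local_user)
            if expected is None or not hmac.compare_digest(
                    expected.encode(), local_pass.encode()):
                self.local_user = self.remote_user = None
                return [], "-ERR local authentication failed"
            # Local half verified: replay only the remote half to the server.
            return [f"USER {self.remote_user}", f"PASS {remote_pass}"], None
        return [line.rstrip("\r\n")], None  # everything else passes through
```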