Summary: | proxy: setting ip limit for authentication causes error message | |
---|---|---|---
Product: | IPFire | Reporter: | Peter Müller <peter.mueller>
Component: | --- | Assignee: | Peter Müller <peter.mueller>
Status: | CLOSED FIXED | QA Contact: | Michael Tremer <michael.tremer>
Severity: | Minor Usability | |
Priority: | Will only affect a few users | CC: | michael.tremer
Version: | 2 | Keywords: | GoodFirstBug
Hardware: | all | |
OS: | All | |
Description
Peter Müller
2019-02-06 17:43:34 UTC
This is a bit of a problem here now.

It has been deliberately removed that squid caches an IP address from which a user has successfully authenticated. Any consecutive can be sent from the same IP address for N minutes which I regard as a security issue. It is authentication bypass. Any VM or so on a host may take advantage of this as well as other software that does not have credentials like the browser has.

The IP limit feature relies on that. So I guess we have to drop that, too?

I think that is the better solution out of the two of them.

So why is this a GoodFirstBug then? What is your idea to do on this?

(In reply to Peter Müller from comment #2)
> So why is this a GoodFirstBug then? What is your idea to do on this?

Because the check only has to be removed. The input field is no longer available. That would be a simple patch with maybe 4 lines?

I see, thanks.

After some delay and looking at this more closely, I disagree. Corresponding snippet taken from squid.conf.documented:

    # acl aclname max_user_ip [-s] number
    #   This will be matched when the user attempts to log in from more
    #   than <number> different ip addresses. The authenticate_ip_ttl
    #   parameter controls the timeout on the ip entries. [fast]
    #   If -s is specified the limit is strict, denying browsing
    #   from any further IP addresses until the ttl has expired. Without
    #   -s Squid will just annoy the user by "randomly" denying requests.
    #   (the counter is reset each time the limit is reached and a
    #   request is denied)
    #   NOTE: in acceleration mode or where there is mesh of child proxies,
    #   clients may appear to come from multiple addresses if they are
    #   going through proxy farms, so a limit of 1 may cause user problems.

This does not seem to be an authentication bypass, it simply prevents user credentials from being shared and (ab)used at the same time by several clients.

In relatively static networks, there is no need for a user credential being used by more than one IP address in parallel, so I actually consider this being a security feature. Or am I misguided again?

Okay, what is your proposed solution?

To fix this so IP addresses per user can be limited again.
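The following is an added example, not part of the bug report and not IPFire or Squid code. It models the `max_user_ip` behaviour exactly as the quoted squid.conf.documented text describes it (a per-user set of source addresses that expire after `authenticate_ip_ttl`, a strict mode that keeps denying further addresses until expiry, and a non-strict mode that denies once and resets the counter), and replays a constructed traffic sample in which a VM on the same host reuses a user's credentials from a second address. The class and function names, the user and addresses, and the assumption that the denied address is not recorded when the non-strict counter resets are all illustrative choices, not Squid internals.

```python
"""Toy model of Squid's ``max_user_ip`` ACL, written to illustrate the
behaviour described in the quoted squid.conf.documented text.

This is an added example, not IPFire or Squid code. The squid.conf
fragment it corresponds to (assumed form, see the Squid docs) would be:

    authenticate_ip_ttl 10 minutes
    acl one_ip_per_user max_user_ip -s 1
    http_access deny one_ip_per_user
"""


class MaxUserIp:
    """Track the source IPs seen per authenticated user within a TTL.

    limit:  the <number> argument of max_user_ip
    strict: the -s flag
    ttl:    authenticate_ip_ttl, in seconds
    """

    def __init__(self, limit, strict=False, ttl=600):
        self.limit = limit
        self.strict = strict
        self.ttl = ttl
        self.seen = {}  # user -> {ip: last time the ip was seen}

    def _live_entries(self, user, now):
        """Drop entries older than the TTL and return the remaining ones."""
        entries = self.seen.setdefault(user, {})
        for ip in [ip for ip, t in entries.items() if now - t >= self.ttl]:
            del entries[ip]
        return entries

    def matches(self, user, ip, now):
        """Return True when the ACL matches, i.e. an ``http_access deny``
        rule using it would reject this request."""
        entries = self._live_entries(user, now)
        if ip in entries:
            entries[ip] = now          # known address, refresh its TTL
            return False
        if len(entries) < self.limit:
            entries[ip] = now          # still within the allowed number
            return False
        if not self.strict:
            # Non-strict: deny this request but reset the counter, which is
            # the "randomly denying requests" behaviour the docs warn about.
            # Assumption: the denied address is not recorded on the reset.
            self.seen[user] = {}
        return True


def run_scenario(strict):
    """Replay a constructed browsing sequence for one user (limit 1).

    The user first browses from the host, then a VM on the same host
    (a different address) reuses the credentials, then the host again,
    and finally the VM after the TTL has expired. Times are seconds.
    """
    acl = MaxUserIp(limit=1, strict=strict, ttl=600)
    requests = [  # (time, source ip): constructed sample traffic
        (0, "10.0.0.5"),
        (1, "10.0.0.5"),
        (2, "10.0.0.9"),
        (3, "10.0.0.9"),
        (4, "10.0.0.5"),
        (700, "10.0.0.9"),
    ]
    return ["deny" if acl.matches("alice", ip, t) else "allow"
            for t, ip in requests]


if __name__ == "__main__":
    for strict in (True, False):
        print("strict" if strict else "non-strict", run_scenario(strict))
```

With `-s` the second address is refused for the rest of the TTL while the first keeps working; without `-s` each new address is refused once and then takes over, so the two clients alternately lock each other out. Neither mode lets an unauthenticated client through: the ACL only counts addresses of already authenticated requests, which is why it limits credential sharing rather than bypassing authentication.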