Configuring the Squid service for Kerberos authentication

Support

Support for business applications

Kaspersky Web Traffic Security 6.x

Appendix 2. Configuring integration of the Squid service with Active Directory

Configuring Kerberos authentication

Configuring the Squid service for Kerberos authentication

December 13, 2023

ID 166440

These instructions are applicable if Kaspersky Web Traffic Security was installed from an RPM or DEB package to a ready-to-use operating system.

If you are configuring authentication with a domain whose name contains the root domain .local, you must complete the following steps to prepare the operating system for correct Kerberos authentication.

To configure the Squid service for Kerberos authentication:

If you are using the CentOS version 8.x or Red Hat Enterprise Linux version 8.x operating systems, configure a policy for using encryption algorithms. To do so, execute the command:
update-crypto-policies --set LEGACY
Copy the squid.keytab file to the folder /etc/squid/.
Configure access to the keytab file. To do so, run the following commands depending on the utilized operating system:
- CentOS, Red Hat Enterprise Linux or SUSE Linux Enterprise Server:
  chown squid:squid /etc/squid/squid.keytab
  
  chmod 400 /etc/squid/squid.keytab
- Ubuntu, Debian, or ALT Server:
  chown proxy:proxy /etc/squid/squid.keytab
  
  chmod 400 /etc/squid/squid.keytab
By default, the owner of the krb5.keytab file is superuser.
Add the following parameters into the beginning of the /etc/squid/squid.conf file, depending on the operating system:
- CentOS or Red Hat Enterprise Linux:
  auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/squid.keytab -s HTTP/<name of the server hosting the Squid service>@<realm Active Directory domain name in uppercase>
  
  auth_param negotiate children 100 startup=0 idle=10
  
  auth_param negotiate keep_alive on
  
  acl authenticated_user proxy_auth REQUIRED
  
  http_access deny !authenticated_user
- SUSE Linux Enterprise Server:
  auth_param negotiate program /usr/sbin/negotiate_kerberos_auth -k /etc/squid/squid.keytab -s HTTP/<name of the server hosting the Squid service>@<realm Active Directory domain name in uppercase>
  
  auth_param negotiate children 100 startup=0 idle=10
  
  auth_param negotiate keep_alive on
  
  acl authenticated_user proxy_auth REQUIRED
  
  http_access deny !authenticated_user
- Ubuntu, Debian, or ALT Server:
  auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/squid.keytab -s HTTP/<name of the server hosting the Squid service>@<realm Active Directory domain name in uppercase>
  
  auth_param negotiate children 100 startup=0 idle=10
  
  auth_param negotiate keep_alive on
  
  acl authenticated_user proxy_auth REQUIRED
  
  http_access deny !authenticated_user
If you want to enable logging of events in debug mode, in the /etc/squid/squid.conf file add the -d parameter to the first string.
- CentOS or Red Hat Enterprise Linux:
  auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -d -k /etc/squid/squid.keytab -s HTTP/<name of the server hosting the Squid service>@<realm Active Directory domain name>
- SUSE Linux Enterprise Server:
  auth_param negotiate program /usr/sbin/negotiate_kerberos_auth -d -k /etc/squid/squid.keytab -s HTTP/<name of the server hosting the Squid service>@<realm Active Directory in uppercase>
- Ubuntu, Debian, or ALT Server:
  auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -k /etc/squid/squid.keytab -s HTTP/<name of the server hosting the Squid service>@<realm Active Directory domain name>
Debug events will be written to the file /var/log/squid/cache.log.
If you want to disable the Replay cache, do the following depending on the utilized operating system:
- For CentOS or Red Hat Enterprise Linux, add the following line to the /etc/sysconfig/squid file:
  KRB5RCACHETYPE=none
- For Ubuntu 18.04.х, Debian 9.х, or ALT Server, add the following line to the /etc/default/squid file:
  KRB5RCACHETYPE=none
- For SUSE Linux Enterprise Server 15.x or Debian 10.x:
  1. Create a file named /etc/systemd/system/squid.service.d/override.conf with the following contents:
    [Service]
    
    Environment=KRB5RCACHETYPE=none
  2. Run the following command:
    systemctl daemon-reload
Replay cache is enabled by default.

Replay cache provides more reliable protection, but may reduce the performance of the application.

Cache used in Kerberos technology to store records of user authentication requests. This mechanism helps protect the infrastructure against replay attacks. When employing these types of attacks, hackers record user traffic so that they can replay the user's previously sent messages and thereby successfully complete authentication on the proxy server. When using a replay cache, the authentication server detects the duplicate request and responds by sending an error message.
Restart the Squid service. To do so, execute the command:
service squid restart
On enterprise LAN computers, in the browser settings, specify the fully qualified domain name (FQDN) of the server hosting the Squid service as the proxy server.

The Squid service is now configured to use Kerberos authentication.

Kaspersky Endpoint Security for Business Advanced: Adaptive security of your company

Web and device controls. Data encryption. Centralized and convenient management from a single console.

Kaspersky Premium Support (MSA): High‑priority incident processing

Telephone and web ticket support. Fast response, monitoring and health check. Submit a request and activate the contract (MSA).

Did you find this article helpful?

What can we do better?

Thank you for your feedback! You're helping us improve.