Configuring the Squid service for Kerberos authentication

These instructions are applicable if Kaspersky Web Traffic Security was installed from an RPM or DEB package to a ready-to-use operating system.

If you are configuring authentication with a domain whose name contains the root domain .local, you must complete the following steps to prepare the operating system for correct Kerberos authentication.

To configure the Squid service for Kerberos authentication:

1. If you are using the CentOS version 8.x or Red Hat Enterprise Linux version 8.x operating systems, configure a policy for using encryption algorithms. To do so, execute the command:

   update-crypto-policies --set LEGACY

2. Copy the squid.keytab file to the folder /etc/squid/.
3. Configure access to the keytab file. To do so, run the following commands depending on the utilized operating system:
   • CentOS, Red Hat Enterprise Linux or SUSE Linux Enterprise Server:

     chown squid:squid /etc/squid/squid.keytab

     chmod 400 /etc/squid/squid.keytab

   • Ubuntu, Debian, or ALT Server:

     chown proxy:proxy /etc/squid/squid.keytab

     chmod 400 /etc/squid/squid.keytab

   By default, the owner of the krb5.keytab file is superuser.

4. Add the following parameters into the beginning of the /etc/squid/squid.conf file, depending on the operating system:
   • CentOS or Red Hat Enterprise Linux:

     auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/squid.keytab -s HTTP/<name of the server hosting the Squid service>@<realm Active Directory domain name in uppercase>

     auth_param negotiate children 100 startup=0 idle=10

     auth_param negotiate keep_alive on

     acl authenticated_user proxy_auth REQUIRED

     http_access deny !authenticated_user

   • SUSE Linux Enterprise Server:

     auth_param negotiate program /usr/sbin/negotiate_kerberos_auth -k /etc/squid/squid.keytab -s HTTP/<name of the server hosting the Squid service>@<realm Active Directory domain name in uppercase>

     auth_param negotiate children 100 startup=0 idle=10

     auth_param negotiate keep_alive on

     acl authenticated_user proxy_auth REQUIRED

     http_access deny !authenticated_user

   • Ubuntu, Debian, or ALT Server:

     auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/squid.keytab -s HTTP/<name of the server hosting the Squid service>@<realm Active Directory domain name in uppercase>

     auth_param negotiate children 100 startup=0 idle=10

     auth_param negotiate keep_alive on

     acl authenticated_user proxy_auth REQUIRED

     http_access deny !authenticated_user

5. If you want to enable logging of events in debug mode, in the /etc/squid/squid.conf file add the -d parameter to the first string.
   • CentOS or Red Hat Enterprise Linux:

     auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -d -k /etc/squid/squid.keytab -s HTTP/<name of the server hosting the Squid service>@<realm Active Directory domain name>

   • SUSE Linux Enterprise Server:

     auth_param negotiate program /usr/sbin/negotiate_kerberos_auth -d -k /etc/squid/squid.keytab -s HTTP/<name of the server hosting the Squid service>@<realm Active Directory in uppercase>

   • Ubuntu, Debian, or ALT Server:

     auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -d -k /etc/squid/squid.keytab -s HTTP/<name of the server hosting the Squid service>@<realm Active Directory domain name>

   Debug events will be written to the file /var/log/squid/cache.log.

6. If you want to disable the Replay cache, do the following depending on the utilized operating system:
   • For CentOS or Red Hat Enterprise Linux, add the following line to the /etc/sysconfig/squid file:

     KRB5RCACHETYPE=none

   • For Ubuntu 18.04.х, Debian 9.х, or ALT Server, add the following line to the /etc/default/squid file:

     KRB5RCACHETYPE=none

   • For SUSE Linux Enterprise Server 15.x or Debian 10.x:
     1. Create a file named /etc/systemd/system/squid.service.d/override.conf with the following contents:

        [Service]

        Environment=KRB5RCACHETYPE=none

     2. Run the following command:

        systemctl daemon-reload

   Replay cache is enabled by default.

   Replay cache provides more reliable protection, but may reduce the performance of the application.

   Cache used in Kerberos technology to store records of user authentication requests. This mechanism helps protect the infrastructure against replay attacks. When employing these types of attacks, hackers record user traffic so that they can replay the user's previously sent messages and thereby successfully complete authentication on the proxy server. When using a replay cache, the authentication server detects the duplicate request and responds by sending an error message.

7. Restart the Squid service. To do so, execute the command:

   service squid restart

8. On enterprise LAN computers, in the browser settings, specify the fully qualified domain name (FQDN) of the server hosting the Squid service as the proxy server.

The Squid service is now configured to use Kerberos authentication.

Page top