Using scripted authentication

Submitted by olecom
on April 5, 2010 - 3:57am

I've found a way to use the method proposed in the "ssh brute force" post to auth users on some kinds of services a server may provide, but where the software may not support authentication at all.

Opinions on this auth for tinyproxy are welcome.

https://www.banu.com/pipermail/tinyproxy-users-list/2010-April/000059.html
____

Re: [tinyproxy-users-list] Authentication?

on September 29, 2010 - 2:56pm

Date: Mon, 05 Apr 2010 13:34:04 +0300
From: Oleg Verych <olecom@gmai1.com>
To: tinyproxy-users-l1st@banu.com
CC: "Christian A. Benitez" <christ1anx@gmai1.com>
Subject: Re: [tinyproxy-users-list] Authentication?

Hallo, people in the tinyproxy-list. Hi, Christian.

Let me share some ideas about a general form of authentication for services on servers.

> Hello, I just installed this software into a virtual machine (Ubuntu server)
> and it is really light. I wanted to know how I can set up some sort of
> authentication because the idea is to use it from the internet, so everyone
> is going to be allowed to use it. I found a message from 2003 saying that
> this feature was planned to be included in a future release, but I can't
> find anything. I need something really simple, one username/password,
> nothing too complicated.

IMHO this way is hard, thus still not implemented. Also, it would be a kind of NIH.
> Anyone knows if there is a way or do I have to search for another software? (I
> don't want to use squid, if someone knows of another software please tell me
> :/))
1) create a user account for a service, say proxy;
    set up $HOME and other security (read/write/execute) on the OS.

2) configure a special secure shell daemon (e.g. /etc/ssh/sshd_config-special), which will
    allow only this user: AllowUsers super-proxy-auth;
    Debian's /etc/init.d/ssh has no support for managing multiple daemons with their own
    configuration files (I've one that seems to work even remotely :).

3) force this daemon to execute a "login" script: ForceCommand /bin/sh -c '. ~/.profile'

4) compose the $HOME/.profile script as you wish to authenticate users. Note that the script
    has all the powers of the OS under the privileges you set up for this $USER. (*)

5) when auth is done, then just use ssh/putty (e.g. under MS Windows(R))
    IP tunnels to localhost:proxyport

    BTW, applying some creativity, the ssh window may show a countdown and/or
    periodically updated traffic stats in ASCII ART or something like that.

(*) Example of a login script I use to interactively authenticate myself.

1) usual ssh username/password stage after connect
2) then, if I do not type my real login username within 5 seconds -> close connection
3) what happens next, see the `case "${U:=}" in` part

Good luck.

--------------------------------------------------------------------
root@main-server:/tmp# dd</home/XXXXXXXXXXX/.profile
--------------------------------------------------------------------
#!/bin/sh
# "$HOME/.profile" for a secured, nice and wise re-login

# All signals from the controlling tty can kill commands and leave the
# user with an interactive shell; the purpose of this script is to force
# authentication of the real user from this "just for login" one.

# Thus: interactivity off (no controlling tty) and error checking on
# (any error -- logout; works only with `+i', which dash, Debian's
# /bin/sh, accepts and bash rejects).

# "/etc/passwd" may have this file as the login shell (not tested);
# $HOME can have only this file, which makes things easier.

# BEWARE that NO username/password information can be written here,
# because exec-only (no read permission) for scripts isn't supported,
# and the script may disclose hidden information.

set +i -e
sleep 2
umask 027
cd /

# Ask for the real login name with a 5 second deadline.  Prompt and
# countdown go to the terminal via stderr; only what the user types is
# captured into U.
U=$(
T=50                            # tenths of a second left
P="Enter user name, please ("
G=$((${#P}+1))                  # terminal column of the countdown

# A background job in a non-interactive shell gets /dev/null as stdin,
# so the terminal is handed to the reader explicitly through fd 9.
exec 9<&0
( read U && echo "$U" ) <&9 &
PID=$!
exec 9<&- 1>&2                  # from here on, output goes to the terminal

printf '%s' "$P$T): "
trap 'kill -KILL "$PID" 2>&-' 0 INT QUIT
P=5
# /proc/$PID/exe stops resolving as soon as the reader has exited (even
# before it is reaped), which makes it a usable liveness check here.
while sleep "0.$P" && test -e "/proc/$PID/exe"
do
    T=$(($T-$P))
    if test "$T" -gt 0
    then
        # save cursor (ESC 7), jump to column G, rewrite the counter, restore (ESC 8)
        printf "\0337\033[${G}G$T): \0338"
    else
        printf "\033[${G}Gtime is out). Bye.\n"
        exit 73                 # non-zero status of the substitution + `set -e' ends the session
    fi
done
)
echo "Wait, please..."
sleep 2

# `ssh host command' is refused: a forced command leaves the request in
# $SSH_ORIGINAL_COMMAND, and then the case below is skipped.
[ "$SSH_ORIGINAL_COMMAND" ] || case "${U:=}" in
    root|'')
        # root or nothing typed: hang the connection instead of answering
        exec sleep $((1<<30));;
    *)  # check and `su` to the supplied login
        test -d "/home/$U" && chmod 660 "$(tty)" && exec su "$U";;
esac
echo "Only interactive shell access is available. No commands, please."
exit 73 # temporary (obscure) failure, normally not reached
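The deadline-bounded `read` in the .profile above is the portable core of the trick: dash, Debian's /bin/sh, has no bash `read -t`, so a background reader is started and its completion is polled while a countdown runs. As an added example, not code from the post, here the same idea is factored into a reusable POSIX-sh function that prints the entered line on stdout and returns the script's status 73 on timeout. The function name, the temp-directory hand-over between reader and poller, and the sample call are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): a POSIX-sh "read a line
# before a deadline", for shells without `read -t`.
#
# timed_read SECONDS [PROMPT]
#   Countdown prompt on stderr, the entered line on stdout.
#   Returns 0 on input, 73 on timeout (as the .profile does), 1 on EOF.
timed_read() {
    tr_deadline=$1
    tr_prompt=${2:-"Enter user name, please"}
    tr_dir=$(mktemp -d) || return 1

    # A background job in a non-interactive shell gets /dev/null as stdin,
    # so the caller's stdin (terminal or pipe) is handed over via fd 9.
    exec 9<&0
    (
        if IFS= read -r tr_line; then
            printf 'ok %s\n' "$tr_line"
        else
            printf 'eof\n'
        fi >"$tr_dir/part"
        mv "$tr_dir/part" "$tr_dir/done"     # atomic hand-over to the poller
    ) <&9 >/dev/null 2>&1 &
    tr_pid=$!
    exec 9<&-

    tr_left=$tr_deadline
    # Poll for the result file rather than the PID: an exited but not yet
    # reaped background job would still answer `kill -0`.
    while [ ! -e "$tr_dir/done" ]; do
        if [ "$tr_left" -le 0 ]; then
            printf '\r%s (time is out). Bye.\n' "$tr_prompt" >&2
            kill -KILL "$tr_pid" 2>/dev/null || :
            wait "$tr_pid" 2>/dev/null || :
            rm -rf "$tr_dir"
            return 73
        fi
        printf '\r%s (%s): ' "$tr_prompt" "$tr_left" >&2
        sleep 1
        tr_left=$((tr_left - 1))
    done
    wait "$tr_pid" 2>/dev/null || :
    printf '\n' >&2

    tr_result=$(cat "$tr_dir/done")
    rm -rf "$tr_dir"
    case $tr_result in
        ok\ *) printf '%s\n' "${tr_result#ok }"; return 0 ;;
        *)     return 1 ;;
    esac
}

# Stand-alone demo: `sh timed_read.sh demo` asks for a name with a 5 s deadline.
if [ "${1:-}" = demo ]; then
    if name=$(timed_read 5); then
        echo "got: $name"
    else
        echo "no name, status $?"
    fi
fi
```

In a ForceCommand login script the call replaces the whole `U=$( ... )` block of the .profile: `U=$(timed_read 5) || exit 73`, followed by the same `case "${U:=}" in` dispatch.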

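Putting steps 1) to 5) together, here is an added example of the wiring; it is not from the post or from the tinyproxy project, and the port numbers, the `proxy` user name, the PidFile path and `server.example` are assumptions. Two points a practitioner will want that the steps leave implicit: tinyproxy must bind to 127.0.0.1 only, otherwise the Internet reaches it without ever touching the ssh gate; and in OpenSSH a forced command governs only the session channel, while port forwarding is negotiated separately, so a client run as `ssh -N -L ...` gets its tunnel without the .profile prompt ever running. The scripted prompt therefore adds a step for whoever opens a terminal, while the sshd password, together with `PermitOpen` limiting the tunnel to the proxy port, is what actually protects the tunnel.

```text
# ---- /etc/ssh/sshd_config-special: second sshd instance, only for the proxy user ----
Port 2222
PidFile /run/sshd-special.pid
AllowUsers proxy
PasswordAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
# Whatever the client asks to run is ignored; only the login script runs, and the
# requested command is left in $SSH_ORIGINAL_COMMAND for the script to refuse.
ForceCommand /bin/sh -c '. ~/.profile'
# The session exists only to carry the tunnel to tinyproxy: allow that and nothing else.
AllowTcpForwarding yes
PermitOpen 127.0.0.1:8888
GatewayPorts no
X11Forwarding no
AllowAgentForwarding no
PermitTunnel no

# ---- /etc/tinyproxy.conf, the lines that matter here ----
# Loopback only, so the proxy is reachable solely through the tunnel.
Port 8888
Listen 127.0.0.1
Allow 127.0.0.1

# ---- client side (OpenSSH; PuTTY's "Tunnels" pane is the equivalent) ----
# Keeps the terminal open, so the .profile prompt runs, and forwards local
# port 8888 to tinyproxy on the server.
ssh -p 2222 -L 8888:127.0.0.1:8888 proxy@server.example
# then configure the browser to use http://localhost:8888/ as its HTTP proxy
```

Check the file with `sshd -t -f /etc/ssh/sshd_config-special` and start the instance with `sshd -f /etc/ssh/sshd_config-special`; the `$SSH_ORIGINAL_COMMAND` test in the script is what refuses `ssh proxy@server some-command`.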