Squid PAM Authentication and Mozilla Firefox Preferences Lockdown


Setup Squid to use PAM Authentication

This is a very specific howto which assumes the reader has a general knowledge of installing and configuring squid.

Setup squid as a non-transparent proxy. Auth doesn't work with transparent proxying.

Add the following lines in their corresponding locations in squid.conf:
shutdown_lifetime 10 seconds

# this goes at the top of the uncommented auth_param lines
auth_param basic program /usr/lib/squid/pam_auth

# anywhere in the acl list
# only list users below that should be allowed to authenticate and bypass the ban_times restriction
acl pam_allowed_users proxy_auth user1 user2 user3
acl localnet src 192.168.1.0/24

# the following defines ban times from 7:30 am to 5 pm, Monday through Saturday (M T W H F A)
acl ban_times time MTWHFA 07:30-17:00

# in the http_access section, add your own rules
# the following two lines allow users that authenticate, but disallow anyone
# who 1. doesn't authenticate and 2. tries going through squid during ban times
# (squid evaluates http_access rules in order and stops at the first match, so keep this order)
http_access allow pam_allowed_users
http_access deny ban_times
http_access allow localnet


Restart squid and set proxy settings on workstations that should use squid.

Add local users to the squid box, but make sure to set their shell to /sbin/nologin so the accounts can authenticate to squid without being able to log in to the box:

useradd user1 -s /sbin/nologin

Then set each user's password.


Locking Down Windows Installs of Mozilla Firefox
------------------------------------------------
Let's say you are the administrator of one or more installations of Mozilla Firefox and you want to lock certain settings/options, so users cannot edit them. For instance you may want to prevent people from changing the proxy setting, the homepage, the ability to save passwords, etc.

It is possible, but it's a little complicated.

First you need to find out what the names are of the preferences you wish to lock. The best way to do this is by entering about:config in the Firefox location bar. Every preference that has been used will appear in the resulting list. You can use the filter field to search for preferences that contain certain words. For instance, if you're looking for the homepage URL setting, just type homepage in the filter field. For more info on preference names, and about:config see:
http://kb.mozillazine.org/About:config

Next, create a file anywhere on your hard drive, called mozilla.txt. Open mozilla.txt in a text editor (Notepad), and begin the first line with two forward slashes. The following lines will contain the preferences you want to lock, and their values. They should be in the same form as you see them in your profile's prefs.js file, with one exception: instead of using user_pref, use lockPref. For instance, if you want to lock the proxy at "direct connection", and lock the homepage at http://www.google.com, the contents of your mozilla.txt file would look like this:
//
lockPref("network.proxy.type", 0);
lockPref("browser.startup.homepage", "http://www.google.com/");

Here's where it gets tricky. The file must be encoded, and renamed. The encoding is a simple "byte-shifting" with an offset of 13. You can download a program that will do this here, or use an online encoder here (http://www.alain.knaff.lu/%7Eaknaff/howto/MozillaCustomization/cgi/byteshf.cgi).

The resulting file should be named mozilla.cfg. Save that in the same directory as firefox.exe.

Last step: In C:\Program Files\Mozilla Firefox\greprefs\ there's a file called all.js. Open all.js in a text editor, and add the following line at the end of it:
pref("general.config.filename", "mozilla.cfg");

Save, close, and start Firefox to test it.


NOTE: Under Ubuntu, you don't need to do the byteshift encoding. Just add your lockdown prefs to
/usr/lib/firefox/firefox.cfg and be sure to end the file with a newline or carriage return.


lockPref("network.proxy.type", 1);
lockPref("network.proxy.share_proxy_settings", true);
lockPref("network.proxy.http", "192.168.1.20");
lockPref("network.proxy.http_port", 3128);


NOTE: Under Windows, the mozilla.cfg MUST begin with the line:
//

e.g.
//
lockPref("network.proxy.type", 1);

and I think it needs to end with a carriage return as well.
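The byte-shift encoding described above, as an added example (not a tool from the page or from Mozilla): it shifts every byte of mozilla.txt by 13 and, before encoding, checks the two rules the notes state, that the file starts with a "//" line and ends with a newline. It assumes the shift wraps modulo 256, which the page does not spell out.

```python
import sys

SHIFT = 13  # offset stated in the page


def byteshift(data: bytes, offset: int = SHIFT) -> bytes:
    """Encode: shift every byte by `offset`, wrapping modulo 256 (assumption)."""
    return bytes((b + offset) % 256 for b in data)


def unbyteshift(data: bytes, offset: int = SHIFT) -> bytes:
    """Decode: inverse of byteshift, useful for checking an existing mozilla.cfg."""
    return bytes((b - offset) % 256 for b in data)


def check_prefs_text(text: str) -> list:
    """Return the formatting problems found in a lockdown prefs file.

    Rules taken from the page: the first line must be exactly "//" and the
    file must end with a newline. An empty list means both checks pass.
    """
    problems = []
    first_line = text.split("\n", 1)[0].rstrip("\r")
    if first_line != "//":
        problems.append('first line must be "//"')
    if not text.endswith(("\n", "\r")):
        problems.append("file must end with a newline")
    return problems


def encode_prefs(text: str) -> bytes:
    """Validate a prefs file and return the byte-shifted mozilla.cfg contents."""
    problems = check_prefs_text(text)
    if problems:
        raise ValueError("; ".join(problems))
    return byteshift(text.encode("ascii"))


# Constructed sample, built from the proxy lockdown lines shown on the page.
SAMPLE = (
    "//\n"
    'lockPref("network.proxy.type", 1);\n'
    'lockPref("network.proxy.http", "192.168.1.20");\n'
    'lockPref("network.proxy.http_port", 3128);\n'
)

if __name__ == "__main__":
    # Usage: python byteshift.py mozilla.txt mozilla.cfg
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, encoding="ascii") as f:
        cfg = encode_prefs(f.read())
    with open(dst, "wb") as f:
        f.write(cfg)
```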


Now obviously, to prevent users from changing these settings, file permissions must be set so that only administrators or certain users can modify the mozilla.cfg file (and the all.js file that points to it). Additionally, users might use a different browser altogether, so you may need strict firewall rules that force all web traffic through squid.