You can use Ident to identify your users based on log in name. This simplifies management so you don't have to go around matching IP addresses to computers. Of course it also allows you to add users to groups based on their username.
Using Ident for user authentication has several benefits over the SSL or proxy login methods - primarily that the user does not need to enter username and password credentials to access DansGuardian. Instead, an Ident server running on the client system will automatically provide the Windows username to DansGuardian.
One disadvantage is the ident protocol is very easy for a user who's broken an end user computer (or brought a computer in from home) to “spoof”. If your user population is quite hostile, the minimal security provided by ident auth may not be acceptable.
Another disadvantage is if DansGuardian can't contact what should be an extant Ident daemon, DansGuardian processing will be delayed for an unacceptably long time (perhaps several minutes). This is normally not a problem where you control all the end user computers, provided you rigorously follow these two recommendations:
- Allow port 113 through all internal software firewalls. Don't treat the “Windows Firewall” as nothing more than a simple “all on” or “all off” capability; you may need to explicitly allow port 113 even though the firewall is “on”. To do this you may need to select buttons or tabs labelled with things like [Exceptions] or [Advanced].
- Allow port 113 through all internal network infrastructure devices (hubs, routers, etc.). Some network infrastructure devices by default allow all traffic indiscriminately, but others either by default or because of specific (but probably forgotten) settings, disallow “uncommon” types of traffic, which unfortunately often includes port 113 traffic.
(Obviously, software firewalls on computers brought in from home may incorrectly firewall port 113 beyond your control. In this situation, “ident” auth may not be suitable, as its use may always be problematic no matter what you do.)
In case you want to know the technical details: DansGuardian operation using ident auth will proceed immediately and correctly so long as either connections reach a legitimate ident daemon or are rejected by a network packet with the RST bit set. But DansGuardian operation using ident auth will be dramatically delayed and jerky if it receives absolutely no response at all (not even a RST) to its port 113 traffic (or if if connects to a faulty ident daemon which later becomes unresponsive - fortunately this is very uncommon).
Note that unlike earlier versions of Windows, Windows Vista and Windows 7 no longer reject packets sent to port 113 if no running Ident server is found. This will result in no website being displayed in the browser. Consequently all machines must have an Ident server installed if you use Ident on your network.
In order to use Ident for authentication, an Ident daemon/server application must be installed on all workstation computers. Here are some Ident servers that can be installed on your workstations:
- Windows Ident Server 2.0 (Windows XP, 2003, Vista, Server 2008) (22 June 2008) - http://rndware.info/products/windows-ident-server.html - Seems to run under Windows 7. Does not pull up actual username when running as a service - instead it shows the username of the user running the service (usually “system”)
- Retina Scan IDENT (Last Update: vsn 0.3.0 08 Aug 2009) - https://sourceforge.net/projects/retinascan - supports fast user switching. Works on Vista but not Windows 7. Does not pull up actual username when running as a service - instead it shows the username of the user running the service (usually “system”)
- Identdwin (Last Update: 2003) - http://identdwin.sourceforge.net/identd-en.html. Although not updated for many years, this supports fast user switching on Windows 7 if you install the “NT” version in the download.
- Microsoft Windows XP/2000/NT - http://freeware.teledanmark.no/identd (no longer available)
- Microsoft Windows 9x - http://identd.sourceforge.net
- Apple OS-X 10.0-10.2 - ident server is included in the OS - see below.
- Apple OS-X 10.3 and higher - http://www.macmax.org/rubrique.php3?id_rubrique=21
On Windows 9x machines, simply extract the identd.exe program (link provided above) and set it to run via the Registry Run key or via a network login script. You will need to run it as follows:
identd.exe -n -r 0
- The -n turns off port-based security which means that it will return an answer no matter where the request is coming from (thus breaking RFC-compliancy, but hey, it works).
- The -r 0 returns the actual username of the person currently logged into the machine.
Note: Make sure that if you have a firewall enabled on your workstations (such as the one included in windows XP SP2) that you allow ident (port 113 - TCP) through the firewall.
On Windows XP/2000/NT just run “identd -install” as an administrator and double-check the Services applet in Control Panel to make sure it loads automatically at boot. This daemon answers all ident requests with the userid of the person currently logged on.
Neither of the above will work with multi-user systems like Windows Terminal Server, Citrix Metaframe and the like, and might have problems with XP and “fast user switching”. Retina Scan Identd is written to support “fast user switching” and from version 0.3.0 supports Windows Vista and XP.
Once installed, the Ident service must be manually started or the client system rebooted.
For Unix systems where only a single user will be logged in at a time, you can use oidentd and set it up to return a user-specified string of “USERID : <OS> : <USERNAME>” where <USERNAME> is taken from an environment variable in a startup script. This isn't fool-proof, nor perfect, but it works.
OS-X prior to version 10.3 includes an ident client. If you are running version 10.3 or higher (Panther/Tiger), you can download an Ident client for OS-X at the following website:
DansGuardian can then be configured to use Ident authentication in the dansguardian.conf file.
# Auth plugins # These replace the usernameidmethod* options in previous versions. They # handle the extraction of client usernames from various sources, such as # Proxy-Authorisation headers and ident servers, enabling requests to be # handled according to the settings of the user's filter group. # Multiple plugins can be specified, and will be queried in order until one # of them either finds a username or throws an error. For example, if Squid # is configured with both NTLM and Basic auth enabled, and both the 'proxy-basic' # and 'proxy-ntlm' auth plugins are enabled here, then clients which do not support # NTLM can fall back to Basic without sacrificing access rights. # # If you do not use multiple filter groups, you need not specify this option. # #authplugin = '/etc/dansguardian-av/authplugins/proxy-ntlm.conf' #authplugin = '/etc/dansguardian-av/authplugins/proxy-basic.conf' authplugin = '/etc/dansguardian-av/authplugins/ident.conf' #authplugin = '/etc/dansguardian-av/authplugins/ip.conf'
# Username identification methods (used in logging) # You can have as many methods as you want and not just one. The first one # will be used then if no username is found, the next will be used. # * proxyauth is for when basic proxy authentication is used (no good for # transparent proxying). # * ntlm is for when the proxy supports the MS NTLM authentication # protocol. (Only works with IE5.5 sp1 and later). **NOT IMPLEMENTED** # * ident is for when the others don't work. It will contact the computer # that the connection came from and try to connect to an identd server # and query it for the user owner of the connection. usernameidmethodproxyauth = off usernameidmethodntlm = off # **NOT IMPLEMENTED** usernameidmethodident = on