Ilya wrote:
>> Maybe I am being a bad person, but everything (and more) you need to
>> know about digest is in the RFC, they can be found on:
>>
>> HTTP basic and Digest auth: http://www.ietf.org/rfc/rfc2617.txt
>
>
> Thanks, I'll read. But it is more interesting: how can I tune squid to
> use digest authentication?
> And one more. If squid was tuned to use digest auth, then it
> saves/looks for username/password in its database. Or am I wrong? You
> know, in my situation username/password are stored on LDAP server, and
> squid checks them using external program (authentication_program)
That is my setup, but I can't use digest, because squid needs access to
the plaintext password, and our LDAP database stores only encrypted
passwords :-(.
If you check the Digest auth script on "helpers/digest_auth/password"
from squid 2.5S1 source code, you can see in the last lines:
    DigestCalcHA1("md5", user, realm, u->passwd, NULL, NULL,
                  HA1, HHA1);
    printf("%s\n", HHA1);
With the DigestCalcHA1, the script creates a hash and sends it to the
proxy (the user, realm and u->password (user password) are all in plaintext).
If the hash is equal to the client generated hash, then the request is
allowed.
> wbr
> Ilya.
That is my problem, how to generate the hash for a user without knowing
its password?
I'd love to help develop a digest auth with an LDAP backend, does anyone
have any ideas?
Jose Araujo
Received on Thu Nov 21 2002 - 09:40:06 MST
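Added example, not part of the original message and not squid code: the HA1 that DigestCalcHA1 prints is MD5(user:realm:password) per RFC 2617, and a digest response can be checked from a stored HA1 alone, while a salted {SSHA} userPassword value cannot be turned into one. The digestHA1 attribute name and the ENTRY layout are assumptions made for illustration; the sample values are those of the worked example in RFC 2617 section 3.5.

```python
import base64
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(user, realm, password):
    # RFC 2617 3.2.2.2, algorithm=MD5: the only step that needs the plaintext.
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1, nonce, nc, cnonce, qop, method, uri):
    # RFC 2617 3.2.2.1 with qop=auth: computed from HA1, not from the password.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def ldap_ssha(password, salt):
    # Salted SHA-1 in the {SSHA} userPassword form. It is one-way and has a
    # different input layout, so HA1 cannot be derived from it afterwards.
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored_ha1, client_response, **req):
    # Server side: recompute from the stored HA1, compare in constant time.
    expected = digest_response(stored_ha1, **req)
    return hmac.compare_digest(expected, client_response)


# Sample data taken from the worked example in RFC 2617 section 3.5.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
REQ = dict(nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001",
           cnonce="0a4f113b", qop="auth", method="GET", uri="/dir/index.html")

# Written once, at password-change time, while the plaintext is available.
# Hypothetical directory entry: "digestHA1" is an assumed attribute name.
ENTRY = {"userPassword": ldap_ssha(PASSWORD, b"\x01\x02\x03\x04"),
         "digestHA1": digest_ha1(USER, REALM, PASSWORD)}

if __name__ == "__main__":
    client = digest_response(digest_ha1(USER, REALM, PASSWORD), **REQ)
    print("client response:         ", client)
    print("verified from stored HA1:", verify(ENTRY["digestHA1"], client, **REQ))
    print("userPassword (no use for digest):", ENTRY["userPassword"])
```

A stored HA1 is password-equivalent for its realm (RFC 2617 section 4.13), so it needs the same access controls as the userPassword attribute.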