Re: [squid-users] providing a secure basic authentication

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 23 Sep 2004 13:45:34 +0200 (CEST)

On Thu, 23 Sep 2004, Alex Sharaz wrote:

> Still, I'll have a play and see what we can do. It would be better if there
> was some way of not having to install something on the client.

There is, but as already noted in this thread when combining different
authentication systems the end result is the most common denominator of
all the systems involved. Since you need to use a radius backend the proxy
needs to have the password in plain text and this limits authentication to
plain text as none of the more secure challenge-response based schemes can
be used.

The only way available to protect plain text is by encryption, but to use
encryption both endpoints need to support the use of encryption. Without
encryption support at the client endpoint it is a bit hard..

Some Radius servers support Digest authentication, but unfortunately not
exactly the type used by HTTP authentication and in addition the Digest
authenticator interface of Squid can not make use of this (yet)..

Regards
Henrik
Received on Thu Sep 23 2004 - 05:45:36 MDT
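
Added example, not part of the original message or of Squid's code: a sketch of why a password-checking RADIUS backend confines the proxy to Basic. With Basic the proxy recovers the password itself and can hand it on; with Digest (RFC 2617, shown without qop) it only ever sees a nonce-bound hash that must be verified against a locally held HA1. All names, the realm, the nonce and the credentials are constructed.

```python
import base64
import hashlib
import hmac


def parse_basic(credential):
    """Decode a 'Basic <base64>' credential into (user, password)."""
    scheme, _, blob = credential.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")  # password may contain ':'
    if not sep:
        raise ValueError("malformed Basic credential")
    return user, password


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(ha1, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def verify_digest(stored_ha1, method, uri, nonce, response):
    """The verifier must already hold HA1 = MD5(user:realm:password)."""
    expected = digest_response(stored_ha1, method, uri, nonce)
    return hmac.compare_digest(expected, response)


# Constructed sample values (assumptions, not taken from the thread).
USER, REALM, PASSWORD = "alice", "proxy", "s3cret:pw"
SAMPLE_BASIC = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
HA1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")
NONCE, METHOD, URI = "constructed-nonce-0001", "GET", "http://example.com/"
SAMPLE_DIGEST = digest_response(HA1, METHOD, URI, NONCE)

if __name__ == "__main__":
    # Basic: base64 is an encoding, so the proxy (and anyone on the path)
    # gets the password, which is the input a RADIUS password check needs.
    print("Basic  ->", parse_basic(SAMPLE_BASIC))
    # Digest: only a hash tied to this nonce arrives; nothing to forward.
    print("Digest ->", SAMPLE_DIGEST,
          verify_digest(HA1, METHOD, URI, NONCE, SAMPLE_DIGEST))
```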
