On 26/05/11 01:36, Maximiliano de Mattos wrote:
> Hi... :)
>
> I use squid v2.7 with ldap_auth autentication storing password as ssha hash.
>
> Now, i want to have digest ldap autentication, so i recompile squid
> and configure auth_param to use this helper and configure them.
>
> So, testing digest_ldap_auth, all are ok (or i think) :)
>
<snip>
>
> ¿The password value must be stored on ldap server in clear text mode? :(
Yes. Seems to be a flaw in LDAP digest implementation.
If you are lucky your LDAP server will have reversible encryption of the
passwords for storage, to improve a bit over open plain text storage.
But Digest-MD5 requires each end to know the plain-text version of the
password in order to hash and validate the nonce tokens.
> ¿How squid manage encrypted passwords with digest method?
Squid is not aware of the passwords. Just a nonce token that gets passed
around. Squid acts like a blind relay between the client browser and
auth server. This is true for all auth methods Squid supports.
> ¿Any other ideas?
If you want better security than digest look at Kerberos. Which is fully
encrypted with tokens not related to the password.
Amos
-- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.12 Beta testers wanted for 3.2.0.7 and 3.1.12.1Received on Thu May 26 2011 - 13:40:29 MDT
This archive was generated by hypermail 2.2.0 : Thu May 26 2011 - 12:00:03 MDT