Re: [squid-users] squid + digest ldap + password

From: Maximiliano de Mattos <azamax_at_gmail.com>
Date: Thu, 26 May 2011 13:00:07 -0300

thanks Amos!

Now I'm trying with Squid v3. If I remember correctly, I think I saw a post
saying that this version can manage hashed passwords... but now I can't find it
:(
Otherwise, I'm thinking of implementing a helper that does this
authentication (taking user + password in clear text as parameters) and,
if it is correct, returns to digest the result of MD5(user:realm:pwd
in clear text)... or ERR otherwise...

thanks again!

2011/5/26 Amos Jeffries <squid3_at_treenet.co.nz>:
> On 26/05/11 01:36, Maximiliano de Mattos wrote:
>>
>> Hi...  :)
>>
>> I use Squid v2.7 with ldap_auth authentication, storing passwords as SSHA
>> hashes.
>>
>> Now I want to have digest LDAP authentication, so I recompiled Squid
>> and configured auth_param to use this helper and configured it.
>>
>> So, testing digest_ldap_auth, all is ok (or I think so) :)
>>
> <snip>
>>
>> Must the password value be stored on the LDAP server in clear text? :(
>
> Yes. Seems to be a flaw in LDAP digest implementation.
>
> If you are lucky your LDAP server will have reversible encryption of the
> passwords for storage, to improve a bit over open plain text storage. But
> Digest-MD5 requires each end to know the plain-text version of the password
> in order to hash and validate the nonce tokens.
>
>
>> How does Squid manage encrypted passwords with the digest method?
>
> Squid is not aware of the passwords. Just a nonce token that gets passed
> around. Squid acts like a blind relay between the client browser and auth
> server. This is true for all auth methods Squid supports.
>
>> Any other ideas?
>
> If you want better security than digest look at Kerberos, which is fully
> encrypted with tokens not related to the password.
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.12
>  Beta testers wanted for 3.2.0.7 and 3.1.12.1
>

-- 
Salu2 ;)
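To illustrate the helper idea in the message above and Amos's point that Squid only relays nonce tokens, here is an added example (not code from the thread or from the Squid project). It assumes the Squid 2.7 digest helper line format of `"user":"realm"` in and the HA1 hex digest or `ERR` out, and uses a constructed in-memory dictionary in place of the LDAP directory; both are assumptions.

```python
import hashlib
import hmac
import sys

# Constructed stand-in for the LDAP directory. The helper must be able to
# recover the plain password, which is the storage requirement the thread
# discusses: HA1 cannot be derived from an SSHA hash.
PLAINTEXT_STORE = {"alice": "correct horse", "bob": "s3cret"}


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password), the only secret the proxy side needs."""
    return md5_hex(f"{user}:{realm}:{password}")


def helper_reply(line: str) -> str:
    """Answer one request of the form "user":"realm" (assumed 2.7 helper
    format). Returns the 32-hex-char HA1, or ERR if the user is unknown."""
    parts = line.strip().split('":"', 1)
    if len(parts) != 2:
        return "ERR"
    user, realm = parts[0].lstrip('"'), parts[1].rstrip('"')
    password = PLAINTEXT_STORE.get(user)
    if password is None:
        return "ERR"
    return ha1(user, realm, password)


def digest_response(h1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri))."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{ha2}")


def verify(user: str, realm: str, method: str, uri: str,
           nonce: str, client_response: str) -> bool:
    """What the proxy does with the helper's answer: recompute the client's
    response from HA1 and the nonce, never seeing the password itself."""
    h1 = helper_reply(f'"{user}":"{realm}"')
    if h1 == "ERR":
        return False
    return hmac.compare_digest(digest_response(h1, method, uri, nonce),
                               client_response)


if __name__ == "__main__":
    # Helper loop: one request line in, one answer line out.
    for request in sys.stdin:
        print(helper_reply(request), flush=True)
```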
Received on Thu May 26 2011 - 16:00:34 MDT