Re: [squid-users] htpasswd+ncsa_auth

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 29 May 2003 15:55:00 +0200

On Thursday 29 May 2003 15.08, Allen Miller wrote:

> For grins, I used the -m option (force MD5 encryption) with
> htpasswd, but I could never get authenticated using IE6.

-m uses MD5 hashes which the ncsa_auth shipped with Squid-2.5 and
earlier does not understand. For this to work you must use the
ncsa_auth helper from Squid-3.

> My goal is to allow users to change their Squid password via a web
> interface, not be limited to 8 chars, and not to send username and
> password info in the clear.

For the first part you can use MD5 hashes (-m option to htpasswd and
the ncsa_auth helper from Squid-3).

To fulfill the second part you have to abandon the use of Basic HTTP
authentication and switch to digest authentication which provides
secure exchanges of the user credentials over the network. The Digest
support in Squid-2.5.STABLE3 should be usable with most major
browsers currently on the market (some small amount of
configuration may be needed to work around browser bugs, but the
knobs for doing so are there), but I'd recommend using the
digest_pw_auth helper from Squid-3 for increased security. This
version of the helper supports storing the user passwords in HA1
hashed format instead of plain text.

Note: both the ncsa_auth and digest_pw_auth helpers from Squid-3 work
just fine with Squid-2.5. I do not recommend using Squid-3 in
production, only these helpers from the Squid-3 distribution with an
otherwise Squid-2.5 installation.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Thu May 29 2003 - 08:14:37 MDT
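
Added example, not part of the original message and not Squid's own code: how a verifier that stores only the HA1 hash can still check an HTTP Digest response (RFC 2617, qop=auth), which is why the plain-text password need not be kept. Function names are hypothetical; the sample values are the worked example from RFC 2617 section 3.5.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is what gets stored."""
    return md5_hex(f"{username}:{realm}:{password}")


def expected_response(stored_ha1: str, method: str, uri: str,
                      nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """Recompute the Digest response from the stored HA1 and request fields."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(stored_ha1: str, method: str, fields: dict) -> bool:
    """Check a client's Authorization fields without knowing the password."""
    want = expected_response(stored_ha1, method, fields["uri"], fields["nonce"],
                             fields["nc"], fields["cnonce"], fields["qop"])
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(want, fields["response"])


# Sample request fields taken from the RFC 2617 section 3.5 example.
SAMPLE_FIELDS = {
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "qop": "auth",
    "response": "6629fae49393a05397450978507c4ef1",
}

if __name__ == "__main__":
    # Done once, when the password is set; only the hash is kept afterwards.
    stored = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    print("stored HA1:", stored)
    print("correct password accepted:", verify(stored, "GET", SAMPLE_FIELDS))
    wrong = ha1("Mufasa", "testrealm@host.com", "circle of life")
    print("wrong password accepted:", verify(wrong, "GET", SAMPLE_FIELDS))
```

The stored HA1 is enough to answer Digest challenges for that realm, so the file holding it needs the same protection as a password file.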
