Re: [squid-users] squid + digest ldap + password

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 27 May 2011 01:40:21 +1200

On 26/05/11 01:36, Maximiliano de Mattos wrote:
> Hi... :)
>
> I use squid v2.7 with ldap_auth authentication, storing passwords as SSHA hashes.
>
> Now, I want to have digest LDAP authentication, so I recompile squid
> and configure auth_param to use this helper and configure it.
>
> So, testing digest_ldap_auth, all is ok (or so I think) :)
>
<snip>
>
> Must the password value be stored on the LDAP server in clear text? :(

Yes. Seems to be a flaw in the LDAP digest implementation.

If you are lucky your LDAP server will have reversible encryption of the
passwords for storage, to improve a bit over open plain-text storage.
But Digest-MD5 requires each end to know the plain-text version of the
password in order to hash and validate the nonce tokens.

> How does squid manage encrypted passwords with the digest method?

Squid is not aware of the passwords, just a nonce token that gets passed
around. Squid acts like a blind relay between the client browser and the
auth server. This is true for all auth methods Squid supports.

> Any other ideas?

If you want better security than digest, look at Kerberos, which is fully
encrypted with tokens not related to the password.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1
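To make concrete why a Digest helper cannot work from an {SSHA} attribute, here is an added example (not code from this thread, nor from Squid's digest_ldap_auth) that walks the RFC 2617 computation on both sides. The credentials alice / squid / s3cret, the nonces and the URI are constructed for the demonstration. It shows three things: the browser answers the server's nonce with a response derived from HA1 = MD5(user:realm:password); the helper can only check that response if it can obtain HA1, which it can from a clear-text password or from a pre-stored HA1 (a form RFC 2617 explicitly allows, bound to one realm but still password-equivalent for it; whether any given helper accepts that form is outside this message); and a salted SHA-1 of the password gives the helper neither, since the exchange never delivers the plaintext that an LDAP bind would need. A replay under a fresh nonce is also shown to fail, which is the "nonce token that gets passed around".

```python
import base64
import hashlib
import hmac
import os

# Constructed credentials for the demonstration (assumed, not from the thread).
USER, REALM, PASSWORD = "alice", "squid", "s3cret"


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password). This is the only
    password-derived value either side of the Digest exchange ever needs."""
    return md5hex(f"{user}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    """RFC 2617 HA2 for qop=auth: MD5(method:digest-uri)."""
    return md5hex(f"{method}:{uri}")


def digest_response(h1, nonce, nc, cnonce, qop, h2) -> str:
    """request-digest = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def client_authorization(user, realm, password, method, uri, nonce, cnonce,
                         nc="00000001", qop="auth") -> dict:
    """Browser side: it holds the plaintext, derives HA1 and answers the
    server's nonce. Only these fields travel over the wire, never the password."""
    return {
        "username": user, "realm": realm, "nonce": nonce, "uri": uri,
        "qop": qop, "nc": nc, "cnonce": cnonce,
        "response": digest_response(ha1(user, realm, password), nonce, nc,
                                    cnonce, qop, ha2(method, uri)),
    }


def server_verify_with_ha1(stored_ha1: str, auth: dict, method: str) -> bool:
    """Helper side when it can obtain HA1: either the directory holds the
    clear-text password (HA1 is computed from it) or a pre-computed HA1."""
    expected = digest_response(stored_ha1, auth["nonce"], auth["nc"],
                               auth["cnonce"], auth["qop"],
                               ha2(method, auth["uri"]))
    return hmac.compare_digest(expected, auth["response"])


def ssha_hash(password: str, salt=None) -> str:
    """OpenLDAP-style {SSHA}: base64(SHA1(password || salt) || salt)."""
    salt = salt if salt is not None else os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_check(stored: str, password: str) -> bool:
    """What an LDAP simple bind does: it needs the plaintext to recompute."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def server_verify_with_ssha(stored_ssha: str, auth: dict, method: str):
    """Helper side when the directory holds only {SSHA}. The Digest exchange
    carries no plaintext to feed ssha_check(), and SHA1(password || salt)
    cannot be turned into MD5(user:realm:password), so HA1 is unobtainable.
    Returns None: the request is undecidable, not merely rejected."""
    return None


def rfc2617_example_response() -> str:
    """Sanity check against the worked example in RFC 2617 section 3.5."""
    auth = client_authorization("Mufasa", "testrealm@host.com", "Circle Of Life",
                                "GET", "/dir/index.html",
                                "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b")
    return auth["response"]


def demo() -> dict:
    nonce, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b"
    auth = client_authorization(USER, REALM, PASSWORD, "GET", "/", nonce, cnonce)
    stored_ha1 = ha1(USER, REALM, PASSWORD)          # clear text or pre-stored HA1
    stored_ssha = ssha_hash(PASSWORD, b"s@lt")        # what the OP has today
    return {
        "plaintext_or_ha1_in_ldap": server_verify_with_ha1(stored_ha1, auth, "GET"),
        "wrong_password_in_ldap": server_verify_with_ha1(ha1(USER, REALM, "nope"), auth, "GET"),
        "ssha_in_ldap": server_verify_with_ssha(stored_ssha, auth, "GET"),
        # Same Authorization header presented after the server issued a new nonce.
        "replayed_under_new_nonce": server_verify_with_ha1(
            stored_ha1, dict(auth, nonce="fresh-nonce-from-server"), "GET"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical consequence for the thread: the attribute a Digest helper reads must hold either the clear-text password or HA1 for the realm in question, and whichever is chosen is password-equivalent for that realm, so the LDAP ACL on that attribute deserves the same care as the password itself.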
Received on Thu May 26 2011 - 13:40:29 MDT
