Re: [squid-users] Re: secure authentication on squid

From: Jose Araujo <[email protected]>
Date: Thu, 21 Nov 2002 13:18:21 +0000

Ilya wrote:

>> Maybe i am being a bad person, but everything (and more) you need to
>> know about digest is in the RFC, they can be found on:
>>
>> HTTP basic and Digest auth: http://www.ietf.org/rfc/rfc2617.txt
>
>
> Thanks, I`ll read. But it is more interesting: how can I tune squid to
> use digest authentication?
> And one more. If squid was tuned to use digest auth, then it
> saves/looks for username/password in its database. Or am I wrong? You
> know, in my situation username/password are stored on LDAP server, and
> squid checks them using external program(authentication_program)

That is my setup, but i can't use digest, because squid needs access to
the plaintext password, and our LDAP database stores only encrypted
passwords :-(.

If you check the Digest auth script on "helpers/digest_auth/password"
from squid 2.5S1 source code, you can see in the last lines:

            DigestCalcHA1("md5", user, realm, u->passwd, NULL, NULL,
HA1, HHA1);
            printf("%s\n", HHA1);

With the DigestCalcHA1, the script creates a hash and sends it to the
proxy (the user, realm and u->password (user password) are all in plaintext.

If the hash is equal to the client generated hash, then the request is
allowed.

> wbr
> Ilya.

That is my problem, how to generate the hash for a user without knowing
it's password ?

I'd love to help develop a digest auth with an LDAP backend, does anyone
have any ideas ?

Jose Araujo
Received on Thu Nov 21 2002 - 09:40:06 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:11:26 MST