
Re: [squid-users] ssl'ing squid trafic


 



On Tue, 15 Mar 2005, Sergey Shepshelevich wrote:

> 1. squid + digest_pw_auth. In this case we have to use HTTP digest, but at the moment
> we are storing users' passwords in openldap directory as _crypted_ attribute "userPassword".
> At the same time, to use the digest authorization we have to store
> MD5(username:realm:password), but it's difficult in our environment.

Difficult in most environments.

> Storing clear password in openldap directory also is not a case.

Unfortunately the only approach which is "future safe" wrt introducing new secure authentication methods without forcing all users to change their password to have the password hashes recalculated.

> Does anyone know if there are any working schemas utilizing openldap + HTTP digest auth?

I have a digest auth helper querying LDAP for the hash, but as you noted above this requires either Digest MD5 hashes or plain text passwords in the directory.

> 2. HTTPS connection between proxy server and end-user's browser. This way we encrypt all traffic with no differences for HTTP/FTP/HTTPS. User's password is also encrypted because it's transferred after the secure channel has been initiated.
>
> It's also better than variant (1) because all content is encrypted and we can avoid man-in-the-middle attacks.

Problem is that there is no known browser supporting SSL encryption of proxy connections, but if you find one then this will work just fine.

What you may be able to implement with today's browsers is a form of session login concept authenticating the user's IP. For this you need an HTTPS server, capable of talking to your Squid ACLs somehow (either by reconfiguring, or by using an external ACL) allowing the HTTPS server to register the user's IP as "authenticated" for Squid.

Regards
Henrik
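
The session-login idea from the reply above, sketched as a Squid external ACL helper (an added example, not code from this thread or from the Squid project). The session file, its `ip login_epoch` record format, the 15-minute lifetime and the helper path are assumptions; the HTTPS login server is assumed to append a record after each successful login.

```python
#!/usr/bin/env python3
# Assumed squid.conf wiring (paths are hypothetical):
#   external_acl_type session_ip ttl=30 %SRC /usr/local/bin/session_helper.py /var/run/proxy_sessions
#   acl logged_in external session_ip
#   http_access allow logged_in
import sys
import time

SESSION_TTL = 900  # seconds a login stays valid (assumed policy)

# Constructed sample records, in the assumed "ip login_epoch" format.
SAMPLE_SESSIONS = ["192.0.2.10 1000", "192.0.2.11 100", "not-a-record"]

def load_sessions(lines):
    """Parse session records, skipping malformed lines."""
    sessions = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            sessions[parts[0]] = float(parts[1])
        except ValueError:
            continue
    return sessions

def decide(request_line, sessions, now):
    """Answer one helper request; the line carries the %SRC client address."""
    fields = request_line.split()
    if not fields:
        return "ERR"
    login_time = sessions.get(fields[0])
    # Reject unknown addresses, expired logins and timestamps in the future.
    if login_time is None or not 0 <= now - login_time <= SESSION_TTL:
        return "ERR"
    return "OK"

def serve(session_path, stdin=sys.stdin, stdout=sys.stdout):
    """Helper loop: one request line in, one OK/ERR line out, flushed."""
    for request_line in stdin:
        try:
            with open(session_path) as fh:
                sessions = load_sessions(fh)
        except OSError:
            sessions = {}  # fail closed if the session file is unreadable
        stdout.write(decide(request_line, sessions, time.time()) + "\n")
        stdout.flush()

if __name__ == "__main__":
    serve(sys.argv[1])
```

Because the decision is keyed on source address alone, every client behind the same NAT gateway or on the same multi-user host inherits the login, so the session lifetime should stay short.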
