Re: secure basic authentication

On Wed, 18 Jan 2006, Emilio Casbas wrote:

> -basic authentication is insecure by nature.

True.

> -basic authentication + SSL is only secure at logon; because of the stateless nature of HTTP, the subsequent sensitive headers will be sent in clear text.

Not sure I follow what you say entirely.

> -Digest doesn't support LDAP at this moment; it isn't Single Sign On.

True.

LDAP support is available in the digest helper found in Squid-3 (the same helper also works with 2.5). But it requires either the plaintext password or a Digest-specific password hash to be registered in the LDAP tree.

In the future we hope to be able to add integration with Digest-capable authentication services (including MS AD with Digest enabled), but this is a future feature and most likely won't be seen until Squid-3.1 at the earliest. And even then it wouldn't be a single sign-on solution, as the clients do not support Digest single sign-on.

> -NTLM isn't a standard HTTP authentication scheme.

True.

> Then, which is the best and most secure method to implement basic proxy authentication in a proxy environment?

If only clients supported SSL/TLS encryption of proxy connections this would be a great alternative.

Until then Digest or NTLM authentication is the best you can currently get.

Basic:

   + Standard
   + Integrates with anything you can imagine thanks to the username+password exchange.

   - Password transmitted to the proxy, in plain text if the communication channel is not encrypted.

Digest:

   + Standard
   + Supported by nearly all web browsers

   - Hard to integrate with user directory services
   - Not all browsers implement this well.

NTLM:

   + Microsoft "standard"
   + Single-sign-on in Windows environments

   - Not following HTTP standard
   - Noticeable overhead

Negotiate (GSSAPI / Kerberos):

   + Microsoft "standard" and future direction
   + Single-sign-on in Windows environments
   + Not plagued by the huge overhead of NTLM authentication

   - Not supported in Squid-2.5 (patch available)
   - Not supported in Samba-3.x (Samba-4 development snapshots reportedly work.)
   - Not well supported by browsers other than MSIE.
   - Not even MSIE supports it to proxies (only web servers/accelerators)
   - Not following HTTP standard (same design fault as NTLM)

Regards
Henrik
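The difference Henrik draws between Basic and Digest comes down to what crosses the wire and what the proxy has to store. The following Python script is an added illustration, not code from the thread or from Squid: it builds the Proxy-Authorization header each scheme would send, shows that the Basic token yields the password to anyone who sees it on an unencrypted channel, and then verifies a Digest response on the proxy side using only the stored MD5(user:realm:password) hash (the "Digest specific password hash" the reply says must live in the LDAP tree). The realm, user, password, nonce and cnonce values are constructed for the example.

```python
import base64
import hashlib
import hmac
import re

# All values below are constructed for this example, not taken from the thread.
REALM = "Squid proxy-caching web server"
USER = "alice"
PASSWORD = "constructed-example-password"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # would be issued by the proxy
CNONCE = "0a4f113b"                             # would be chosen by the client
NC = "00000001"
METHOD, URI = "GET", "http://example.com/"


def basic_header(user, password):
    """Proxy-Authorization header a browser sends for Basic."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Proxy-Authorization: Basic {token}"


def basic_credentials(header):
    """Base64 is an encoding, not encryption: the header alone yields user:password."""
    token = header.split("Basic ", 1)[1]
    return base64.b64decode(token).decode()


def digest_ha1(user, realm, password):
    """The Digest-specific hash: the only secret the proxy or its LDAP backend must hold."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth, computed from HA1 rather than the password."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()


def digest_header(user, realm, password, method, uri, nonce, nc, cnonce):
    """Proxy-Authorization header the client builds; the password itself never appears."""
    resp = digest_response(digest_ha1(user, realm, password), method, uri, nonce, nc, cnonce)
    return ('Proxy-Authorization: Digest '
            f'username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_digest(header):
    """Split a Digest header into its key=value fields (quoted or bare values)."""
    body = header.split("Digest ", 1)[1]
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', body)
    return {k: quoted or bare for k, quoted, bare in pairs}


def proxy_verify(header, method, stored_ha1_by_user, expected_nonce):
    """Proxy-side check: recompute the response from the stored HA1 and compare
    in constant time; reject a nonce the proxy did not issue for this exchange."""
    f = parse_digest(header)
    ha1 = stored_ha1_by_user.get(f.get("username"))
    if ha1 is None or f.get("nonce") != expected_nonce:
        return False
    expected = digest_response(ha1, method, f["uri"], f["nonce"],
                               f["nc"], f["cnonce"], f.get("qop", "auth"))
    return hmac.compare_digest(expected, f.get("response", ""))


def run_exchange():
    """Walk through both schemes and return what each side can observe or verify."""
    b_hdr = basic_header(USER, PASSWORD)
    d_hdr = digest_header(USER, REALM, PASSWORD, METHOD, URI, NONCE, NC, CNONCE)
    bad_hdr = digest_header(USER, REALM, "wrong-password", METHOD, URI, NONCE, NC, CNONCE)
    directory = {USER: digest_ha1(USER, REALM, PASSWORD)}   # what the LDAP tree would hold
    return {
        "basic_exposes": basic_credentials(b_hdr),
        "digest_contains_password": PASSWORD in d_hdr,
        "digest_ok": proxy_verify(d_hdr, METHOD, directory, NONCE),
        "digest_wrong_password": proxy_verify(bad_hdr, METHOD, directory, NONCE),
        "digest_stale_nonce": proxy_verify(d_hdr, METHOD, directory, "some-other-nonce"),
    }


if __name__ == "__main__":
    for key, value in run_exchange().items():
        print(f"{key}: {value}")
```

Run it directly to see the comparison: the Basic header hands back `alice:constructed-example-password`, while the Digest header carries no password and still verifies against the stored HA1 alone. The flip side, which is exactly Henrik's integration complaint, is visible in `directory`: the proxy needs that realm-bound MD5 hash (or the plaintext password) on file, so a directory that stores only its own native password hashes cannot serve Digest.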
