
Re: squid and blank/empty passwords?


 



ons 2006-04-05 klockan 21:44 -0400 skrev Scott Ehrlich:
> I am trying to establish blank passwords for some squid accounts, using 
> htpasswd /etc/squid/squid_passwd name_of_user
> 
> When prompted for a password, I just hit enter twice.   The squid_passwd file 
> still shows an encrypted password.   I've tried to delete it, leaving just the 
> username and colon, but I cannot seem to get a blank password.

Even a blank password has a hash looking just the same as a non-blank
password hash.

> What is the magic?

You will need to change the source somewhat. Both Squid and ncsa_auth
deny blank passwords without even looking into the password file. The
attached patch should "fix" this for ncsa_auth. Make sure to read
squid.conf.default after applying the patch as it adds a new auth_param
basic option for enabling blank passwords.

Regards
Henrik
Index: helpers/basic_auth/NCSA/ncsa_auth.c
===================================================================
RCS file: /cvsroot/squid/squid/helpers/basic_auth/NCSA/ncsa_auth.c,v
retrieving revision 1.1.2.4
diff -u -p -r1.1.2.4 ncsa_auth.c
--- helpers/basic_auth/NCSA/ncsa_auth.c	22 Apr 2005 20:29:29 -0000	1.1.2.4
+++ helpers/basic_auth/NCSA/ncsa_auth.c	6 Apr 2006 12:14:09 -0000
@@ -126,14 +126,13 @@ main(int argc, char **argv)
 		change_time = sb.st_mtime;
 	    }
 	}
-	if ((user = strtok(buf, " ")) == NULL) {
-	    printf("ERR\n");
-	    continue;
-	}
-	if ((passwd = strtok(NULL, "")) == NULL) {
+	user = buf;
+	passwd = strchr(buf, ' ');
+	if (!passwd) {
 	    printf("ERR\n");
 	    continue;
 	}
+	*passwd++ = '\0';
 	rfc1738_unescape(user);
 	rfc1738_unescape(passwd);
 	u = hash_lookup(hash, user);
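Review bot: Splitting at the first space with `strchr` lets a request line that begins with a space through with an empty username, which the removed `strtok(buf, " ")` call never produced; rejecting it up front keeps `hash_lookup` from being called with an empty key: `if (!passwd || passwd == buf) {`. The helper also now hands an empty password to the comparison that follows this hunk for every caller, so the only remaining gate is the Squid-side `blankpassword` option. A comment above the `strchr` line such as `/* an empty password is accepted here; Squid refuses it earlier unless auth_param basic blankpassword is on */` would record that dependency. The main loop continues outside the hunk, so how an empty password is compared against the stored hash is not visible here.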
Index: src/cf.data.pre
===================================================================
RCS file: /cvsroot/squid/squid/src/cf.data.pre,v
retrieving revision 1.245.2.104
diff -u -p -r1.245.2.104 cf.data.pre
--- src/cf.data.pre	25 Feb 2006 23:01:45 -0000	1.245.2.104
+++ src/cf.data.pre	6 Apr 2006 12:14:10 -0000
@@ -1357,6 +1357,11 @@ DOC_START
 	makes a big difference for user_max_ip ACL processing and similar.
 	auth_param basic casesensitive off
 
+	"blankpassword" on|off
+	Specifies if blank passwords should be supported. Defaults to off
+	as there is multiple authentication backends which handles blank
+	passwords as "guest" access.
+
 	=== Parameters for the digest scheme follow ===
 
 	"program" cmdline
Index: src/auth/basic/auth_basic.c
===================================================================
RCS file: /cvsroot/squid/squid/src/auth/basic/auth_basic.c,v
retrieving revision 1.14.2.10
diff -u -p -r1.14.2.10 auth_basic.c
--- src/auth/basic/auth_basic.c	22 Apr 2005 20:29:31 -0000	1.14.2.10
+++ src/auth/basic/auth_basic.c	6 Apr 2006 12:14:10 -0000
@@ -313,11 +313,12 @@ authBasicCfgDump(StoreEntry * entry, con
 	storeAppendPrintf(entry, " %s", list->key);
 	list = list->next;
     }
-    storeAppendPrintf(entry, "\n%s %s realm %s\n%s %s children %d\n%s %s credentialsttl %d seconds\n%s %s casesensitive %s\n",
+    storeAppendPrintf(entry, "\n%s %s realm %s\n%s %s children %d\n%s %s credentialsttl %d seconds\n%s %s casesensitive %s\n%s %s blankpassword %s\n",
 	name, "basic", config->basicAuthRealm,
 	name, "basic", config->authenticateChildren,
 	name, "basic", (int) config->credentialsTTL,
-	name, "basic", config->casesensitive ? "on" : "off");
+	name, "basic", config->casesensitive ? "on" : "off",
+	name, "basic", config->blankpassword ? "on" : "off");
 
 }
 
@@ -348,6 +349,8 @@ authBasicParse(authScheme * scheme, int 
 	parse_time_t(&basicConfig->credentialsTTL);
     } else if (strcasecmp(param_str, "casesensitive") == 0) {
 	parse_onoff(&basicConfig->casesensitive);
+    } else if (strcasecmp(param_str, "blankpassword") == 0) {
+	parse_onoff(&basicConfig->blankpassword);
     } else {
 	debug(28, 0) ("unrecognised basic auth scheme parameter '%s'\n", param_str);
     }
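Review bot: The new `blankpassword` flag gets no explicit default in this hunk, so "off" depends on the basic config struct being zero-filled when it is allocated, which happens outside the visible lines. Off is the fail-closed value, so it is worth either setting it explicitly wherever the scheme's other defaults are initialised, e.g. `basicConfig->blankpassword = 0;`, or confirming that the allocator zeroes the struct. authBasicParse starts and ends outside the hunk.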
@@ -462,7 +465,7 @@ authenticateBasicDecodeAuth(auth_user_re
 	    proxy_auth);
 	local_basic.passwd = NULL;
 	auth_user_request->message = xstrdup("no password was present in the HTTP [proxy-]authorization header. This is most likely a browser bug");
-    } else if (*cleartext == '\0') {
+    } else if (*cleartext == '\0' && !basicConfig->blankpassword) {
 	debug(29, 4) ("authenticateBasicDecodeAuth: Disallowing empty password,"
 	    "user is '%s'\n", local_basic.username);
 	local_basic.passwd = NULL;
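Review bot: The relaxed test `*cleartext == '\0' && !basicConfig->blankpassword` has no comment saying why empty passwords are refused by default, and that reason is the security-relevant part of the change. Something like `/* empty passwords are refused unless blankpassword is on: several auth backends treat them as "guest" access */` above the branch would carry the rationale from cf.data.pre into the code. With the option on, an empty password skips this level-4 debug message and falls through to a branch outside the hunk, so an accepted empty password may leave no log trace unless that branch records it.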
Index: src/auth/basic/auth_basic.h
===================================================================
RCS file: /cvsroot/squid/squid/src/auth/basic/auth_basic.h,v
retrieving revision 1.3.2.2
diff -u -p -r1.3.2.2 auth_basic.h
--- src/auth/basic/auth_basic.h	17 Jul 2004 19:53:25 -0000	1.3.2.2
+++ src/auth/basic/auth_basic.h	6 Apr 2006 12:14:10 -0000
@@ -42,6 +42,7 @@ struct _auth_basic_config {
     wordlist *authenticate;
     time_t credentialsTTL;
     int casesensitive;
+    int blankpassword;
 };
 
 typedef struct _auth_basic_config auth_basic_config;

Attachment: signature.asc
Description: Detta är en digitalt signerad meddelandedel

