ons 2006-04-05 klockan 21:44 -0400 skrev Scott Ehrlich:
> I am trying to establish blank passwords for some squid accounts, using
> htpasswd /etc/squid/squid_passwd name_of_user
>
> When prompted for a password, I just hit enter twice. The squid_passwd file
> still shows an encrypted password. I've tried to delete it, leaving just the
> username and colon, but I cannot seem to get a blank password.

Even a blank password has a hash looking just the same as a non-blank password hash.

> What is the magic?

You will need to change the source somewhat. Both Squid and ncsa_auth deny blank passwords without even looking into the password file.

The attached patch should "fix" this for ncsa_auth. Make sure to read squid.conf.default after applying the patch as it adds a new auth_param basic option for enabling blank passwords.

Regards
Henrik
Index: helpers/basic_auth/NCSA/ncsa_auth.c
===================================================================
RCS file: /cvsroot/squid/squid/helpers/basic_auth/NCSA/ncsa_auth.c,v
retrieving revision 1.1.2.4
diff -u -p -r1.1.2.4 ncsa_auth.c
--- helpers/basic_auth/NCSA/ncsa_auth.c 22 Apr 2005 20:29:29 -0000 1.1.2.4
+++ helpers/basic_auth/NCSA/ncsa_auth.c 6 Apr 2006 12:14:09 -0000
@@ -126,14 +126,13 @@ main(int argc, char **argv)
 change_time = sb.st_mtime;
 }
 }
- if ((user = strtok(buf, " ")) == NULL) {
- printf("ERR\n");
- continue;
- }
- if ((passwd = strtok(NULL, "")) == NULL) {
+ user = buf;
+ passwd = strchr(buf, ' ');
+ if (!passwd) {
 printf("ERR\n");
 continue;
 }
+ *passwd++ = '\0';
 rfc1738_unescape(user);
 rfc1738_unescape(passwd);
 u = hash_lookup(hash, user);
Index: src/cf.data.pre
===================================================================
RCS file: /cvsroot/squid/squid/src/cf.data.pre,v
retrieving revision 1.245.2.104
diff -u -p -r1.245.2.104 cf.data.pre
--- src/cf.data.pre 25 Feb 2006 23:01:45 -0000 1.245.2.104
+++ src/cf.data.pre 6 Apr 2006 12:14:10 -0000
@@ -1357,6 +1357,11 @@ DOC_START
 makes a big difference for user_max_ip ACL processing and similar.
 auth_param basic casesensitive off
+ "blankpassword" on|off
+ Specifies if blank passwords should be supported. Defaults to off
+ as there is multiple authentication backends which handles blank
+ passwords as "guest" access.
+
 === Parameters for the digest scheme follow ===
 "program" cmdline
Index: src/auth/basic/auth_basic.c
===================================================================
RCS file: /cvsroot/squid/squid/src/auth/basic/auth_basic.c,v
retrieving revision 1.14.2.10
diff -u -p -r1.14.2.10 auth_basic.c
--- src/auth/basic/auth_basic.c 22 Apr 2005 20:29:31 -0000 1.14.2.10
+++ src/auth/basic/auth_basic.c 6 Apr 2006 12:14:10 -0000
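Review bot: In the rewritten split in ncsa_auth's main loop, a request line that begins with a space is now parsed as an empty `user`, because `strchr` does not skip leading delimiters the way `strtok(buf, " ")` did. If an empty username should never reach `hash_lookup`, the guard could read `if (!passwd || passwd == buf) {`. The helper also passes an empty password through unconditionally after this change, so the only gate left is Squid's `blankpassword` check; a comment above the split such as `/* empty password is allowed here; Squid gates it with auth_param basic blankpassword */` would record that. The loop and the hash comparison are outside the hunk, so how an entry with an empty hash field compares should be confirmed there.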
@@ -313,11 +313,12 @@ authBasicCfgDump(StoreEntry * entry, con
 storeAppendPrintf(entry, " %s", list->key);
 list = list->next;
 }
- storeAppendPrintf(entry, "\n%s %s realm %s\n%s %s children %d\n%s %s credentialsttl %d seconds\n%s %s casesensitive %s\n",
+ storeAppendPrintf(entry, "\n%s %s realm %s\n%s %s children %d\n%s %s credentialsttl %d seconds\n%s %s casesensitive %s\n%s %s blankpassword %s\n",
 name, "basic", config->basicAuthRealm,
 name, "basic", config->authenticateChildren,
 name, "basic", (int) config->credentialsTTL,
- name, "basic", config->casesensitive ? "on" : "off");
+ name, "basic", config->casesensitive ? "on" : "off",
+ name, "basic", config->blankpassword ? "on" : "off");
 }
@@ -348,6 +349,8 @@ authBasicParse(authScheme * scheme, int
 parse_time_t(&basicConfig->credentialsTTL);
 } else if (strcasecmp(param_str, "casesensitive") == 0) {
 parse_onoff(&basicConfig->casesensitive);
+ } else if (strcasecmp(param_str, "blankpassword") == 0) {
+ parse_onoff(&basicConfig->blankpassword);
 } else {
 debug(28, 0) ("unrecognised basic auth scheme parameter '%s'\n", param_str);
 }
@@ -462,7 +465,7 @@ authenticateBasicDecodeAuth(auth_user_re
 proxy_auth);
 local_basic.passwd = NULL;
 auth_user_request->message = xstrdup("no password was present in the HTTP [proxy-]authorization header. This is most likely a browser bug");
- } else if (*cleartext == '\0') {
+ } else if (*cleartext == '\0' && !basicConfig->blankpassword) {
 debug(29, 4) ("authenticateBasicDecodeAuth: Disallowing empty password,"
 "user is '%s'\n", local_basic.username);
 local_basic.passwd = NULL;
Index: src/auth/basic/auth_basic.h
===================================================================
RCS file: /cvsroot/squid/squid/src/auth/basic/auth_basic.h,v
retrieving revision 1.3.2.2
diff -u -p -r1.3.2.2 auth_basic.h
--- src/auth/basic/auth_basic.h 17 Jul 2004 19:53:25 -0000 1.3.2.2
+++ src/auth/basic/auth_basic.h 6 Apr 2006 12:14:10 -0000
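Review bot: The new `blankpassword` branch in authBasicParse relies on the flag starting out as off, but nothing in this hunk sets a default; the place where `basicConfig` is allocated and given its other defaults is outside the hunk. If that allocation is not zero-filled, the flag would be indeterminate and empty passwords could be accepted without the option ever being configured, so an explicit `basicConfig->blankpassword = 0;` beside the existing defaults would make the fail-closed default visible. Because the option weakens authentication, a one-line notice when it is turned on, for example `debug(28, 1) ("basic auth: blank passwords are enabled\n");`, would help an operator spot it in the log.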
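Review bot: With `blankpassword` on, the relaxed test in authenticateBasicDecodeAuth lets an empty password through to whatever basic helper is configured, not only the patched ncsa_auth, and the cf.data.pre text in this same patch says several backends treat a blank password as guest access. On such a backend an empty password may authenticate for any username, so the condition deserves a comment stating the dependency, e.g. `/* blank passwords reach the helper only when enabled; the helper must not map them to guest access */`. The surrounding if/else chain begins and ends outside the hunk, so the branch that handles the accepted empty password could not be checked here.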
@@ -42,6 +42,7 @@ struct _auth_basic_config {
 wordlist *authenticate;
 time_t credentialsTTL;
 int casesensitive;
+ int blankpassword;
 };
 typedef struct _auth_basic_config auth_basic_config;