Re: squid + digest ldap + password


On 26/05/11 01:36, Maximiliano de Mattos wrote:
Hi...  :)

I use squid v2.7 with ldap_auth authentication storing password as ssha hash.

Now, I want to have digest ldap authentication, so I recompile squid
and configure auth_param to use this helper and configure them.

So, testing digest_ldap_auth, all are ok (or I think) :)

<snip>

The password value must be stored on ldap server in clear text mode? :(

Yes. Seems to be a flaw in LDAP digest implementation.

If you are lucky your LDAP server will have reversible encryption of the passwords for storage, to improve a bit over open plain text storage. But Digest-MD5 requires each end to know the plain-text version of the password in order to hash and validate the nonce tokens.


How squid manage encrypted passwords with digest method?

Squid is not aware of the passwords. Just a nonce token that gets passed around. Squid acts like a blind relay between the client browser and auth server. This is true for all auth methods Squid supports.

Any other ideas?

If you want better security than digest, look at Kerberos, which is fully encrypted with tokens not related to the password.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1

