Thanks Amos!

Now I am trying with Squid v3; if I remember correctly, I think I saw a post saying that this version can manage hashed pwds... but now I can't find it :(

Otherwise, I am thinking of implementing a helper that does this authentication (taking user + password in clear text as parameters) and, if it is correct, returns to digest the result of MD5(user:realm:pwd in clear text mode)... or ERR otherwise...

Thanks again!

2011/5/26 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
> On 26/05/11 01:36, Maximiliano de Mattos wrote:
>>
>> Hi... :)
>>
>> I use squid v2.7 with ldap_auth authentication storing password as ssha
>> hash.
>>
>> Now, I want to have digest ldap authentication, so I recompile squid
>> and configure auth_param to use this helper and configure them.
>>
>> So, testing digest_ldap_auth, all are ok (or I think) :)
>>
> <snip>
>>
>> The password value must be stored on ldap server in clear text mode? :(
>
> Yes. Seems to be a flaw in LDAP digest implementation.
>
> If you are lucky your LDAP server will have reversible encryption of the
> passwords for storage, to improve a bit over open plain text storage. But
> Digest-MD5 requires each end to know the plain-text version of the password
> in order to hash and validate the nonce tokens.
>
>
>> How does squid manage encrypted passwords with digest method?
>
> Squid is not aware of the passwords. Just a nonce token that gets passed
> around. Squid acts like a blind relay between the client browser and auth
> server. This is true for all auth methods Squid supports.
>
>> Any other ideas?
>
> If you want better security than digest look at Kerberos. Which is fully
> encrypted with tokens not related to the password.
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE9 or 3.1.12
>   Beta testers wanted for 3.2.0.7 and 3.1.12.1
>

--
Salu2 ;)