Re: [squid-users] Pass through Digest Authentication

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 15 Jun 2003 01:10:49 +0200

On Sunday 15 June 2003 00.21, Steven Sporen wrote:

> I'm trying to understand how the digest authentication was
> implemented within Squid, specifically how does Squid calculate the
> hash to compare to what the client sent through if the nonce value
> is changed per session?

Squid asks the helper for the HA1 value of the user+realm, then
applies the digest algorithm to this per request.

> Is it possible to have squid pass through the digest
> proxy-authentication request directly to a web server which would
> perform the authentication allowing or denying access to the
> browsing through the cache? I would like to have squid authenticate
> against an IIS server.

Not easily. For this you basically have to replace the digest
implementation in Squid with a dummy layer just relaying all
authentication to the IIS server on each and every request.

What might be possible to add in a reasonable manner is an
interface whereby the helper can query an external password source
for the MD5-sess HA1 value, or alternatively the H() part of the
MD5-sess A1 value (or MD5 HA1 value if communication is secure, but
this is not recommended for security reasons). The problem is to find
a password database that is willing to give this information, allowing
Squid to perform digest operations.

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Sat Jun 14 2003 - 17:09:31 MDT
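
The per-request check described in the reply above, as an added example that is neither Squid's code nor part of the original message: the helper supplies only HA1 for user+realm, and the proxy recomputes the expected response for whatever nonce the request carries. All function names are hypothetical; the formulas are the RFC 2617 ones for qop=auth, and the sample request is constructed from that RFC's example values.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def helper_ha1(user, realm, password):
    # Stand-in for the helper's answer: H(user:realm:password).
    # The proxy itself never sees the cleartext password.
    return md5_hex(f"{user}:{realm}:{password}")

def session_ha1(base_ha1, nonce, cnonce):
    # MD5-sess: HA1 = H(H(user:realm:password):nonce:cnonce), so the value
    # is tied to one nonce/cnonce pair instead of being valid for any nonce.
    return md5_hex(f"{base_ha1}:{nonce}:{cnonce}")

def expected_response(ha1, method, req):
    # qop=auth: H(HA1:nonce:nc:cnonce:qop:H(method:uri))
    ha2 = md5_hex(f"{method}:{req['uri']}")
    return md5_hex(f"{ha1}:{req['nonce']}:{req['nc']}:{req['cnonce']}:{req['qop']}:{ha2}")

def verify(req, method, ha1):
    # ha1 is the plain H(user:realm:password) value obtained from the helper.
    if req.get("algorithm", "MD5").lower() == "md5-sess":
        ha1 = session_ha1(ha1, req["nonce"], req["cnonce"])
    # Constant-time comparison of the recomputed and received digests.
    return hmac.compare_digest(expected_response(ha1, method, req), req["response"])

# Constructed request fields, using the RFC 2617 example values.
SAMPLE = {
    "uri": "/dir/index.html", "qop": "auth", "nc": "00000001",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}
STORED_HA1 = helper_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")

def client_response(req, method, password, user="Mufasa", realm="testrealm@host.com"):
    # What a client holding the password would send for these fields.
    ha1 = helper_ha1(user, realm, password)
    if req.get("algorithm", "MD5").lower() == "md5-sess":
        ha1 = session_ha1(ha1, req["nonce"], req["cnonce"])
    return expected_response(ha1, method, req)

if __name__ == "__main__":
    print("RFC sample accepted:", verify(SAMPLE, "GET", STORED_HA1))
    fresh = dict(SAMPLE, nonce="constructed-new-nonce")
    fresh["response"] = client_response(fresh, "GET", "Circle Of Life")
    print("new nonce, same stored HA1:", verify(fresh, "GET", STORED_HA1))
```

Because the same stored HA1 verifies a response for any nonce, the plain MD5 HA1 is a password equivalent within its realm, whereas the MD5-sess value is only usable with the nonce/cnonce pair it was derived from.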
