On Tue, 15 Mar 2005, Sergey Shepshelevich wrote:
> 1. squid + digest_pw_auth. In this case we have to use HTTP digest, but at the moment
> we are storing users' passwords in openldap directory as _crypted_ attribute "userPassword".
> At the same time, to use the digest authorization we have to store
> MD5(username:realm:password), but it's difficult in our environment.
Difficult in most environments.
> Storing clear password in openldap directory also is not a case.
Unfortunately the only approach which is "future safe" wrt introducing new
secure authentication methods without forcing all users to change their
password to have the password hashes recalculated.
> Does any one know if there is any working schemas utilizing openldap + HTTP digest auth?
I have a digest auth helper querying LDAP for the hash, but as you noted
above this requires either Digest MD5 hashes or plain text passwords in
the directory..
> 2. HTTPS connection between proxy server and end-user's browser. This
> way we encrypt all traffic with no differences for HTTP/FTP/HTTPS.
> User's password also encrypted because it's trasfered after the secure
> channel has been initiated.
>
> It's also better than variant (1) because all content encrypted and we
> can avoid man in the middle attacks.
Problem is that there is no known browser supporting SSL encryption of
proxy connections, but if you find one then this will work just fine.
What you may be able to imlpement with todays browsers is a form of
session login concept authenticating the users IP. For this you need a
HTTPS server, capable of talking to your Squid acls somehow (either by
reconfiguring, or by using an external acl) allowing the HTTPS server to
register the users IP as "authenticated" for Squid.
Regards
Henrik
Received on Tue Mar 15 2005 - 07:33:40 MST
This archive was generated by hypermail pre-2.1.9 : Fri Apr 01 2005 - 12:00:02 MST