Re: [squid-users] ssl'ing squid traffic

From: Sergey Shepshelevich <sergey@dont-contact.us>
Date: Fri, 25 Mar 2005 21:02:06 +0300

On Tue, Mar 15, 2005 at 03:33:35PM +0100, Henrik Nordstrom wrote:
> On Tue, 15 Mar 2005, Sergey Shepshelevich wrote:
>
> >1. squid + digest_pw_auth. In this case we have to use HTTP digest, but
> >at the moment we are storing users' passwords in openldap directory as
> >_crypted_ attribute "userPassword".
> >At the same time, to use the digest authorization we have to store
> >MD5(username:realm:password), but it's difficult in our environment.
>
> Difficult in most environments.
>
> >Storing clear password in openldap directory also is not a case.
>
> Unfortunately the only approach which is "future safe" wrt introducing new
> secure authentication methods without forcing all users to change their
> password to have the password hashes recalculated.
>
> >Does anyone know if there are any working schemas utilizing openldap +
> >HTTP digest auth?
>
> I have a digest auth helper querying LDAP for the hash, but as you noted
> above this requires either Digest MD5 hashes or plain text passwords in
> the directory..

 Do you store MD5(username:realm:password) in the LDAP directory?
 There is a problem with passwords ...

 If using MD5(username:realm:password) as userPassword, other programs can't work.

 Is it possible to use 'sasl2 + squid + openldap' with one attribute 'userPassword'
 containing MD5(username:realm:password)?

 
 I read 'Using Digest Authentication as a SASL Mechanism'
 http://www.faqs.org/rfcs/rfc2831.html

  //3.10 Storing passwords
  //Digest authentication requires that the authenticating agent (usually
  //the server) store some data derived from the user's name and password
  //in a "password file" associated with a given realm. Normally this
  //might contain pairs consisting of username and H({ username-value,
  // ":", realm-value, ":", passwd }), which is adequate to compute H(A1)
  //as described above without directly exposing the user's password.

 and can't say, maybe because the interface between the digest helper and squid is not clear to me.

 
 

Thanks,

-- 
Sergey Shepshelevich
Ulyanovsk State Technical University
NOC, System administrator
Received on Fri Mar 25 2005 - 11:02:38 MST