Re: [squid-users] Re: Joomla DB authentication support hits Squid! :)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 28 May 2010 00:30:11 +1200

Luis Daniel Lucio Quiroz wrote:
> On Saturday 1 May 2010 20:57:22, Amos Jeffries wrote:
>> Luis Daniel Lucio Quiroz wrote:
>>> On Friday 23 April 2010 00:20:13, Amos Jeffries wrote:
>>>> Luis Daniel Lucio Quiroz wrote:
>>>>> On Thursday 22 April 2010 20:09:57, Amos Jeffries wrote:
>>>>>> Luis Daniel Lucio Quiroz wrote:
>>>>>>> On Thursday 22 April 2010 15:49:55, Luis Daniel Lucio Quiroz wrote:
>>>>>>>> Hi all
>>>>>>>>
>>>>>>>> As a requirement of one client, he wants to use joomla user database
>>>>>>>> to let squid authenticate.
>>>>>>>>
>>>>>>>> I did patch squid_db_auth that Henrik has written in order to
>>>>>>>> support joomla hash conditions.
>>>>>>>>
>>>>>>>> I did add one useful option to the script
>>>>>>>>
>>>>>>>> --joomla
>>>>>>>>
>>>>>>>> in order to activate joomla hashing. Other options are identical.
>>>>>>>> Please test :)
>>>>>>>>
>>>>>>>> Amos, I'd like it if you could include this in 3.1.2
>>>>>> Mumble.
>>>>>>
>>>>>> How do other users feel about it? Useful enough to cross the security
>>>>>> bugs and regressions only freeze?
>>>>>>
>>>>>>>> LD
>>>>>>> I have a typo in
>>>>>>> my salt
>>>>>>>
>>>>>>> should be
>>>>>>> my $salt
>>>>>>>
>>>>>>> sorry
>>>>>> Can you make the option --md5 instead please?
>>>>>>
>>>>>> Possibilities are not limited to Joomla and they may change someday.
>>>>>>
>>>>>> The option needs to be added to the documentation sections of the
>>>>>> helper as well.
>>>>>>
>>>>>> Amos
>>>>> I don't get you about "cross the security",
>>>> 3.1 is under feature freeze. Anything not a security fix or regression
>>>> needs to have some good reasons to be committed.
>>>>
>>>> I'm trying to stick to the freeze a little more with 3.1 than with 3.0,
>>>> to get back into the habit of it. Particularly since we look like having
>>>> a good foothold on the track for 12-month releases now.
>>>>
>>>>> What I did is that the --joomla flag does a different SQL request, and
>>>>> because the Joomla hash is like this:
>>>>> hash:salt
>>>>> I did split and compare. By default Joomla uses md5 (I'm not a Joomla
>>>>> master, I don't know when Joomla uses other hashings)
>>>> I intend to use this auth helper myself for other systems, and there are
>>>> others who ask about a DB helper occasionally.
>>>>
>>>>
>>>> Taking a better look at your changes ...
>>>>
>>>> The first one: db_conf = "block = 0" seems to be useless. All it does
>>>> is hard-code a different default value for the --cond option.
>>>>
>>>> For Joomla the squid.conf should instead contain:
>>>> --cond " block=0 "
>>>>
>>>> Which leaves the salted/non-salted hash change.
>>>>
>>>> Adding this:
>>>> --salt-delimiter D
>>>>
>>>> To configure character(s) between the hash and salt values. Will not
>>>> lock people into the specific Joomla syntax of colon. There are
>>>> examples and tutorials out there for app design that use other
>>>> delimiters.
>>>>
>>>> Doing both of those changes Joomla would be configured with:
>>>> ... --cond " block=0 " --salt-delimiter ":"
>>>>> If you want, later I may also add --md5 to store md5 passwords, and
>>>>> --digest-auth to support digest authentication :) but later jejeje
>>>> Amos
>>> Hi
>>> I've just updated my patch to fit 3.1.2
>>>
>>>
>>> I hope this could be included since it is based on today's snapshot.
>>>
>>> Regards,
>>>
>>> LD
>> Thank you.
>>
>> You still have the --joomla flag. I thought you agreed to call it
>> something like the --salt and take the delim character ?
>>
>> Amos
>
> Amos + team,
>
> I was adding salt support and I noticed this line
> return 1 if crypt($password, $key) eq $key;
>
> As far as I know this is impossible, because crypt using a salt won't be eq
> to that key.
> Because there are many scenarios, I left this line in my patch and added
> another to use a static salt.
>
> I also added a --sql option to let the user specify complex queries, as I
> was needing it to work with an INNER JOIN.
>
> I hope you can review it.
>
> LD
>

I have not found the need for --sql in my experience with complex
queries to this helper. Each of the options --usercol, --passcol,
--table and --cond can take whole snippets of SQL double-quoted.

The rest of the patch is accepted. Will be in Squid-3.1.4.

If anyone is interested in further improvements to this helper;
   Loading the parameters from a secure file instead of having the SQL
snippets and DSN login visible on the command line would be useful.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.3
Received on Thu May 27 2010 - 12:30:24 MDT
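
The salted comparison discussed in the thread (a stored "hash:salt" value split on a configurable delimiter), as an added Perl example; it is not code from the squid_db_auth helper or from the patch under review. It assumes the stored value is the MD5 hex digest of the password followed by the salt, then the delimiter, then the salt; check_password, ct_eq and the sample rows are hypothetical names and constructed values.

```perl
#!/usr/bin/perl
# Added example; not the squid_db_auth source. Assumed stored format:
#   md5_hex(password . salt) . DELIM . salt   (Joomla-style "hash:salt")
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Compare two strings without stopping at the first differing byte.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# $delim undef or empty: $stored is a plain, unsalted MD5 hex digest.
# $delim set:            $stored is HASH . $delim . SALT.
sub check_password {
    my ($password, $stored, $delim) = @_;
    return 0 unless defined($stored) && length($stored);
    my ($hash, $salt) = ($stored, '');
    if (defined($delim) && length($delim)) {
        # Split at the first delimiter; the salt itself may contain it.
        my $pos = index($stored, $delim);
        return 0 if $pos < 0;    # row is not in salted form: fail closed
        $hash = substr($stored, 0, $pos);
        $salt = substr($stored, $pos + length($delim));
    }
    return ct_eq(lc($hash), md5_hex($password . $salt));
}

# Constructed sample rows (not real accounts).
my $salt   = 'Zq3xT0pLm9';
my $salted = md5_hex('s3cret' . $salt) . ':' . $salt;
my $plain  = md5_hex('s3cret');

my @cases = (
    [ 'salted row, right password', 's3cret', $salted, ':'   ],
    [ 'salted row, wrong password', 'guess',  $salted, ':'   ],
    [ 'salted row, no delimiter',   's3cret', $salted, undef ],
    [ 'plain row, delimiter set',   's3cret', $plain,  ':'   ],
    [ 'plain row, no delimiter',    's3cret', $plain,  undef ],
);
for my $c (@cases) {
    my ($label, $pw, $row, $d) = @$c;
    # Squid basic-auth helpers answer OK or ERR per request line.
    printf "%-28s %s\n", $label, check_password($pw, $row, $d) ? 'OK' : 'ERR';
}
```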
