SQUID authentication accepts similar passwords :O

As title,

I'm shocked.

I'm running squid on CentOS 6.4.

This are the step I used to install it:

yum install squid -y

this the squid.conf parameters:
# add auth_params
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 2
auth_param basic realm My Proxy Server
auth_param basic credentialsttl 24 hours
auth_param basic casesensitive off
# add acl rules
acl users proxy_auth REQUIRED
# http access rules
http_access deny !users
http_access allow users

some commands to configure the password:

touch /etc/squid/passwd
chown root.squid /etc/squid/passwd
chmod 640 /etc/squid/passwd
htpasswd /etc/squid/passwd username

Suppose that in the

htpasswd /etc/squid/passwd username

command I type a password like this:

ciaooaic

now when the browsers asks me for auth if I type a password like this:

ciaooaicds

the password is accepted :shock: :shock: :shock:

the passwords, clearly don't match but it is accepted.

what a crappy authentication is this?

6 Replies

Have you tried an obviously wrong password?

http://www.squid-cache.org/Advisories/SQUID-2011_2.txt

@Nuvini:

http://www.squid-cache.org/Advisories/SQUID-2011_2.txt

from that note it seems that with Squid 3.1 it is possible to workaround the problem using

the

htpasswd -m /etc/squid/passwd username

in this way, I'm not able to authenticate anymore… :|

in the file you linked me is wrote that Squid 3.3 fixed this problem,

I installed squid 3.3.6 and I have the same problem. :roll:

If you'll create a passwordfile with "htpasswd", it uses crypt(), and that saves only first eight characters.

If you'll create a passwordfile with "htpasswd -m" uses md5 that saves whole password.

Note that usually all passwords in the file need to be in the same format for anything to work.

Glancing at the .txt, the MD5 option works both with Squid 3.1 and 3.3.

So, maybe rename the old passwordfile, create a new one and make a user entry…

% mv sqpasswd old.sqpasswd
% touch sqpasswd
% htpasswd -m sqpasswd username
% cat sqpasswd
username:$apr1$blAHBLah1234

The $apr1$ part is the MD5-encoding marker.

Then maybe restart squid just in case, and try to authenticate.

at the end I solve using the

authparam digest program /usr/lib64/squid/digestfile_auth -c /etc/squid/users

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct