SQUID authentication accepts similar passwords :O
I'm shocked.
I'm running squid on CentOS 6.4.
This are the step I used to install it:
yum install squid -y
this the squid.conf parameters:
# add auth_params
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 2
auth_param basic realm My Proxy Server
auth_param basic credentialsttl 24 hours
auth_param basic casesensitive off
# add acl rules
acl users proxy_auth REQUIRED
# http access rules
http_access deny !users
http_access allow users
some commands to configure the password:
touch /etc/squid/passwd
chown root.squid /etc/squid/passwd
chmod 640 /etc/squid/passwd
htpasswd /etc/squid/passwd username
Suppose that in the
htpasswd /etc/squid/passwd username
command I type a password like this:
ciaooaic
now when the browsers asks me for auth if I type a password like this:
ciaooaicds
the password is accepted
the passwords, clearly don't match but it is accepted.
what a crappy authentication is this?
6 Replies
@Nuvini:
http://www.squid-cache.org/Advisories/SQUID-2011_2.txt
from that note it seems that with Squid 3.1 it is possible to workaround the problem using
the
htpasswd -m /etc/squid/passwd username
in this way, I'm not able to authenticate anymore…
I installed squid 3.3.6 and I have the same problem.
If you'll create a passwordfile with "htpasswd -m" uses md5 that saves whole password.
Note that usually all passwords in the file need to be in the same format for anything to work.
Glancing at the .txt, the MD5 option works both with Squid 3.1 and 3.3.
So, maybe rename the old passwordfile, create a new one and make a user entry…
% mv sqpasswd old.sqpasswd
% touch sqpasswd
% htpasswd -m sqpasswd username
% cat sqpasswd
username:$apr1$blAHBLah1234
The $apr1$ part is the MD5-encoding marker.
Then maybe restart squid just in case, and try to authenticate.
authparam digest program /usr/lib64/squid/digestfile_auth -c /etc/squid/users