[squid-users] NCSA-auth don't work for file contain too many passswords

Amos Jeffries squid3 at treenet.co.nz
Sat Nov 12 02:48:30 UTC 2016

On 12/11/2016 6:29 a.m., Garri Djavadyan wrote:
> On 2016-11-11 21:05, --Ahmad-- wrote:
>> hi squid users .
>> i have problem when i use basic_ncsa auth
>> the auth work when i have few passwords in the file of auth .
>> as example
>> auth_param basic program /lib/squid/basic_ncsa_auth /etc/squid/squid_user
>> acl ncsa_users proxy_auth REQUIRED
>> auth_param basic children 100
>> http_access allow ncsa_users
>> user like 30 in the file /etc/squid/squid_user  is ok
>> but when i use like 20K password ….. squid always give me wrong pwd .
>> is there any turning i need ?
>> I’m using squid 3.5.2
>> BTW i use the cmd as ex ——————>     htpasswd -db /etc/squid/squid_user
>> user1 user1

Ahmad, what do you think "-db" means?

Hint: htpasswd tells you what the 'd' and the 'b' mean.

> Hi Ahmad,
> I can't reproduce the problem using Squid 3.5.22. I used following
> method to verify the case:

Unfortunately your test uses the 'openssl' tool below instead of
htpasswd to create the password file. There are some big differences in
security algorithms each uses to reate the password file.

> 2. Create ncsa passwords db for 20k users.
> # for i in {1..20000}; do echo "user${i}:$(openssl passwd -apr1
> pass${i})" >> /usr/local/squid35/etc/passwd; done

This test *will* fail when "htpasswd -db" is used to generate the
password file from those password strings. Notice that the test 'i'
values of 10000+ create passwords like "pass10000" which are 9
characters long.

The htpasswd -d uses DES encryption which has an 8 character limit on
password length. It will *silently* truncate the password to the first 8

Recent basic_ncsa_auth helper versions will detect and reject
authentication using DES algorithm when password is longer than 8

NP: users can still log into Squid which were configured with that DES
file, but must only type in the first 8 characters of their password
when doing so.

You need to use the htpasswd -m (MD5) or -s (SHA) options to hash the
passwords. Avoid DES (-d) as much as you can.

> Can you try the method using Squid 3.5.2? If it would fail, can you try
> Squid 3.5.22?

Please do the Squid upgrade anyway since there are many serious security
issues fixed in 3.5 since the .2 release.


More information about the squid-users mailing list