[squid-users] NCSA-auth don't work for file contain too many passswords
Garri Djavadyan
garryd at comnet.uz
Sat Nov 12 07:15:27 UTC 2016
Hi Amos,
Thanks for the comments!
On 2016-11-12 07:48, Amos Jeffries wrote:
>> I can't reproduce the problem using Squid 3.5.22. I used following
>> method to verify the case:
>>
> Unfortunately your test uses the 'openssl' tool below instead of
> htpasswd to create the password file. There are some big differences in
> security algorithms each uses to reate the password file.
My primary task was to confirm that 20k passwords DB file is not an
issue for Squid.
I used htpasswd-compatible MD5 algorighm (-apr1), it is equivalent to
'htpasswd -m'.
The openssl key -crypt is equivalent to 'htpasswd -d'.
You are right, I missed the specified '-d' flag.
>> 2. Create ncsa passwords db for 20k users.
>> # for i in {1..20000}; do echo "user${i}:$(openssl passwd -apr1
>> pass${i})" >> /usr/local/squid35/etc/passwd; done
>>
>
> This test *will* fail when "htpasswd -db" is used to generate the
> password file from those password strings. Notice that the test 'i'
> values of 10000+ create passwords like "pass10000" which are 9
> characters long.
>
> The htpasswd -d uses DES encryption which has an 8 character limit on
> password length. It will *silently* truncate the password to the first
> 8
> characters.
>
> Recent basic_ncsa_auth helper versions will detect and reject
> authentication using DES algorithm when password is longer than 8
> characters.
Thanks. I found the relevant commit 11632 [1] and the associated bug
report 3107 [2] discussion.
I have a question, maybe there should be an optional argument which
could be used to permit old behavior? For example, Apache HTTP server
still permits passwords longer then 8 characters.
[1] http://bazaar.launchpad.net/~squid/squid/5/revision/11632
[2] http://bugs.squid-cache.org/show_bug.cgi?id=3107
Garri
More information about the squid-users
mailing list