[squid-users] Secure basic authentication on Squid
Amos Jeffries
squid3 at treenet.co.nz
Mon Dec 4 17:05:45 UTC 2017

On 05/12/17 04:42, Colle Christophe wrote:
> Hello!
>
> I am currently using Squid for internet access. Currently, "basic"
> authentication on an LDAP directory is configured to identify users. The
> problem is that the password is sent in clear (base64) and I am looking
> for a solution to secure it.
>
> I tested the "Digest" mode, but the result is inconclusive because you
> have to modify the LDAP directory with an attribute containing the hash
> of the password. The directory can not be modified in our case.

Should not have to. The helper should be able to treat the LDAP as
containing the username+password in clear text and do all the hashing
itself as needed.

(NP: I'm not sure why some of the documentation for digest_ldap_auth
says "(REQUIRED)" on the -e option. It is an option because you get to
choose whether it is done that way or not.)

>
> Is there a solution to secure the "basic" authentication of squid? (with
> an SSL certificate for example).

Plain text username+password is what "Basic" means. There are ways to
secure the credentials values by using one-time passwords but it is very
rare for client software to support that kind of thing. Normally they
only support the standard Basic credentials.

"Digest" is an entirely different authentication protocol which has
several modes of use from very weak to reasonably strong security.
Though in my experience Browsers screw up quite often with the strong
security mode.

"SSL certificate" - if by that you mean TLS client certificates, is part
of TLS and has nothing to do with HTTP. Squid does support those for
securing TLS connections to the proxy, but I'm not sure how well using
them as user credentials is.
Amos