[squid-users] Tutorial for better authentication than basic

j m acctforjunk at yahoo.com
Tue May 2 11:20:52 UTC 2017


Also good information to know. I'll check into this.
I'm still finding my way through this and the next step is getting SSH to work over it... no luck with that yet.

From: Amos Jeffries <squid3 at treenet.co.nz>
To: squid-users at lists.squid-cache.org
Sent: Monday, May 1, 2017 7:06 PM
Subject: Re: [squid-users] Tutorial for better authentication than basic

On 02/05/17 09:04, j m wrote:
> Wow, I didn't find that one.  Not super secure, but better than clear 
> text and I'm not too worried about someone sniffing my packets.
>

The security level with Digest depends on the nonce lifetime and reuse 
counter, both of which you can tune to your liking. The shorter those 
are the more secure, up to the point where it is a purely one-time 
token. That said, some clients (most often browsers) have big trouble 
managing nonces in correct order and with dozens of connections open to 
the proxy - and then there are Squid bugs. So tuning those is not as 
easy as it should be.

NTLM does not work over the Internet. Kerberos might, but not very well. 
They are connection-oriented authentication schemes designed for use in 
LAN environments. So for your described situation they are not useful 
even if you were willing to open the ports.

Amos

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
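
A minimal model of the trade-off described in the quoted reply (nonce lifetime, reuse counter, and request ordering), added here as an illustration; it is not Squid's code and not part of the original thread. The class, function, and parameter names are assumptions; in squid.conf the corresponding settings are `auth_param digest nonce_max_duration` and `auth_param digest nonce_max_count`.

```python
import secrets

class NonceTracker:
    """Toy server-side Digest nonce state: lifetime, reuse limit, nc ordering."""

    def __init__(self, max_age, max_uses, strict=False):
        self.max_age = max_age      # seconds a nonce stays valid
        self.max_uses = max_uses    # highest nonce count (nc) accepted
        self.strict = strict        # require nc to rise by exactly 1
        self.nonces = {}            # nonce -> [issued_at, highest nc seen]

    def issue(self, now):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = [now, 0]
        return nonce

    def check(self, nonce, nc, now):
        """Return 'ok', 'stale' (client must get a new nonce) or 'reject'."""
        state = self.nonces.get(nonce)
        if state is None:
            return "reject"                 # never issued, or already retired
        issued, last_nc = state
        if now - issued > self.max_age or nc > self.max_uses:
            del self.nonces[nonce]          # lifetime or reuse budget spent
            return "stale"
        if nc <= last_nc:
            return "reject"                 # replayed or late-arriving request
        if self.strict and nc != last_nc + 1:
            return "reject"                 # gap in the count
        state[1] = nc
        return "ok"

def arrivals(tracker, nc_order, start=0):
    """Feed one nonce's requests in the given arrival order, one per second."""
    nonce = tracker.issue(start)
    return [tracker.check(nonce, nc, start + i + 1) for i, nc in enumerate(nc_order)]

if __name__ == "__main__":
    # Constructed arrival orders, not captured traffic.
    print(arrivals(NonceTracker(300, 50), [1, 1, 3, 2]))   # replay and reordering
    print(arrivals(NonceTracker(300, 1), [1, 2]))          # one-time token
    print(arrivals(NonceTracker(2, 50), [1, 2, 3, 4]))     # short lifetime
```

The second request in the first run is a replay of an already-used count, and the fourth is a legitimate request that arrived late on another connection; the server cannot tell them apart, which is why tight settings cost compatibility with clients that use many parallel connections.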


   