Linode Forum
https://forum.linode.com/

SQUID authentication accepts similar passwords :O
https://forum.linode.com/viewtopic.php?f=19&t=10234		 Page 1 of 1
Author:  sblantipodi [ Tue Jul 09, 2013 3:39 pm ]
Post subject:  SQUID authentication accepts similar passwords :O
As title,
I'm shocked.

I'm running squid on CentOS 6.4.

This are the step I used to install it:
yum install squid -y

Code:
this the squid.conf parameters:
# add auth_params
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 2
auth_param basic realm My Proxy Server
auth_param basic credentialsttl 24 hours
auth_param basic casesensitive off
# add acl rules
acl users proxy_auth REQUIRED
# http access rules
http_access deny !users
http_access allow users


some commands to configure the password:
Code:
touch /etc/squid/passwd
chown root.squid /etc/squid/passwd
chmod 640 /etc/squid/passwd
htpasswd /etc/squid/passwd username


Suppose that in the
htpasswd /etc/squid/passwd username
command I type a password like this:
ciaooaic

now when the browsers asks me for auth if I type a password like this:
ciaooaicds

the password is accepted :shock: :shock: :shock:

the passwords, clearly don't match but it is accepted.

what a crappy authentication is this?
Author:  bacon [ Tue Jul 09, 2013 3:43 pm ]
Post subject:  Re: SQUID authentication accepts similar passwords :O
Have you tried an obviously wrong password?
Author:  Nuvini [ Tue Jul 09, 2013 3:43 pm ]
Post subject:  Re: SQUID authentication accepts similar passwords :O
http://www.squid-cache.org/Advisories/SQUID-2011_2.txt
Author:  sblantipodi [ Tue Jul 09, 2013 3:56 pm ]
Post subject:  Re: SQUID authentication accepts similar passwords :O
Nuvini wrote:
http://www.squid-cache.org/Advisories/SQUID-2011_2.txt


from that note it seems that with Squid 3.1 it is possible to workaround the problem using
the
htpasswd -m /etc/squid/passwd username

in this way, I'm not able to authenticate anymore... :|
Author:  sblantipodi [ Tue Jul 09, 2013 4:10 pm ]
Post subject:  Re: SQUID authentication accepts similar passwords :O
in the file you linked me is wrote that Squid 3.3 fixed this problem,
I installed squid 3.3.6 and I have the same problem. :roll:
Author:  rsk [ Wed Jul 10, 2013 4:14 pm ]
Post subject:  Re: SQUID authentication accepts similar passwords :O
If you'll create a passwordfile with "htpasswd", it uses crypt(), and that saves only first eight characters.

If you'll create a passwordfile with "htpasswd -m" uses md5 that saves whole password.
Note that usually all passwords in the file need to be in the same format for anything to work.

Glancing at the .txt, the MD5 option works both with Squid 3.1 and 3.3.

So, maybe rename the old passwordfile, create a new one and make a user entry...
Code:
% mv sqpasswd old.sqpasswd
% touch sqpasswd
% htpasswd -m sqpasswd username


Code:
% cat sqpasswd
username:$apr1$blAHBLah1234


The $apr1$ part is the MD5-encoding marker.

Then maybe restart squid just in case, and try to authenticate.
Author:  sblantipodi [ Thu Jul 11, 2013 9:09 am ]
Post subject:  Re: SQUID authentication accepts similar passwords :O
at the end I solve using the
auth_param digest program /usr/lib64/squid/digest_file_auth -c /etc/squid/users
Page 1 of 1 All times are UTC-04:00
Powered by phpBB® Forum Software © phpBB Group
http://www.phpbb.com/