LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-07-2010, 08:06 AM   #1
Sevensins
Squid Authentication Encryption Methods?


Hi!

I am using auth_param basic program /usr/lib/squid/squid_ldap_auth to authenticate Squid users against LDAP. The user name and password are sent in clear text over the network between the browser and the Squid server. Is there any way to send them in an encrypted format?

Any pointers/suggestions would be highly appreciated.

regards

Last edited by Sevensins; 05-14-2010 at 12:23 PM.
 
Old 05-08-2010, 07:09 AM   #2
Sevensins
Hi!

I have tried the following:

# Attempt 1: -Z (StartTLS) against port 636. StartTLS upgrades a plain LDAP
# connection (port 389); port 636 expects TLS from the first byte, so the two
# options do not go together.
auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b "dc=domain,dc=com" -f "uid=%s" -h host.domain.com -p 636 -Z
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -v 3 -b "ou=Groups,dc=domain,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h host.domain.com -p 636 -Z


# Attempt 2: LDAPS via an LDAP URI. -H takes the URI and replaces -h (a bare
# host name); the helpers do not accept both at once.
auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b "dc=domain,dc=com" -f "uid=%s" -H ldaps://host.domain.com -p 636
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -v 3 -b "ou=Groups,dc=domain,dc=com" -f "(&(cn=%g)(memberUid=%u))" -H ldaps://host.domain.com -p 636


# Attempt 3: StartTLS on the default LDAP port (389)
auth_param basic program /usr/lib/squid/squid_ldap_auth -Z -v 3 -b "dc=domain,dc=com" -f "uid=%s" -h host.domain.com
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -Z -v 3 -b "ou=Users,dc=domain,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h host.domain.com

# Common settings (the three attempts above were tried one at a time; only
# one auth_param basic program line is in effect in a given squid.conf)
auth_param basic children 10
auth_param basic realm MyNetwork
auth_param basic credentialsttl 2 hours
authenticate_ip_ttl 10 seconds
acl proxy external ldap_group grp1
# proxy_auth matches user names; an address match is a src acl
acl localhost1 src 127.0.0.1/32
acl authenticated proxy_auth REQUIRED


But the problem remains the same: the user name and password are still being sent in clear text between the user's browser and the proxy server. I think it may have something to do with the basic auth mechanism being used, or I may be wrong.

Any pointers would be highly appreciated.
 
Old 05-14-2010, 12:21 PM   #3
Sevensins
Moving from digest auth; below are two tests. What I would like to know is:

1. If using Kerberos to authenticate against Windows Active Directory, with NTLM as a fallback method for clients that do not support Kerberos auth, will it fall back to NTLM auth?

2. In both Kerberos and NTLM, are the user name and password sent from the client browser to Squid, and from Squid to the KDC/AD, encrypted uniquely?

3. Can a user name/password be sniffed on the network with a simple tool like Wireshark, using any tools to decrypt?

4. Kerberos and NTLM: which is more prone to a man-in-the-middle attack?


The two settings are as follows, for your kind perusal:

---------------------------------------------------------------------------------------------------------------
Test 1

auth_param negotiate program /usr/local/libexec/squid/squid_kerb_auth -d -s HTTP/proxy.me@me.com
auth_param negotiate children 15
auth_param negotiate keep_alive on

auth_param ntlm program /usr/local/bin/ntlm_auth -d 0 --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15

auth_param basic program /usr/local/libexec/squid/pam_auth
auth_param basic children 25
auth_param basic realm Squid[Kamtelecom]
auth_param basic credentialsttl 1 minute
auth_param basic casesensitive off

acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers

-------------------------------------------------------------------------------------------------------

Test 2

auth_param negotiate program /usr/sbin/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on

auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
auth_param ntlm use_ntlm_negotiate on

# warning: basic authentication sends passwords plaintext
# a network sniffer can and will discover passwords
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers
----------------------------------------------------------------

regards
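The two posts above turn on one point: -Z and ldaps:// in post #2 only protect the hop from Squid to the LDAP server, while the credentials the poster sees in the clear travel on the other hop, from the browser to Squid, where "auth_param basic" carries them as base64("user:password"). The script below is an added illustration of that and of questions 1, 3 and 4 from post #3; it is not code from the thread or from the Squid project. The captured request, the 407 response, the user name "alice" and the password in it are constructed for the example. It decodes the Basic credentials exactly as a sniffer would, works out which of the offered schemes (Negotiate, NTLM, Basic, as a proxy with Test 2's three auth_param blocks offers) a given client ends up on, and models an active on-path attacker rewriting the 407 so that only the Basic challenge survives.

```python
import base64
from typing import Dict, List, Optional, Tuple

# Constructed capture (not from the thread): what a passive sniffer on the
# browser <-> Squid segment sees with "auth_param basic". The -Z / ldaps://
# options only cover the Squid <-> LDAP hop, which this traffic never touches.
CAPTURED_BASIC_REQUEST = (
    "CONNECT mail.example.com:443 HTTP/1.1\r\n"
    "Host: mail.example.com:443\r\n"
    "Proxy-Authorization: Basic YWxpY2U6czNjcjN0UGFzcw==\r\n"  # alice:s3cr3tPass
    "Proxy-Connection: keep-alive\r\n"
    "\r\n"
)

# Constructed 407 from a proxy that offers Negotiate, NTLM and Basic,
# the three schemes configured in Test 2 of post #3.
CAPTURED_407_RESPONSE = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Server: squid\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    'Proxy-Authenticate: Basic realm="Squid proxy-caching web server"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

CLEARTEXT_SCHEMES = {"basic"}  # schemes whose credentials are recoverable by a sniffer

def parse_headers(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP message into its start line and lower-cased (name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def recover_basic_credentials(raw_request: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic Proxy-Authorization header: base64 is encoding, not encryption."""
    _, headers = parse_headers(raw_request)
    for name, value in headers:
        if name == "proxy-authorization" and value.lower().startswith("basic "):
            token = value.split(None, 1)[1]
            user, _, password = base64.b64decode(token).decode("utf-8", "replace").partition(":")
            return user, password
    return None

def offered_schemes(raw_response: str) -> List[str]:
    """Schemes the proxy challenged with, in wire order."""
    _, headers = parse_headers(raw_response)
    return [value.split()[0].lower() for name, value in headers if name == "proxy-authenticate"]

def predicted_scheme(offered: List[str], client_supports: List[str]) -> Optional[str]:
    """First offered scheme the client supports (simplest client model; see note below)."""
    supported = {s.lower() for s in client_supports}
    return next((s for s in offered if s in supported), None)

def audit_challenge(raw_response: str, client_supports: List[str]) -> Dict[str, object]:
    """For one client: which scheme it lands on, and whether that leaks the password."""
    offered = offered_schemes(raw_response)
    chosen = predicted_scheme(offered, client_supports)
    return {
        "offered": offered,
        "chosen": chosen,
        "basic_fallback_offered": any(s in CLEARTEXT_SCHEMES for s in offered),
        "credentials_in_clear": chosen in CLEARTEXT_SCHEMES,
    }

def downgrade_challenge(raw_response: str) -> str:
    """Model of an active on-path attacker: drop every non-Basic challenge from
    the 407. The 407 is unauthenticated plain HTTP, so a client that will do
    Basic to the proxy at all can be steered onto it (usually after a prompt)."""
    head, sep, body = raw_response.partition("\r\n\r\n")
    kept = []
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and not value.strip().lower().startswith("basic"):
            continue
        kept.append(line)
    return "\r\n".join(kept) + sep + body

if __name__ == "__main__":
    print("sniffed:", recover_basic_credentials(CAPTURED_BASIC_REQUEST))
    for client in (["negotiate", "ntlm", "basic"], ["ntlm", "basic"], ["basic"]):
        print(client, "->", audit_challenge(CAPTURED_407_RESPONSE, client))
    print("downgraded ->", audit_challenge(downgrade_challenge(CAPTURED_407_RESPONSE), ["negotiate", "ntlm", "basic"]))
```

predicted_scheme uses the crudest client model, "take the first challenge I understand"; RFC 7235 tells a user agent to pick the strongest scheme it understands, and real browsers sit somewhere between the two. For the question in post #3 the model does not matter much: a client with neither Kerberos nor NTLM ends up on Basic under either rule as long as Basic is offered, and downgrade_challenge shows that a strongest-first client is not safe either while it is willing to answer a Basic proxy challenge, because nothing protects the 407 itself. The only configuration-side answer within the thread's setup is to not offer Basic at all, or to run the browser-to-proxy leg over TLS.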