<tag>auth_param ntlm, basic, digest</tag>
<p>BASIC, DIGEST: New parameter option <em>utf8 on|off</em> to permit helpers to selectively process UTF-8 characters even though
HTTP accepts only ISO-8859-1.</p>
+ <p>NCSA authenticator updated to alert if passwords with more than 8 characters are used with DES encryption method.
<p>NTLM: The helper binary bundled with Squid under the name <em>ntlm_auth</em> has been renamed to accurately reflect
its real behavior and to prevent confusion with the more useful Samba helper using the same name.
<p>Despite being used for NTLM, the helper does not in fact provide true NTLM function. What it does provide is
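Review bot: the added `<p>NCSA authenticator updated to alert ...` paragraph is never closed with `</p>`, unlike the preceding paragraph in the same hunk; add the closing tag. The wording also understates what the code hunk below does: the helper does not merely "alert", it still answers `OK` for over-long DES passwords during the transition period, so the release note should say that long DES passwords are accepted with a warning on stderr and that administrators are expected to migrate those entries to MD5.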
The only parameter is the password file. It must have permissions to be read by the user that Squid is running as (cache_effective_user in squid.conf).
.PP
This password file can be manipulated using htpasswd.
+.
+.PP
+.This authenticator accepts:
+.BR
+* MD5 - with optional salt and magic strings
+.BR
+* DES - for passwords 8 characters or less in length
+.
.SH OPTIONS
Only specify the password file name.
.SH EXAMPLE
\fBncsa_auth\fP /etc/squid/squid.pass
.SH SECURITY
\fBncsa_auth\fP must have access to the password file to be executed.
+.
+.SH KNOWN ISSUES
+.PP
+DES functionality (used by htpasswd by default) silently truncates passwords to 8 characters.
+Allowing login with password values shorter than the one desired.
+This authenticator will reject login with long passwords when using DES.
+.
.SH SEE ALSO
\fBhtpasswd\fP(1), \fBsquid\fP(8)
+.
.SH AUTHOR
Manpage written by Rodrigo Rubira Branco <rrbranco@br.ibm.com>
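Review bot: `+.This authenticator accepts:` will not render; a line beginning with `.` is a roff request, so `.This` is treated as an unknown macro and the text is dropped. Write it as `This authenticator accepts:` after the `.PP`. Likewise `.BR` with no arguments is the bold/roman alternating-font macro, not a line break; use `.br` before each `*` item. In KNOWN ISSUES, "Allowing login with password values shorter than the one desired." is a sentence fragment (fold it into the previous sentence), and the claim "This authenticator will reject login with long passwords when using DES" contradicts the code hunk below, which accepts them and only prints a SECURITY ALERT to stderr; the manpage and the code need to agree on the chosen behaviour.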
* - extra fields in the password file are ignored; this makes it
* possible to use a Unix password file but I do not recommend that.
*
+ * MD5 without salt and magic strings - Added by Ramon de Carvalho and Rodrigo Rubira Branco
*/
#include "config.h"
if (u == NULL) {
printf("ERR No such user\n");
#if HAVE_CRYPT
- } else if (strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
+ } else if (strlen(passwd) <= 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
+ // Bug 3107: crypt() DES functionality silently truncates long passwords.
+ printf("OK\n");
+ } else if (strlen(passwd) > 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
+ // Bug 3107: crypt() DES functionality silently truncates long passwords.
+ fprintf(stderr, "SECURITY ALERT: NCSA DES algorithm truncating user %s password to 8 bytes. Upgrade to MD5.", user);
+ // Highly Unsafe: permit a transition period for admin to update passwords.
printf("OK\n");
#endif
} else if (strcmp(u->passwd, (char *) crypt_md5(passwd, u->passwd)) == 0) {
printf("OK\n");
- } else if (strcmp(u->passwd, (char *) md5sum(passwd)) == 0) { /* md5 without salt and magic strings - Added by Ramon de Carvalho and Rodrigo Rubira Branco */
+ } else if (strcmp(u->passwd, (char *) md5sum(passwd)) == 0) {
printf("OK\n");
} else {
printf("ERR Wrong password\n");
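Review bot: the two new `else if` branches both evaluate `crypt(passwd, u->passwd)` and differ only in the `strlen(passwd)` test, so the hunk could be one crypt comparison followed by `if (strlen(passwd) > 8) fprintf(...)`; as written the crypt result is also compared against `u->passwd` without checking for a NULL return, which some crypt() implementations produce for a malformed salt (pre-existing on the removed line, but worth fixing while here). The `fprintf` alert lacks a trailing `\n`, so the log line runs into whatever is written to stderr next. More importantly, the alert only fires when the full long password is presented: because DES truncates at 8 bytes, an 8-character prefix of the same password still matches through the first branch with no warning, so this change does not detect the weakness the comment describes, only the case where a legitimate user types the whole password. Finally, `user` is assumed here to be the username read earlier in the helper; it is not visible in this hunk, so please confirm the identifier.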