From: Amos Jeffries Date: Sat, 27 Aug 2011 07:03:26 +0000 (-0600) Subject: Bug 3107: ncsa_auth DES silently truncates passwords to 8 bytes X-Git-Tag: SQUID_3_1_15~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ac4127c59cf8faee5cc28604617b25d42e0294ad;p=thirdparty%2Fsquid.git Bug 3107: ncsa_auth DES silently truncates passwords to 8 bytes --- diff --git a/doc/release-notes/release-3.1.sgml b/doc/release-notes/release-3.1.sgml index 2ca8b65613..0e099b52c5 100644 --- a/doc/release-notes/release-3.1.sgml +++ b/doc/release-notes/release-3.1.sgml @@ -1010,6 +1010,7 @@ NOCOMMENT_START auth_param ntlm, basic, digest

BASIC, DIGEST: New parameter option utf8 on|off to permit helpers to selectively process UTF-8 characters even though HTTP accepts only ISO-8859-1.

+

NCSA authenticator updated to alert if passwords with more than 8 characters are used with DES encryption method.

NTLM: The helper binary bundled with Squid under the name ntlm_auth has been renamed to accurately reflect its real behavior and to prevent confusion with the more useful Samba helper using the same name.

Despite being used for NTLM, the helper does not in fact provide true NTLM function. What it does provide is diff --git a/helpers/basic_auth/NCSA/ncsa_auth.8 b/helpers/basic_auth/NCSA/ncsa_auth.8 index 85da640986..a818ba431c 100644 --- a/helpers/basic_auth/NCSA/ncsa_auth.8 +++ b/helpers/basic_auth/NCSA/ncsa_auth.8 @@ -26,13 +26,29 @@ ncsa_auth \- NCSA httpd-style password file authentication helper for Squid The only parameter is the password file. It must have permissions to be read by the user that Squid is running as (cache_effective_user in squid.conf). .PP This password file can be manipulated using htpasswd. +. +.PP +.This authenticator accepts: +.BR +* MD5 - with optional salt and magic strings +.BR +* DES - for passwords 8 characters or less in length +. .SH OPTIONS Only specify the password file name. .SH EXAMPLE \fBncsa_auth\fP /etc/squid/squid.pass .SH SECURITY \fBncsa_auth\fP must have access to the password file to be executed. +. +.SH KNOWN ISSUES +.PP +DES functionality (used by htpasswd by default) silently truncates passwords to 8 characters. +Allowing login with password values shorter than the one desired. +This authenticator will reject login with long passwords when using DES. +. .SH SEE ALSO \fBhtpasswd\fP(1), \fBsquid\fP(8) +. .SH AUTHOR Manpage written by Rodrigo Rubira Branco diff --git a/helpers/basic_auth/NCSA/ncsa_auth.c b/helpers/basic_auth/NCSA/ncsa_auth.c index 27bf3918f4..ac98b1841a 100644 --- a/helpers/basic_auth/NCSA/ncsa_auth.c +++ b/helpers/basic_auth/NCSA/ncsa_auth.c @@ -15,6 +15,7 @@ * - extra fields in the password file are ignored; this makes it * possible to use a Unix password file but I do not recommend that. * + * MD5 without salt and magic strings - Added by Ramon de Carvalho and Rodrigo Rubira Branco */ #include "config.h" 
@@ -144,12 +145,18 @@ main(int argc, char **argv) if (u == NULL) { printf("ERR No such user\n"); #if HAVE_CRYPT - } else if (strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) { + } else if (strlen(passwd) <= 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) { + // Bug 3107: crypt() DES functionality silently truncates long passwords. + printf("OK\n"); + } else if (strlen(passwd) > 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) { + // Bug 3107: crypt() DES functionality silently truncates long passwords. + fprintf(stderr, "SECURITY ALERT: NCSA DES algorithm truncating user %s password to 8 bytes. Upgrade to MD5.", user); + // Highly Unsafe: permit a transition period for admin to update passwords. printf("OK\n"); #endif } else if (strcmp(u->passwd, (char *) crypt_md5(passwd, u->passwd)) == 0) { printf("OK\n"); - } else if (strcmp(u->passwd, (char *) md5sum(passwd)) == 0) { /* md5 without salt and magic strings - Added by Ramon de Carvalho and Rodrigo Rubira Branco */ + } else if (strcmp(u->passwd, (char *) md5sum(passwd)) == 0) { printf("OK\n"); } else { printf("ERR Wrong password\n");
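Review bot: the release-note wording "updated to alert" in the release-3.1.sgml hunk describes what the code in this commit actually does (a stderr message while the login is still accepted), but the new KNOWN ISSUES section added to ncsa_auth.8 in the same commit says long DES passwords are rejected; the two documents contradict each other, so pick one behaviour and make both texts state it.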
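Review bot: in the ncsa_auth.8 hunk, "This authenticator will reject login with long passwords when using DES." does not match the accompanying ncsa_auth.c change, which prints `OK` for that case and only writes an alert to stderr; if the fail-open transition period is what ships, the manpage must say so rather than promise a rejection. Troff problems in the same hunk: `.This authenticator accepts:` begins with a dot, so roff treats it as an unknown request and the line is not printed; the two `.BR` lines carry no arguments and produce no output (`.br` for a line break looks like what was intended); and "Allowing login with password values shorter than the one desired." is a sentence fragment that should be joined to the preceding sentence.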
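Review bot: the new `strlen(passwd) > 8` branch in the ncsa_auth.c hunk still ends in `printf("OK\n")`, so a user whose DES hash matched a truncated password is authenticated exactly as before and the only change is the stderr message; the inline comment itself calls this "Highly Unsafe". If a transition period is wanted, gate it behind a build-time or command-line switch with the default being a rejection such as `printf("ERR Password too long for DES\n")`, so an administrator can close the hole without patching the helper. Smaller points in the same hunk: the `fprintf(stderr, "SECURITY ALERT: ...")` format string has no trailing `\n`, so consecutive alerts run together in the log; both new branches call `crypt(passwd, u->passwd)` with identical arguments, so compute that comparison once and branch on `strlen(passwd)` afterwards; and the length test looks only at the password, not at whether `u->passwd` is actually a DES-format hash, so on libc builds where `crypt()` also understands other hash formats the "DES algorithm truncating" alert can fire for a password that was never truncated.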