PatchLog

If you use authentication in squid you have several mechanisms ( authenticators ) to chose from. The Basic authenticator is the easiest to set up and the most insecure because the client sends the username and password in plain text to the proxy server.

Instead of using the basic you would consider using the digest authenticator. This authenticator does not require the client to send the user and password in plain text but encoded in an MD5 hash so that an attacker that captures the data between the client and proxy server will not be able to use the user and password.

To use the digest authenticator you have to specifically compile it if you are compiling squid from sources. Before you compile just add --enable-auth="basic digest" to the ./configure line or after you compile squid, go to helpers/digest_auth/ and do :

make
make install

If you are using Fedora then the digest authenticator is already compiled and the program is located at /usr/lib/squid/digest_pw_auth

If you are using squid from ports on freebsd then the program will be compiled by default and installed at /usr/local/libexec/squid/digest_pw_auth

If you emerge squid on gentoo the program will be compiled by default and installed at /usr/libexec/squid/digest_pw_auth

Now for the configuration part the default squid.conf gives almost all the info we need. I say almost because it does not say much about the format of the file where you have to store the passwords:

#"program" cmdline
# Specify the command for the external authenticator. Such a program
# reads a line containing "username":"realm" and replies with the
# appropriate H(A1) value hex encoded or ERR if the user (or his H(A1)
# hash) does not exists. See RFC 2616 for the definition of H(A1).
# "ERR" responses may optionally be followed by a error description
# available as %m in the returned error page.

I did not want to read the whole RFC 2616 just to find the definition of H(A1) so I looked in squid source at digest_pw_auth.c right in the header :

* To avoid storing a plaintext
* password you can calculate MD5(username:realm:password) when the
* user changes their password, and store the tuple username:realm:HA1.
* then find the matching username:realm when squid asks for the
* HA1.

Storing encrypted ( hashed ) passwords will not really help the security that much, the part that helps security is that plain text passwords are not sent over the net, but we will store encrypted passwords anyway. HA1 is really just MD5(username:realm:password) and you have to pass the "-c" parameter to digest_pw_auth if you want to not store the plain text passwords in the file and the format to be username:realm:HA1.

The final configuration for the digest authenticator :

auth_param digest program /usr/lib/squid/digest_pw_auth -c /etc/squid/digest_passwd
auth_param digest children 5
auth_param digest realm Squid proxy-caching web server
auth_param digest nonce_garbage_interval 5 minutes
auth_param digest nonce_max_duration 30 minutes
auth_param digest nonce_max_count 50

I created a small script to help me add users to /etc/squid/digest_passwd :

cat digest_user.sh

 
#!/bin/sh
 
user=$1
pass=$2
realm=$3
 
if [ -z "$1" -o -z "$2" -o -z "$3" ] ; then
        echo "Usage: $0 user password 'realm'";
        exit 1
fi
 
ha1=$(echo -n "$user:$realm:$pass"|md5sum |cut -f1 -d' ')
echo "$user:$realm:$ha1"

To add a user named test with the password 1234 to the file specified in our config I would just do :

./digest_user.sh test 1234 'Squid proxy-caching web server' >>/etc/squid/digest_passwd

Now all that's left to do is to set up the proper acls and http_access directives to allow the authenticated users to use the proxy server. I'm using this acl to match any user that can authenticate:

acl authenticated proxy_auth REQUIRED

And then this http_access directive before any other http_access directive:

http_access allow authenticated

This entry was posted on Tuesday, March 27th, 2007 at 9:03 pm and is filed under security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.