Squid User Auth Encrypt?

Protecting your Linux box
sevensins
Havaldaar
Posts: 117
Joined: Tue Apr 13, 2004 1:45 pm
Location: PAKISTAN

Postby sevensins » Fri May 07, 2010 6:05 pm

Salaam,

I am using auth_param basic program /usr/lib/squid/squid_ldap_auth to authenticate users to Squid from LDAP. The user and pass are in clear text over the network. Is there any way to send them in an encrypted format?

Any pointers/suggestions would be highly appreciated.

Regards,

-----------------------------------------------------------------
A wise monkey never monkies w/ another monkey's monkey!

lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore

Postby lambda » Fri May 07, 2010 8:31 pm

If your LDAP server supports TLS, add a '-Z' parameter to squid_ldap_auth. Read its man page.
Watch out for the !
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?


Postby sevensins » Sat May 08, 2010 5:08 pm

Hi,

I have tried the following:

auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b "dc=domain,dc=com" -f "uid=%s" -h host.domain.com -p 636 -Z
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -v 3 -b "ou=Groups,dc=domain,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h host.domain.com -p 636 -Z


auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b "dc=domain,dc=com" -f "uid=%s" -h -H ldaps://host.domain.com -p 636
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -v 3 -b "ou=Groups,dc=domain,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h ldaps://host.domain.com -p 636


auth_param basic program /usr/lib/squid/squid_ldap_auth -Z -v 3 -b "dc=domain,dc=com" -f "uid=%s" -h host.domain.com
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -Z -v 3 -b "ou=Users,dc=domain,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h host.domain.com

auth_param basic children 10
auth_param basic realm MyNetwork
auth_param basic credentialsttl 2 hours
authenticate_ip_ttl 10 seconds
acl proxy external ldap_group grp1
acl localhost1 proxy_auth 127.0.0.1/32
acl authenticated proxy_auth REQUIRED


But the problem remains the same: the user and pass are still being sent in clear text between the user's browser and the proxy server. I think it may have something to do with the basic auth mechanism being used, or I may be wrong.

Any pointers would be highly appreciated.
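The three helper lines above touch only one of the two legs the password travels. The -h/-H/-p/-Z options decide how Squid talks to the LDAP server; the auth_param scheme (basic, digest, ntlm, negotiate) decides what the browser puts in the Proxy-Authorization header, and -Z never changes that. The audit below is an added example, not code from the thread or from the Squid project: it parses squid.conf-style helper lines (the ones posted above, plus one constructed auth_param negotiate line for contrast) and reports which leg each protects, flagging -Z combined with port 636 and a -h left without its host. The option table for squid_ldap_auth/squid_ldap_group is taken from their man pages.

```python
"""Audit which leg of the Squid credential path each helper line protects.

Added example, not from the thread. Two legs carry the password:
browser -> Squid (decided by the auth_param scheme) and Squid -> LDAP
(decided by the helper's -h/-H/-p/-Z options). -Z affects only the second.
"""
import shlex

# Options of squid_ldap_auth / squid_ldap_group that take a value (per their
# man pages); any other '-x' token is treated as a bare flag such as -Z.
OPTS_WITH_VALUE = set("bfusDwWHhpctva")

# What the browser-to-proxy leg exposes, per Squid auth scheme.
CLIENT_LEG = {
    "basic": "password in clear (base64 in Proxy-Authorization)",
    "digest": "MD5 challenge/response, password itself not sent",
    "ntlm": "NTLM challenge/response, password itself not sent",
    "negotiate": "Kerberos ticket (or NTLM inside SPNEGO), password not sent",
}

# Constructed sample: the lines posted above plus a negotiate line for contrast.
SAMPLE_CONF = """\
auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b "dc=domain,dc=com" -f "uid=%s" -h host.domain.com -p 636 -Z
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -v 3 -b "ou=Groups,dc=domain,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h host.domain.com -p 636 -Z
auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b "dc=domain,dc=com" -f "uid=%s" -h -H ldaps://host.domain.com -p 636
auth_param basic program /usr/lib/squid/squid_ldap_auth -Z -v 3 -b "dc=domain,dc=com" -f "uid=%s" -h host.domain.com
auth_param negotiate program /usr/sbin/squid_kerb_auth
"""


def parse_helper_args(args):
    """Split helper arguments into {option: [values]}; report options that
    expect a value but are followed by another option or by nothing."""
    opts, problems = {}, []
    i = 0
    while i < len(args):
        tok = args[i]
        if len(tok) == 2 and tok[0] == "-":
            opt = tok[1]
            if opt in OPTS_WITH_VALUE:
                nxt = args[i + 1] if i + 1 < len(args) else None
                if nxt is None or nxt.startswith("-"):
                    problems.append(f"-{opt} is missing its argument")
                    i += 1
                    continue
                opts.setdefault(opt, []).append(nxt)
                i += 2
                continue
            opts.setdefault(opt, []).append(True)
        i += 1
    return opts, problems


def ldap_transport(opts):
    """Classify the Squid-to-LDAP leg from -H / -p / -Z."""
    if any(str(u).startswith("ldaps://") for u in opts.get("H", [])):
        return "ldaps (TLS from the first byte)", []
    if "Z" in opts:
        port = opts.get("p", [None])[-1]
        problems = []
        if port == "636":
            problems.append("-Z sends a StartTLS request in plaintext, but port 636 expects "
                            "a TLS handshake first; use -Z with 389 or ldaps:// with 636")
        return "StartTLS", problems
    return "plaintext LDAP", []


def audit(conf_text):
    """Return one finding per helper line: program, scheme, legs, problems."""
    findings = []
    for line in conf_text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[0] == "auth_param" and len(tokens) > 3 and tokens[2] == "program":
            scheme, argv = tokens[1], tokens[3:]
        elif tokens[0] == "external_acl_type":
            # skip the format tokens (%LOGIN ...) up to the helper path
            start = next(i for i, t in enumerate(tokens) if t.startswith("/"))
            scheme, argv = None, tokens[start:]
        else:
            continue
        finding = {"program": argv[0], "scheme": scheme, "problems": []}
        if scheme:
            finding["client_leg"] = CLIENT_LEG.get(scheme, "unknown scheme")
        if "ldap" in argv[0]:
            opts, problems = parse_helper_args(argv[1:])
            finding["ldap_leg"], more = ldap_transport(opts)
            finding["problems"] = problems + more
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print(f"{f['program']}: scheme={f['scheme']} client_leg={f.get('client_leg', 'n/a')} "
              f"ldap_leg={f.get('ldap_leg', 'n/a')}")
        for p in f["problems"]:
            print("  !", p)
```

Run it and every basic line reports the browser leg as cleartext whatever the LDAP leg says; that is the symptom described in the post. The StartTLS-on-636 finding also explains why the first variant cannot even reach the directory: the ldaps listener expects a TLS ClientHello, not a plaintext LDAP extended operation.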


Postby lambda » Sun May 09, 2010 8:56 pm



Postby sevensins » Mon May 10, 2010 1:35 am



Postby sevensins » Fri May 14, 2010 10:18 pm

Salaam All,

Moving from digest auth... below are two tests. What I would like to know is:

1. If using Kerberos to auth from Windows Active Directory, with NTLM as a fallback method for clients that do not support Kerberos auth, will it fall back to NTLM auth?

2. In both Kerberos and NTLM, are the user and pass sent from the client browser to Squid, and from Squid to the KDC/AD, encrypted uniquely?

3. Can a user/pass be sniffed on the network with a simple tool like Wireshark, and decrypted using any tools?

4. Kerberos and NTLM: which is more prone to a man-in-the-middle attack?


The two settings are as follows for your kind perusal:

---------------------------------------------------------------------------------------------------------------
Test 1

auth_param negotiate program /usr/local/libexec/squid/squid_kerb_auth -d -s HTTP/proxy.me@me.com
auth_param negotiate children 15
auth_param negotiate keep_alive on

auth_param ntlm program /usr/local/bin/ntlm_auth -d 0 --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15

auth_param basic program /usr/local/libexec/squid/pam_auth
auth_param basic children 25
auth_param basic realm Squid[Kamtelecom]
auth_param basic credentialsttl 1 minute
auth_param basic casesensitive off

acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers

-------------------------------------------------------------------------------------------------------

Test 2

auth_param negotiate program /usr/sbin/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on

auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
auth_param ntlm use_ntlm_negotiate on

# warning: basic authentication sends passwords plaintext
# a network sniffer can and will discover passwords
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers
----------------------------------------------------------------


Postby lambda » Fri May 14, 2010 11:36 pm

Your digest or basic auth settings in Squid have nothing to do with how you authenticate users. All digest auth does is protect the communication between the client browser and Squid.
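To make the difference between the two schemes concrete, here is an added example (not code from the thread or from Squid) that builds the Proxy-Authorization header each scheme sends and then plays the sniffer and the proxy against it. With Basic, one base64 decode returns the password. With Digest (RFC 2617, qop=auth, the form browsers use), the header carries an MD5 response bound to the realm, the server nonce, a client nonce, the nonce count and the request; the proxy verifies it from HA1 = MD5(user:realm:password) alone, which is what a Squid digest helper returns, so the password never crosses the wire. The user name, realm, URI and nonce values are constructed.

```python
"""What Basic and Digest put on the wire between browser and Squid.

Added example, not from the thread. Basic sends base64(user:password);
Digest sends an MD5 response the proxy can check from HA1 without ever
seeing the password. Sample user, realm, URI and nonces are constructed.
"""
import base64
import hashlib
import secrets


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(user, password):
    """Client side of Basic: the whole secret, merely base64-encoded."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Proxy-Authorization: Basic {token}"


def recover_from_basic(header):
    """What a sniffer does with a captured Basic header: one decode.
    partition() keeps a ':' inside the password intact."""
    token = header.split(" Basic ", 1)[1].strip()
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def ha1(user, realm, password):
    """The only secret material the proxy needs to keep for Digest."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_header(user, realm, password, method, uri, nonce, cnonce=None, nc="00000001"):
    """Client side of Digest (RFC 2617, qop=auth)."""
    cnonce = cnonce or secrets.token_hex(8)
    ha2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(f"{ha1(user, realm, password)}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    fields = [f'username="{user}"', f'realm="{realm}"', f'nonce="{nonce}"', f'uri="{uri}"',
              "qop=auth", f"nc={nc}", f'cnonce="{cnonce}"', f'response="{response}"']
    return "Proxy-Authorization: Digest " + ", ".join(fields)


def parse_digest(header):
    """Split the Digest header into its key/value fields."""
    body = header.split(" Digest ", 1)[1]
    fields = {}
    for part in body.split(", "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip().strip('"')
    return fields


def verify_digest(header, method, stored_ha1):
    """Proxy side: recompute the response from HA1 and the header's own
    fields. The cleartext password is not needed and is not on the wire."""
    f = parse_digest(header)
    ha2 = md5_hex(f"{method}:{f['uri']}")
    expected = md5_hex(f"{stored_ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:{f['qop']}:{ha2}")
    return secrets.compare_digest(expected, f["response"])


if __name__ == "__main__":
    b = basic_header("alice", "s3cret!")
    print(b, "->", recover_from_basic(b))
    d = digest_header("alice", "MyNetwork", "s3cret!", "GET", "http://example.com/", nonce="5f1a9c0e")
    print(d)
    print("password visible in Digest header:", "s3cret!" in d)
    print("verifies from HA1 only:", verify_digest(d, "GET", ha1("alice", "MyNetwork", "s3cret!")))
```

Two caveats a practitioner should keep in mind. Digest hides the password but not much else: a captured exchange still allows offline guessing against the MD5 response, and the scheme does not authenticate the proxy to the browser. And because Squid's digest scheme needs the helper to hand back the user's password or HA1, a helper that only binds to LDAP as the user cannot serve it; Squid ships digest_ldap_auth, which reads the password or HA1 from an LDAP attribute instead.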


Postby sevensins » Sat May 15, 2010 2:02 am

