Salaam,
I am using auth_param basic program /usr/lib/squid/squid_ldap_auth to authenticate users using Squid from LDAP. The user and pass are in clear text over the network. Any way to send it in an encrypted format?
Any pointers/suggestions would be highly appreciated.
Regards
Squid User Auth Encrypt?
Regards,
-----------------------------------------------------------------
A wise monkey never monkies w/ another monkey's monkey!
If your LDAP server supports TLS, add a '-Z' parameter to squid_ldap_auth. Read its man page.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
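As an added check (not code from the thread or from the Squid project), the small linter below reads squid.conf lines and reports the two separate hops this thread keeps mixing up: the basic scheme, which carries the browser's password to the proxy in reversible base64, and squid_ldap_auth / squid_ldap_group, which talk plain LDAP unless given -Z (STARTTLS) or an -H ldaps:// URI. It also encodes two man-page facts worth knowing before trying the '-Z' advice: -h expects a hostname while -H expects a URI, and -Z negotiates STARTTLS on a plain port such as 389, so pairing it with -p 636 (the ldaps port, which expects TLS from the first byte) is a likely misconfiguration. The sample config is constructed, modelled on the settings posted later in the thread.

```python
"""squid.conf linter for the browser->Squid and Squid->LDAP hops (added example)."""
import os
import shlex

LDAP_HELPERS = {"squid_ldap_auth", "squid_ldap_group"}
CLEARTEXT_SCHEMES = {"basic"}   # base64 is an encoding, not encryption

# Constructed sample, modelled on the thread's configs (not a real deployment).
SAMPLE_CONF = """\
auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b "dc=domain,dc=com" -f "uid=%s" -h host.domain.com -p 636 -Z
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -v 3 -b "ou=Groups,dc=domain,dc=com" -f "(&(cn=%g)(memberUid=%u))" -H ldaps://host.domain.com
external_acl_type ldap_group2 %LOGIN /usr/lib/squid/squid_ldap_group -b "ou=Groups,dc=domain,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h ldaps://host.domain.com -p 636
auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b "dc=domain,dc=com" -f "uid=%s" -h host.domain.com
auth_param digest program /usr/lib/squid/digest_pw_auth /etc/squid/digest_passwd
auth_param basic realm MyNetwork
acl authenticated proxy_auth REQUIRED
"""


def ldap_checks(args):
    """Inspect the argument list of an LDAP helper; return (code, message) pairs."""
    out = []
    starttls = "-Z" in args
    ldaps = False
    port = None
    for i, tok in enumerate(args):
        nxt = args[i + 1] if i + 1 < len(args) else ""
        if tok == "-H" and nxt.lower().startswith("ldaps://"):
            ldaps = True
        if tok == "-h" and "://" in nxt:
            out.append(("H_EXPECTS_HOSTNAME",
                        f"-h takes a hostname, not {nxt!r}; use -H for an LDAP URI"))
        if tok == "-p":
            port = nxt
    if not (starttls or ldaps):
        out.append(("LDAP_PLAIN",
                    "no -Z and no -H ldaps:// URI: helper is not configured for TLS"))
    if starttls and port == "636":
        out.append(("STARTTLS_ON_636",
                    "-Z (STARTTLS) with -p 636: 636 expects TLS from the first byte; "
                    "use -Z with 389 or -H ldaps:// instead"))
    return out


def lint(conf_text):
    """Return a list of (line_number, code, message) findings for a squid.conf text."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        scheme, helper, args = None, None, []
        if tokens[0] == "auth_param" and len(tokens) > 3 and tokens[2] == "program":
            scheme, helper, args = tokens[1], tokens[3], tokens[4:]
        elif tokens[0] == "external_acl_type":
            # helper path is the first token that looks like an absolute path
            idx = next((i for i, t in enumerate(tokens) if t.startswith("/")), None)
            if idx is not None:
                helper, args = tokens[idx], tokens[idx + 1:]
        if scheme in CLEARTEXT_SCHEMES:
            findings.append((n, "BASIC_CLEARTEXT",
                             "basic scheme: browser sends the password to the proxy in "
                             "reversible encoding; prefer digest or negotiate"))
        if helper and os.path.basename(helper) in LDAP_HELPERS:
            findings.extend((n, code, msg) for code, msg in ldap_checks(args))
    return findings


if __name__ == "__main__":
    for lineno, code, msg in lint(SAMPLE_CONF):
        print(f"line {lineno}: {code}: {msg}")
```

Run it against a real squid.conf with `lint(open("/etc/squid/squid.conf").read())`; a clean result means every LDAP helper is on TLS and no basic scheme is active, which is the state the rest of this thread works towards.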
Hi!
I have tried the following:
auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b "dc=domain,dc=com" -f "uid=%s" -h host.domain.com -p 636 -Z
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -v 3 -b "ou=Groups,dc=domain,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h host.domain.com -p 636 -Z
auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b "dc=domain,dc=com" -f "uid=%s" -H ldaps://host.domain.com -p 636
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -v 3 -b "ou=Groups,dc=domain,dc=com" -f "(&(cn=%g)(memberUid=%u))" -H ldaps://host.domain.com -p 636
auth_param basic program /usr/lib/squid/squid_ldap_auth -Z -v 3 -b "dc=domain,dc=com" -f "uid=%s" -h host.domain.com
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -Z -v 3 -b "ou=Users,dc=domain,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h host.domain.com
auth_param basic children 10
auth_param basic realm MyNetwork
auth_param basic credentialsttl 2 hours
authenticate_ip_ttl 10 seconds
acl proxy external ldap_group grp1
acl localhost1 proxy_auth 127.0.0.1/32
acl authenticated proxy_auth REQUIRED
But the problem remains the same: the user and pass are still being sent in clear text between the user's browser and the proxy server. I think it may have something to do with the basic auth mechanism being used, or I may be wrong.
Any pointers would be highly appreciated.
Regards,
-----------------------------------------------------------------
A wise monkey never monkies w/ another monkey's monkey!
> the user and pass is still being sent in clear text between the user browser and proxy server.

If your concern was the communication between the browser and Squid, why didn't you mention this in your original post? By mentioning Squid and LDAP, it sounds exactly as if you're trying to prevent Squid from talking to the LDAP server unencrypted. Who cares how you authenticate users on the Squid side? It's not relevant at all.
Switch to digest authentication.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
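To show what "switch to digest authentication" buys on the browser-to-proxy hop, here is an added example (not code from the thread, and not Squid's own implementation) that models both sides of an RFC 2617 Digest exchange with qop=auth and MD5: the proxy issues a nonce, the browser answers with a hash that commits to user, realm, nonce, method and URI, and the proxy verifies it from a stored HA1 without the password ever crossing the wire. Nonces are treated as single-use so a replayed header is rejected. A last helper flags captured Proxy-Authorization lines that still use the Basic scheme. The user, password, URI and realm are constructed values; only the realm name MyNetwork is taken from the thread's config.

```python
"""Digest versus Basic on the browser<->proxy hop (added example, not Squid code)."""
import hashlib
import secrets

REALM = "MyNetwork"   # realm value from the thread's squid.conf


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password): what the proxy side stores, not the password."""
    return _md5(f"{user}:{realm}:{password}")


def proxy_challenge(realm: str = REALM) -> dict:
    """Parameters the proxy puts in Proxy-Authenticate: Digest (fresh nonce each time)."""
    return {"realm": realm, "nonce": secrets.token_hex(16), "qop": "auth"}


def client_response(user, password, method, uri, challenge, nc="00000001", cnonce=None):
    """Build the Proxy-Authorization header value a browser would send back."""
    cnonce = cnonce or secrets.token_hex(8)
    a1 = ha1(user, challenge["realm"], password)
    a2 = _md5(f"{method}:{uri}")
    response = _md5(f"{a1}:{challenge['nonce']}:{nc}:{cnonce}:{challenge['qop']}:{a2}")
    quoted = [("username", user), ("realm", challenge["realm"]),
              ("nonce", challenge["nonce"]), ("uri", uri)]
    bare = [("qop", challenge["qop"]), ("nc", nc)]
    tail = [("cnonce", cnonce), ("response", response)]
    parts = ([f'{k}="{v}"' for k, v in quoted] + [f"{k}={v}" for k, v in bare]
             + [f'{k}="{v}"' for k, v in tail])
    return "Digest " + ", ".join(parts)


def parse_digest(params: str) -> dict:
    """Parse 'k="v", k=v, ...' into a dict (values here never contain ', ')."""
    out = {}
    for part in params.split(", "):
        key, _, value = part.partition("=")
        out[key.strip()] = value.strip().strip('"')
    return out


def proxy_verify(header, method, users_ha1, issued_nonces):
    """Proxy-side check from stored HA1. Nonces are single-use, so a replay fails."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        return False
    p = parse_digest(params)
    user, nonce = p.get("username"), p.get("nonce")
    if nonce not in issued_nonces or user not in users_ha1:
        return False
    a2 = _md5(f"{method}:{p.get('uri', '')}")
    expected = _md5(f"{users_ha1[user]}:{nonce}:{p.get('nc', '')}:"
                    f"{p.get('cnonce', '')}:{p.get('qop', '')}:{a2}")
    if not secrets.compare_digest(expected, p.get("response", "")):
        return False
    issued_nonces.discard(nonce)   # consume the nonce: same header cannot be replayed
    return True


def flag_cleartext(header_lines):
    """Return (scheme, is_cleartext) for each Proxy-Authorization line in a capture."""
    result = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "proxy-authorization":
            continue
        scheme = value.strip().split(" ", 1)[0]
        result.append((scheme, scheme.lower() == "basic"))
    return result


if __name__ == "__main__":
    ch = proxy_challenge()
    store = {"alice": ha1("alice", REALM, "s3cret")}      # constructed test user
    hdr = client_response("alice", "s3cret", "GET", "http://example.test/", ch)
    print("password visible in header:", "s3cret" in hdr)
    print("first use verifies:", proxy_verify(hdr, "GET", store, {ch["nonce"]}))
    print(flag_cleartext(["Proxy-Authorization: Basic YWxpY2U6czNjcmV0",
                          "Proxy-Authorization: " + hdr]))
```

The proxy never needs the password itself, only HA1, which is why a digest helper can hand Squid a hash rather than a secret. What Digest does not do is protect anything past the proxy: the Squid-to-LDAP hop still needs its own TLS, which is the point the reply above makes.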
As the LDAP server is also used for email and desktop user auth among other services, the user and pass are in plain text over the network and thus can be sniffed with a simple Wireshark scan.
The connection between Squid and LDAP has been switched to a secure connection with the help you extended.
Yes, switched to digest auth. Will report back on the outcome.
Regards,
-----------------------------------------------------------------
A wise monkey never monkies w/ another monkey's monkey!
Salaam All,
Moving on from digest auth, below are 02 tests. What I would like to know is:
1. If using Kerberos to auth from Windows Active Directory, having NTLM as a fallback method for clients that do not support Kerberos auth, will it fall back to NTLM auth?
2. Both in Kerberos and NTLM, are the user and pass sent from client browser to Squid and Squid to KDC/AD encrypted uniquely?
3. Can a user/pass be sniffed with a simple tool like Wireshark on the network, using any tools to decrypt?
4. Kerberos and NTLM: which is more prone to a man-in-the-middle attack?
The 02 settings are as follows for your kind perusal.
---------------------------------------------------------------------------------------------------------------
Test 1
auth_param negotiate program /usr/local/libexec/squid/squid_kerb_auth -d -s HTTP/proxy.me@me.com
auth_param negotiate children 15
auth_param negotiate keep_alive on
auth_param ntlm program /usr/local/bin/ntlm_auth -d 0 --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param basic program /usr/local/libexec/squid/pam_auth
auth_param basic children 25
auth_param basic realm Squid[Kamtelecom]
auth_param basic credentialsttl 1 minute
auth_param basic casesensitive off
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers
-------------------------------------------------------------------------------------------------------
Test 2
auth_param negotiate program /usr/sbin/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
auth_param ntlm use_ntlm_negotiate on
# warning: basic authentication sends passwords plaintext
# a network sniffer can and will discover passwords
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers
----------------------------------------------------------------
Regards,
-----------------------------------------------------------------
A wise monkey never monkies w/ another monkey's monkey!
Your digest or basic auth settings in Squid have nothing to do with how you authenticate users. All digest auth does is protect the communication between the client browser and Squid.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
Alright, so this is what I understand:
auth_param negotiate program /usr/local/libexec/squid/squid_kerb_auth -d -s HTTP/proxy.me@me.com
auth_param negotiate children 15
auth_param negotiate keep_alive on
auth_param ntlm program /usr/local/bin/ntlm_auth -d 0 --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param digest program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
#auth_param digest children 5
#auth_param digest realm Squid proxy-caching web server
#auth_param digest nonce_garbage_interval 5 minutes
#auth_param digest nonce_max_duration 30 minutes
#auth_param digest nonce_max_count 50
acl auth proxy_auth REQUIRED
http_access deny !auth
http_access allow auth
http_access deny all
will ensure that no clear text user/pass is sent over the network from browser to Squid and Squid to the KDC/AD and vice versa.
Regards,
-----------------------------------------------------------------
A wise monkey never monkies w/ another monkey's monkey!