Squid User Auth Encrypt?

Protecting your Linux box
sevensins
Havaldaar
Posts: 117
Joined: Tue Apr 13, 2004 1:45 pm
Location: PAKISTAN


Post by sevensins »

Salaam,

I am using auth_param basic program /usr/lib/squid/squid_ldap_auth to authenticate users using squid from ldap. The user and pass are in clear text over the network. Any way to send it in an encrypted format??

Any pointers/suggestions would be highly appreciated.

regards
Regards,

-----------------------------------------------------------------
A wise monkey never monkies w/ another monkey's monkey!
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore

Post by lambda »

if your ldap server supports tls, add a '-Z' parameter to squid_ldap_auth. read its man page.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
sevensins
Havaldaar
Posts: 117
Joined: Tue Apr 13, 2004 1:45 pm
Location: PAKISTAN

Post by sevensins »

Hi!,

I have tried the following

auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b "dc=domain,dc=com" -f "uid=%s" -h host.domain.com -p 636 -Z
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -v 3 -b "ou=Groups,dc=domain,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h host.domain.com -p 636 -Z


auth_param basic program /usr/lib/squid/squid_ldap_auth -v 3 -b "dc=domain,dc=com" -f "uid=%s" -H ldaps://host.domain.com -p 636
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -v 3 -b "ou=Groups,dc=domain,dc=com" -f "(&(cn=%g)(memberUid=%u))" -H ldaps://host.domain.com -p 636


auth_param basic program /usr/lib/squid/squid_ldap_auth -Z -v 3 -b "dc=domain,dc=com" -f "uid=%s" -h host.domain.com
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -Z -v 3 -b "ou=Users,dc=domain,dc=com" -f "(&(cn=%g)(memberUid=%u))" -h host.domain.com

auth_param basic children 10
auth_param basic realm MyNetwork
auth_param basic credentialsttl 2 hours
authenticate_ip_ttl 10 seconds
acl proxy external ldap_group grp1
acl localhost1 src 127.0.0.1/32
acl authenticated proxy_auth REQUIRED


but the problem remains the same.. the user and pass are still being sent in clear text between the user browser and proxy server. I think it may have something to do with the basic auth mechanism being used, or I may be wrong.

Any pointers would be highly appreciated.
Regards,

-----------------------------------------------------------------
A wise monkey never monkies w/ another monkey's monkey!
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore

Post by lambda »

the user and pass is still being sent in clear text between the user browser and proxy server.
if your concern was the communication between the browser and squid, why didn't you mention this in your original post? by mentioning squid and ldap, it sounds exactly as if you're trying to prevent squid from talking to the ldap server unencrypted. who cares how you authenticate users on the squid side? it's not relevant at all.

switch to digest authentication.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
sevensins
Havaldaar
Posts: 117
Joined: Tue Apr 13, 2004 1:45 pm
Location: PAKISTAN

Post by sevensins »

As the ldap server is also used for email and desktop user auth among other services, the user and pass are in plain text over the network and thus can be sniffed with a simple wireshark scan.
The connection between squid and ldap has been switched to secure connections with the help you extended.

Yes switched to digest auth.. Will report back on the outcome.
Regards,

-----------------------------------------------------------------
A wise monkey never monkies w/ another monkey's monkey!
sevensins
Havaldaar
Posts: 117
Joined: Tue Apr 13, 2004 1:45 pm
Location: PAKISTAN

Post by sevensins »

Salaam All,

Moving from digest auth... below are 02 tests.. what I would like to know is

1. if using kerberos to auth from windows active directory, having ntlm as a fall back method for clients that do not support kerberos auth, will it fall back to ntlm auth??

2. both in kerberos and ntlm, is the user and pass sent from client browser to squid and squid to KDC/AD encrypted uniquely??

3. Can a user/pass be sniffed with a simple tool like wireshark on the network using any tools to decrypt??

4. kerberos and ntlm.. which is more prone to man in the middle attack?


The 02 settings are as follows for your kind perusal

---------------------------------------------------------------------------------------------------------------
Test 1

auth_param negotiate program /usr/local/libexec/squid/squid_kerb_auth -d -s HTTP/proxy.me@me.com
auth_param negotiate children 15
auth_param negotiate keep_alive on

auth_param ntlm program /usr/local/bin/ntlm_auth -d 0 --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15

auth_param basic program /usr/local/libexec/squid/pam_auth
auth_param basic children 25
auth_param basic realm Squid[Kamtelecom]
auth_param basic credentialsttl 1 minute
auth_param basic casesensitive off

acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers

-------------------------------------------------------------------------------------------------------

Test 2

auth_param negotiate program /usr/sbin/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on

auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
auth_param ntlm use_ntlm_negotiate on

# warning: basic authentication sends passwords plaintext
# a network sniffer can and will discover passwords
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers
----------------------------------------------------------------
Regards,

-----------------------------------------------------------------
A wise monkey never monkies w/ another monkey's monkey!
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore

Post by lambda »

your digest or basic auth settings in squid have nothing to do with how you authenticate users. all digest auth does is protect the communication between the client browser and squid.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
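To make lambda's point concrete (added example, not code from the thread): what actually crosses the wire between the browser and squid under basic versus digest. The user, password, realm and nonce below are constructed sample values; the digest is RFC 2617 MD5 without qop, and the squid helper side is not modelled.

```python
import base64
import hashlib
import re

# Constructed sample values; not taken from the thread.
USER, PASSWORD, REALM = "sevensins", "s3cret-example", "MyNetwork"
NONCE, METHOD, URI = "0123456789abcdef", "GET", "http://example.com/"


def basic_header(user, password):
    """Basic: base64 of user:password. Encoding, not encryption, so reversible."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Proxy-Authorization: Basic {token}"


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, realm, nonce, method, uri):
    """RFC 2617 digest (no qop): only this hash crosses the wire, never the password."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def digest_header(user, password, realm, nonce, method, uri):
    resp = digest_response(user, password, realm, nonce, method, uri)
    return (f'Proxy-Authorization: Digest username="{user}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}"')


def classify(header):
    """Return (scheme, username, password_exposed) for a Proxy-Authorization header.
    Only the username is reported; a password in a Basic token is never echoed."""
    m = re.match(r"Proxy-Authorization:\s*(\w+)\s+(.*)", header)
    if not m:
        return ("none", None, False)
    scheme, rest = m.group(1).lower(), m.group(2)
    if scheme == "basic":
        return ("basic", base64.b64decode(rest).decode().split(":", 1)[0], True)
    if scheme == "digest":
        u = re.search(r'username="([^"]*)"', rest)
        return ("digest", u.group(1) if u else None, False)
    return (scheme, None, False)  # negotiate/ntlm carry opaque tokens, no clear password


def verify_digest(header, ha1, nonce, method):
    """Proxy side: needs only the stored HA1 and the nonce it issued, not the password."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', header))
    if fields.get("nonce") != nonce:
        return False  # replayed or foreign nonce
    ha2 = md5hex(f"{method}:{fields['uri']}")
    return md5hex(f"{ha1}:{nonce}:{ha2}") == fields.get("response")
```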
sevensins
Havaldaar
Posts: 117
Joined: Tue Apr 13, 2004 1:45 pm
Location: PAKISTAN

Post by sevensins »

alright so this is what I understand.

auth_param negotiate program /usr/local/libexec/squid/squid_kerb_auth -d -s HTTP/proxy.me@me.com
auth_param negotiate children 15
auth_param negotiate keep_alive on

auth_param ntlm program /usr/local/bin/ntlm_auth -d 0 --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15

auth_param digest program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
#auth_param digest children 5
#auth_param digest realm Squid proxy-caching web server
#auth_param digest nonce_garbage_interval 5 minutes
#auth_param digest nonce_max_duration 30 minutes
#auth_param digest nonce_max_count 50

acl auth proxy_auth REQUIRED
http_access deny !auth
http_access allow auth
http_access deny all

will ensure that no clear text user/pass is sent over the network from browser to squid and squid to the KDC/AD and vice versa. :)
Regards,

-----------------------------------------------------------------
A wise monkey never monkies w/ another monkey's monkey!