SQUID authentication accepts similar passwords :O
I'm running squid on CentOS 6.4.
This are the step I used to install it:
yum install squid -y
this the squid.conf parameters: # add auth_params auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd auth_param basic children 2 auth_param basic realm My Proxy Server auth_param basic credentialsttl 24 hours auth_param basic casesensitive off # add acl rules acl users proxy_auth REQUIRED # http access rules http_access deny !users http_access allow users
some commands to configure the password:
touch /etc/squid/passwd chown root.squid /etc/squid/passwd chmod 640 /etc/squid/passwd htpasswd /etc/squid/passwd username
Suppose that in the
htpasswd /etc/squid/passwd username
command I type a password like this:
now when the browsers asks me for auth if I type a password like this:
the password is accepted
the passwords, clearly don't match but it is accepted.
what a crappy authentication is this?
from that note it seems that with Squid 3.1 it is possible to workaround the problem using
htpasswd -m /etc/squid/passwd username
in this way, I'm not able to authenticate anymore…
I installed squid 3.3.6 and I have the same problem.
If you'll create a passwordfile with "htpasswd -m" uses md5 that saves whole password.
Note that usually all passwords in the file need to be in the same format for anything to work.
Glancing at the .txt, the MD5 option works both with Squid 3.1 and 3.3.
So, maybe rename the old passwordfile, create a new one and make a user entry…
% mv sqpasswd old.sqpasswd % touch sqpasswd % htpasswd -m sqpasswd username
% cat sqpasswd username:$apr1$blAHBLah1234
The $apr1$ part is the MD5-encoding marker.
Then maybe restart squid just in case, and try to authenticate.