PfSense 2.2 : squid3 3.4.10_2 pkg 0.2.6 - Local Auth problem



  • I upgraded from 2.1.5 to 2.2.  The only add-on package I'm using is Squid3 3.4.10_2 pkg 0.2.6, which is configured for local user authentication.

    After the upgrade none of my proxy users could authenticate.  I figured out that all of the passwords in /var/etc/squid.passwd had been saved as DES instead of MD5.  According to the man page for ncsa_auth, DES doesn't support passwords longer than 8 characters, and all of my passwords are longer than that.

    I created a new squid.passwd with htpasswd on another machine and copied it into place.  Proxy users can authenticate again, but each time I change the Squid settings, I have to remember to copy the squid.passwd file back into place.

    How can I get the passwords to use MD5 again?



  • Hi, I'm facing the same situation here.

    If I type only the first 8 chars at the browser prompt it works.

    No idea how to fix it.

    regards.



  • It looks like it has to do with the PHP "crypt" function.



  • I realised that in either 2.1.5 and 2.2 or even 2.2.1 they crypt the password the same way, apparently using DES.

    The difference is that the squid auth helper in 2.1.5 seems to consider only the first 8 chars, so it works, but on 2.2 and beyond it seems to consider the whole string we type at the prompt, so when it exceeds 8 characters it doesn't work.

    Does anyone have a solution?

    Regards



  • I managed to get it working with MD5 passwords by editing /usr/local/pkg/squid.inc

    At line #1832 replaced:

    $contents .= $user['username'] . ':' . crypt($user['password'], base64_encode($user['password'])) . "\n";

    By

    $contents .= $user['username'] . ':' . crypt($user['password'], '$1$'.substr(base64_encode(rand()), 0, 8).'$') . "\n";

    It seems that it needs to format a 12-character salt for the MD5 crypt to work.

    Please test it if you can.
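
To check which entries in squid.passwd are DES and which are MD5 after a change like this, the hash format can be read from each line's prefix and length. This is an added example, not code from the pfSense package; the function names are hypothetical, and the sample hashes are constructed placeholders except the XXX entry, which is the one quoted in this thread.

```python
import re

# Constructed sample in "user:hash" format. Only the XXX entry comes from the
# thread; the alice and bob hashes are made-up placeholders of the right shape.
SAMPLE = """\
XXX:MTw.cMyHRyhkM
alice:$1$c2FsdHNh$0123456789abcdefghijkl
bob:$apr1$c2FsdHNh$0123456789abcdefghijkl
line-without-a-colon
"""

CRYPT_CHARS = r"[./0-9A-Za-z]"
SCHEMES = [
    # crypt(3) MD5: "$1$" + salt of up to 8 chars + "$" + 22 hash chars
    ("md5-crypt", re.compile(r"^\$1\$[^$]{1,8}\$" + CRYPT_CHARS + r"{22}$")),
    # Apache htpasswd -m variant of the same layout
    ("apr1-md5", re.compile(r"^\$apr1\$[^$]{1,8}\$" + CRYPT_CHARS + r"{22}$")),
    # Traditional DES crypt: 2 salt chars + 11 hash chars, no "$" prefix
    ("des-crypt", re.compile(r"^" + CRYPT_CHARS + r"{13}$")),
]


def classify(hash_field):
    """Name the hash scheme of one password field, or 'unknown'."""
    for name, pattern in SCHEMES:
        if pattern.match(hash_field):
            return name
    return "unknown"


def audit(text):
    """Return {user: scheme} for every well-formed user:hash line."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue  # skip blank or malformed lines
        user, hash_field = line.split(":", 1)
        result[user] = classify(hash_field)
    return result


def des_users(text):
    """Users whose stored hash is DES, i.e. limited to 8 password characters."""
    return sorted(u for u, s in audit(text).items() if s == "des-crypt")


if __name__ == "__main__":
    for user, scheme in audit(SAMPLE).items():
        print(f"{user}: {scheme}")
    print("DES entries:", des_users(SAMPLE))
```

To audit a real file, pass the contents of /var/etc/squid.passwd to `audit()` instead of `SAMPLE`.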



  • Hey,

    I have the same issues, but changing does not help.

    Where can I tell squid which password encryption to use? NCSA does not work even with passwords shorter than 8 letters.

    I created a Test-User with the password 1250; in squid.passwd it says XXX:MTw.cMyHRyhkM
    but I can not authenticate...

    EDIT: https://forum.pfsense.org/index.php?topic=91780.msg507913#msg507913
    I had the same missing link, but after correcting that error it does not work either...

    What's wrong? Help is very much appreciated!

    Thanks, flomow



  • :push: (TM)

    Am I the only one facing this problem?

    Thanks, flomow



  • @fdts:

    I managed to get it working with MD5 passwords by editing /usr/local/pkg/squid.inc

    At line #1832 replaced:

    $contents .= $user['username'] . ':' . crypt($user['password'], base64_encode($user['password'])) . "\n";

    By

    $contents .= $user['username'] . ':' . crypt($user['password'], '$1$'.substr(base64_encode(rand()), 0, 8).'$') . "\n";

    It seems that it needs to format a 12-character salt for the MD5 crypt to work.

    Please test it if you can.

    This works for me too.
    Thank you.


  • Banned

    There's no MD5, there's DES. See the crypt() docs. It silently truncates passwords to 8 chars - read e.g. here: http://www.certpal.com/blogs/2010/05/crypt-des-and-8-character-truncated-passwords/

    I cannot see how the patch here adding some MD5 salt nonsense to DES would work for anyone, it just doesn't make sense. Perhaps if you replaced crypt() with md5(), it'd actually do something meaningful?!

