Squid and Digest Authentication

This week I want to review Digest authentication, which is a step up from Basic proxy authentication: not the best choice, but an improvement.

Digest Authentication hashes the password before transmitting it over the wire. Essentially it sends a message digest generated from multiple items including the username, realm and nonce value. If you want to know more, see RFC 2617. The thing to remember is that both Basic and Digest are on the weak end of the authentication security spectrum. If your only choices are Basic and Digest, the lesser of two evils is Digest.

Digest is very similar to Basic from a configuration perspective. Squid uses an external helper program to facilitate the authentication process. From a Squid configuration perspective, the following pieces are required in the “OPTIONS FOR AUTHENTICATION” section of squid.conf:

auth_param digest program
auth_param digest children
auth_param digest realm
auth_param digest nonce_garbage_interval
auth_param digest nonce_max_duration
auth_param digest nonce_max_count

The following parameters are similar in nature to Basic authentication:

auth_param digest program – location of the external helper program
auth_param digest children – number of spawned helper processes that service user authentication requests
auth_param digest realm – string presented to the user in the authentication prompt

Digest authentication introduces the concept of a ‘nonce’ (number used once). This is a generated value (in this case generated by Squid). The client uses this value in conjunction with the password during the hashing process. Without nonce-salting, captured hashed passwords could be replayed. The ‘nonce’ value is regenerated at specified intervals to ensure its continual uniqueness.

auth_param digest nonce_garbage_interval – specifies how often Squid should clean up its nonce cache
auth_param digest nonce_max_duration – specifies how long a nonce value remains valid
auth_param digest nonce_max_count – places a limit on how many times a nonce value may be used

The last piece of this puzzle is a database of valid users and their associated passwords. Typically this information is in a hashed text file stored on the Squid server. Note that Squid does not offer any capabilities for managing this file; most users generate it manually or with scripts.

On an Ubuntu based Squid server the Digest helper program is located in the following location:

/usr/lib/squid3/digest_pw_auth

Given the above configuration parameters, the final product should look like this:

auth_param digest program /usr/lib/squid3/digest_pw_auth -c /etc/squid3/password-file
auth_param digest children 5
auth_param digest realm My Realm
auth_param digest nonce_garbage_interval 5 minutes
auth_param digest nonce_max_duration 30 minutes
auth_param digest nonce_max_count 50

Don’t forget you must adjust Squid ACLs. The procedure is identical to Basic Auth reviewed last week.

Regarding the password file, it should be hashed to keep prying eyes off user passwords. By the way, “-c” in the above program parameter means you’re specifying the location of a hashed password file.
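To show what the hashed password file holds and how the nonce ties into the response check, here is an added Python example (not Squid's or digest_pw_auth's own code): it produces the user:realm:HA1 line that the -c file format uses, computes the RFC 2617 response for qop=auth, and applies a per-nonce usage limit in the spirit of nonce_max_count. The NonceTracker class and verify function are my own illustration of the proxy-side logic, not Squid's implementation.

```python
import hashlib
import hmac

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def ha1(user: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password). This is the value a
    hashed (-c) password file stores instead of the cleartext password."""
    return md5_hex(f"{user}:{realm}:{password}")

def password_file_line(user: str, realm: str, password: str) -> str:
    # One line of the hashed file given to digest_pw_auth -c: user:realm:HA1
    return f"{user}:{realm}:{ha1(user, realm, password)}"

def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2),
    where HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class NonceTracker:
    """Illustrative proxy-side bookkeeping (not Squid's code): a nonce may be
    used at most max_count times and the client's nc must strictly increase,
    so a captured Authorization header is rejected if presented again."""

    def __init__(self, max_count: int):
        self.max_count = max_count
        self.last_nc = {}  # nonce -> highest nonce-count accepted so far

    def accept(self, nonce: str, nc: str) -> bool:
        count = int(nc, 16)  # nc is an 8-digit hex counter
        if count <= self.last_nc.get(nonce, 0) or count > self.max_count:
            return False
        self.last_nc[nonce] = count
        return True

def verify(file_line, method, uri, nonce, nc, cnonce, response, tracker):
    """Check a client's response against a stored user:realm:HA1 line;
    only a correct response consumes a nonce count."""
    _user, _realm, stored_ha1 = file_line.split(":", 2)
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    if not hmac.compare_digest(expected, response):
        return False
    return tracker.accept(nonce, nc)
```

The test values below are the worked example from RFC 2617 section 3.5 (user Mufasa, realm testrealm@host.com), so the output can be checked against the RFC itself.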

This concludes Digest authentication; don’t forget to restart your proxy server. Next week I’ll talk about NTLM authentication, since most of you are using Windows networks.

To find out more visit: www.digitalboundary.net/wp