--------------------- PatchSet 1255 Date: 2001/01/10 12:02:42 Author: rbcollins Branch: auth_digest Tag: (none) Log: update auth linbe, add documentation Members: src/auth/digest/helpers/password/digest_pw_auth.c:1.1.2.1->1.1.2.2
Index: squid/src/auth/digest/helpers/password/digest_pw_auth.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/auth/digest/helpers/password/Attic/digest_pw_auth.c,v
retrieving revision 1.1.2.1
retrieving revision 1.1.2.2
diff -u -r1.1.2.1 -r1.1.2.2
--- squid/src/auth/digest/helpers/password/digest_pw_auth.c	8 Jan 2001 01:58:11 -0000	1.1.2.1
+++ squid/src/auth/digest/helpers/password/digest_pw_auth.c	10 Jan 2001 12:02:42 -0000	1.1.2.2
@@ -1,19 +1,27 @@
 /*
- * ncsa_auth.c
+ * digest_pw_auth.c
  *
- * AUTHOR: Arjan de Vet
+ * AUTHOR: Robert Collins. Based on ncsa_auth.c by Arjan de Vet
  *
- * Example authentication program for Squid, based on the original
+ * Example digest authentication program for Squid, based on the original
  * proxy_auth code from client_side.c, written by
  * Jon Thackray .
  *
- * Uses a NCSA httpd style password file for authentication with the
- * following improvements suggested by various people:
- *
  * - comment lines are possible and should start with a '#';
  * - empty or blank lines are possible;
- * - extra fields in the password file are ignored; this makes it
- * possible to use a Unix password file but I do not recommend that.
+ * - file format is username:password
+ *
+ * To build a directory integrated backend, you need to be able to
+ * calculate the HA1 returned to squid. To avoid storing a plaintext
+ * password you can calculate MD5(username:realm:password) when the user changes their
+ * password, and store the tuple username:realm:HA1. then find the matching
+ * username:realm when squid asks for the HA1.
+ *
+ * This implementation could be improved by using such a triple for the file format.
+ * However storing such a triple does little to improve security: If compromised the
+ * username:realm:HA1 combination is "plaintext equivalent" - for the purposes of
+ * digest authentication they allow the user access. Password syncronisation
+ * is not tackled by digest - just preventing on the wire compromise.
  *
  */
@@ -144,9 +152,6 @@
 } else {
 DigestCalcHA1("md5",user,realm,u->passwd, NULL, NULL, HA1, HHA1);
 printf("%s\n",HHA1);
-// CvtBin(HHA1,THA1);
-// CvtHex(THA1,THHA1);
-// printf("%s\n",THHA1);
 }
 }
 exit(0);
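Review bot: The new header comment's statement that storing username:realm:HA1 "does little to improve security" understates the difference between the two file formats: HA1 is plaintext-equivalent only for digest access to that one realm, whereas the username:password format the helper now documents exposes the raw password itself, which a compromise then leaks for every other place the user reuses it. Suggest rewording that sentence to `However storing such a triple only partly improves security: if compromised, the username:realm:HA1 combination is "plaintext equivalent" for this realm - for the purposes of digest authentication it grants the user access, while the raw password itself is not exposed.` The same block should say that, because the file holds plaintext passwords, it must be readable only by the account the helper runs as; `syncronisation` should read `synchronisation` and `then find` should start with a capital. The second hunk only removes commented-out code and needs no change; its enclosing function starts and ends outside the hunk.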