Bug #6681

closed

Squid local auth password handling is weak and only accepting short passwords

Added by Jim Pingle over 7 years ago. Updated over 7 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Squid
Target version: -
Start date: 08/04/2016
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

The password handling in squid for local auth is using crypt() with default settings and cutting off passwords short (which is expected due to the weak defaults of crypt).

Needs beefed up a bit and tested.

Actions #1

Updated by Jim Pingle over 7 years ago

  • Status changed from Assigned to Feedback

I just pushed a fix to change this to SHA512, which is working well even with long passwords (I only tried up to 32 chars though).

I tried blowfish first, but squid wouldn't accept passwords hashed that way.

Actions #2

Updated by Steve Wheeler over 7 years ago

Tested this with a long password that failed in 0.4.21.

Works as expected in 0.4.22. Rejects incorrect password. Rejects truncated password. Accepts full password.

Actions #3

Updated by Jim Pingle over 7 years ago

  • Status changed from Feedback to Resolved

Tested and working here as well.
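
The truncation this issue describes, as an added example that is not part of the original thread or the package's own code: with a two-character salt PHP's crypt() selects traditional DES crypt, which ignores everything past the eighth character, while a `$6$` salt selects SHA-512 crypt and uses the whole password. It assumes the weak default in question is DES crypt and that the hashing is done from PHP; the helper names and the sample password are constructed for illustration.

```php
<?php
// Added example. Helper names are hypothetical; the password is a constructed sample.

// Weak form: a two-character salt selects traditional DES crypt,
// which only uses the first 8 characters of the password.
function hash_des(string $password): string
{
    return crypt($password, 'ab');
}

// Stronger form: a "$6$" prefix selects SHA-512 crypt, which hashes the full password.
function hash_sha512(string $password): string
{
    // 12 random bytes encode to 16 base64 characters; map '+' into the
    // crypt salt alphabet [./0-9A-Za-z].
    $salt = strtr(base64_encode(random_bytes(12)), '+', '.');
    return crypt($password, '$6$' . $salt . '$');
}

// Verify by re-hashing the candidate with the stored hash as the salt argument,
// then comparing in constant time.
function verify(string $candidate, string $stored): bool
{
    return hash_equals($stored, crypt($candidate, $stored));
}

$full      = 'correct-horse-battery-staple';   // constructed sample
$truncated = substr($full, 0, 8);              // first 8 characters only
$wrong     = 'not-the-password';

$stored = [
    'DES'     => hash_des($full),
    'SHA-512' => hash_sha512($full),
];

// The same three checks reported in the thread: full, truncated, incorrect.
foreach ($stored as $scheme => $hash) {
    printf(
        "%-8s full=%-5s truncated=%-5s wrong=%s\n",
        $scheme,
        var_export(verify($full, $hash), true),
        var_export(verify($truncated, $hash), true),
        var_export(verify($wrong, $hash), true)
    );
}
```

An acceptance test for a fix like this should include the truncated-password case, since under DES crypt the 8-character prefix verifies against the hash of the full password.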
