Bug #6681
Squid local auth password handling is weak and only accepting short passwords (closed)
Start date: 08/04/2016
% Done: 0%
Description
The password handling in squid for local auth is using crypt() with default settings and cutting off passwords short (which is expected due to the weak defaults of crypt).
Needs beefed up a bit and tested.
Updated by Jim Pingle over 7 years ago
- Status changed from Assigned to Feedback
I just pushed a fix to change this to SHA512, which is working well even with long passwords (I only tried up to 32 chars though).
I tried blowfish first, but squid wouldn't accept passwords hashed that way.
Updated by Steve Wheeler over 7 years ago
Tested this with a long password that failed in 0.4.21.
Works as expected in 0.4.22. Rejects incorrect password. Rejects truncated password. Accepts full password.
Updated by Jim Pingle over 7 years ago
- Status changed from Feedback to Resolved
Tested and working here as well.
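
An added example, not part of this ticket or the package's own code: a small audit of a `user:hash` password file that flags every entry not stored as SHA-512 crypt and reports how many password bytes the stored scheme actually uses. It assumes the "default settings" in the description produced traditional DES crypt hashes (13 characters, only the first 8 password bytes count) and that hashes written before the fix remain in the file until the password is set again; the file layout and all sample entries are constructed.

```python
import re

B64 = r"[./0-9A-Za-z]"
# (scheme, pattern, password bytes the scheme actually uses; None = no short limit)
SCHEMES = [
    ("sha512-crypt", rf"\$6\$(rounds=\d+\$)?[^$:]{{1,16}}\${B64}{{86}}", None),
    ("sha256-crypt", rf"\$5\$(rounds=\d+\$)?[^$:]{{1,16}}\${B64}{{43}}", None),
    ("md5-crypt", rf"\$(1|apr1)\$[^$:]{{1,8}}\${B64}{{22}}", None),
    ("bcrypt", rf"\$2[abxy]?\$\d\d\${B64}{{53}}", 72),
    # Assumption: this is what crypt() with default settings produced.
    ("des-crypt", rf"{B64}{{13}}", 8),
]

def classify(hash_field):
    """Return (scheme, significant_password_bytes) for one stored hash."""
    for name, pattern, limit in SCHEMES:
        if re.fullmatch(pattern, hash_field):
            return name, limit
    return "unknown", None

def audit(passwd_text, wanted="sha512-crypt"):
    """Return (line, user, scheme, limit) for each entry not using `wanted`."""
    findings = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, rest = line.partition(":")
        if not sep:
            findings.append((lineno, user, "malformed", None))
            continue
        scheme, limit = classify(rest.split(":")[0])
        if scheme != wanted:
            findings.append((lineno, user, scheme, limit))
    return findings

# Constructed sample file: the hash bodies are filler, not real hashes.
SAMPLE = "\n".join([
    "alice:ab" + "x" * 11,                  # 13 characters: DES crypt
    "bob:$6$saltsalt$" + "A" * 86,          # SHA-512 crypt
    "carol:$apr1$saltsalt$" + "B" * 22,     # Apache MD5 crypt
    "dave:not-a-hash",
])

if __name__ == "__main__":
    for lineno, user, scheme, limit in audit(SAMPLE):
        note = f"only the first {limit} password bytes count" if limit else "not SHA-512"
        print(f"line {lineno}: {user}: {scheme} ({note})")
```
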