On Fri, 2003-07-11 at 13:18, Adam Aube wrote:
> >Digest, per se, doesn't require clear text password storage.
> >Squid's supplied helper uses cleartext, but that is simply -a-
> >implementation. Squid itself never needs the cleartext password.
>
> Technically, yes - digest auth does not require the password to be
> stored in cleartext. However, as you pointed out, the Squid-supplied
> helper does, and I know of no other digest helper for Squid.

Well, there's a little project then :}. In point of fact, in 3.0 squid can read pre-digested passwords in the supplied helper.

> Furthermore, since knowledge of the clear text password is needed
> to verify the digest sent, the password would need to be stored either
> in clear text or reversible encryption - unless I completely misunderstand
> how digest auth works (which is also quite possible).

You completely misunderstand how digest auth works. See RFC 2617 for the spec.

> Digest could be improved upon by using a hash of the password instead
> of the password itself.

Digest -does- use a hash of the password. It uses the MD5 of the password, to be precise. (That's Message Digest - thus the name.) Mozilla, IE, squid, apache, all use the MD5 - no cleartext passwords are used for either verification or over the wire.

What is needed to verify the password is the HHA1 (see the spec), which is MD5(user:realm:password) - possibly combined with one time nonces from the client and the server (that's md5-sess, which we don't support (yet)). Once you have HHA1, then you can issue challenges and verify responses, without knowledge of the password.

Rob

-- 
GPG key available at: <http://members.aardvark.net.au/lifeless/keys.txt>.
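As an added illustration of the HA1 point above (this is example code written for this page, not code from the thread or from Squid's helper): the verifier stores only MD5(user:realm:password) and recomputes the RFC 2617 response from it, so the cleartext password is never needed after enrolment. The Mufasa/testrealm values are RFC 2617's own worked example; the MD5-sess branch follows the spec but is an assumption as far as this thread goes.

```python
import hashlib
import hmac


def md5hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def compute_ha1(user: str, realm: str, password: str) -> str:
    # HA1 = MD5(user:realm:password). This is all a helper needs to keep;
    # a "pre-digested" password file stores exactly this value.
    return md5hex(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc="", cnonce="", qop="auth", algorithm="MD5"):
    # Server and client run the same computation: the server feeds in the
    # stored HA1, the client derives HA1 from the password it knows.
    a1 = ha1
    if algorithm == "MD5-sess":
        # Session variant: HA1 is additionally bound to server and client nonces.
        a1 = md5hex(f"{ha1}:{nonce}:{cnonce}")
    ha2 = md5hex(f"{method}:{uri}")
    if qop:
        return md5hex(f"{a1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5hex(f"{a1}:{nonce}:{ha2}")  # RFC 2069-style form without qop


def verify_response(stored_ha1, method, uri, nonce, nc, cnonce, response, qop="auth", algorithm="MD5"):
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop, algorithm)
    # Constant-time compare so the verifier does not leak how many digits matched.
    return hmac.compare_digest(expected, response.lower())


# Worked values from RFC 2617 section 3.5.
RFC2617_EXAMPLE = dict(user="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
                       nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html",
                       nc="00000001", cnonce="0a4f113b")


def rfc2617_example_verifies() -> bool:
    ex = RFC2617_EXAMPLE
    # Enrolment: only HA1 is stored; the password is discarded afterwards.
    stored = compute_ha1(ex["user"], ex["realm"], ex["password"])
    # Client side: answers the challenge using HA1 derived from its password.
    client_ha1 = compute_ha1(ex["user"], ex["realm"], ex["password"])
    resp = digest_response(client_ha1, "GET", ex["uri"], ex["nonce"], ex["nc"], ex["cnonce"])
    # Server side: verifies with the stored HA1 alone.
    return verify_response(stored, "GET", ex["uri"], ex["nonce"], ex["nc"], ex["cnonce"], resp)


if __name__ == "__main__":
    print("RFC 2617 example verifies:", rfc2617_example_verifies())
```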