You're right, that's one of the options I've considered and tested, but going that way I need to set up several things: use a PAC file in order for Firefox and Chrome to work, take into account mobile versions too, configure browsers to trust the proxy's certificate, optionally install a client certificate in browsers (which Firefox for Android can't do) and have the proxy verify it, among other things that would require a PKI infrastructure that I'm not willing to deploy (for now). Trust me, I went through all of this, and it is secure enough, but it has a few pitfalls that right now (without coding) there is no way to solve. But, don't you think Kerberos authentication is a simpler and secure enough approach? For now, I'm just trying to migrate an existing OpenLDAP backend to FreeIPA (because it fits my needs and I think it's a better and tightly integrated solution), which already has the required hashes and an automated way of generating them every time users change their passwords. Thank you very much for your time.

09:48, March 4, 2019, "Alexander Bokovoy via FreeIPA-users" <[email protected]>:

On ma, 04 maalis 2019, Edward Valley via FreeIPA-users wrote:

Thanks for your answer. Doing it the way you propose, squid uses basic
authentication, which exposes user names and passwords in the network
because of the simple base64 encoding.

Just set up your clients to use HTTPS proxy connection in the browser.

https://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection
talks about it. Both Chrome-based browsers and Firefox do work just fine
with HTTPS connection to the proxy for years now.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
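As an added illustration of the HTTPS-to-proxy setup discussed in the thread (this is not code from either poster, and proxy.example.internal:3129 and the bypass list are assumed placeholders), a PAC file that returns an "HTTPS" directive makes Firefox and Chrome open a TLS connection to Squid, so the Basic Proxy-Authorization header no longer crosses the network as plain base64:

```javascript
// Added example, not from the thread: a minimal PAC file that sends browser
// traffic to the proxy over TLS. Hostnames and ports are constructed placeholders.

// Intranet suffixes that should never go through the proxy (constructed sample list).
var NO_PROXY_SUFFIXES = [".example.internal"];

function isLocalHost(host) {
  // Single-label names (no dot) are treated as intranet hosts, like PAC's isPlainHostName().
  if (host.indexOf(".") === -1) return true;
  for (var i = 0; i < NO_PROXY_SUFFIXES.length; i++) {
    var suffix = NO_PROXY_SUFFIXES[i];
    // Compare the tail of the name so "example.internal.evil.com" does not match.
    if (host.length >= suffix.length && host.slice(-suffix.length) === suffix) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  // Intranet names bypass the proxy entirely.
  if (isLocalHost(host)) return "DIRECT";
  // "HTTPS host:port" tells the browser to wrap the browser-to-proxy leg in TLS;
  // "PROXY host:port" would send Proxy-Authorization in the clear.
  // No "; DIRECT" fallback is appended on purpose: if the proxy is down,
  // traffic should fail rather than silently leave the network unproxied.
  return "HTTPS proxy.example.internal:3129";
}
```

Browsers only honour the HTTPS directive when the proxy presents a certificate that chains to a CA they trust, which is the PKI requirement raised earlier in the thread.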