You're right about that too. I think Squid has that covered. Actually, it's a transition solution until I'm able to fully deploy Kerberos.

10:46, March 4, 2019, Rob Crittenden <[email protected]>:

Alexander Bokovoy wrote:

 On Mon, 04 Mar 2019, Edward Valley via FreeIPA-users wrote:
 Thanks for your answer. Doing it the way you propose, Squid uses
 basic authentication, which exposes user names and passwords in
 the network because of the simple base64 encoding.

 Just set up your clients to use HTTPS proxy connection in the browser.

 https://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection

 talks about it. Both Chrome-based browsers and Firefox do work just fine
 with HTTPS connection to the proxy for years now.


Beyond the fact that the hash in the clear makes for possible replay
attacks unless Squid properly enforces nonces.

rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]