ons 2006-04-05 klockan 21:44 -0400 skrev Scott Ehrlich: > I am trying to establish blank passwords for some squid accounts, using > htpasswd /etc/squid/squid_passwd name_of_user > > When prompted for a password, I just hit enter twice. The squid_passwd file > still shows an encrypted password. I've tried to delete it, leaving just > the > username and colon, but I cannot seem to get a blank password.
Even a blank password has a hash looking just the same as a non-blank password hash. > What is the magic? You will need to change the source somewhat. Both Squid and ncsa_auth denies blank passwords without even looking into the password file. The attached patch should "fix" this for ncsa_auth. Make sure to read squid.conf.default after applying the patch as it adds a new auth_param basic option for enabling blank passwords. Regards Henrik
Index: helpers/basic_auth/NCSA/ncsa_auth.c
===================================================================
RCS file: /cvsroot/squid/squid/helpers/basic_auth/NCSA/ncsa_auth.c,v
retrieving revision 1.1.2.4
diff -u -p -r1.1.2.4 ncsa_auth.c
--- helpers/basic_auth/NCSA/ncsa_auth.c 22 Apr 2005 20:29:29 -0000 1.1.2.4
+++ helpers/basic_auth/NCSA/ncsa_auth.c 6 Apr 2006 12:14:09 -0000
@@ -126,14 +126,13 @@ main(int argc, char **argv)
change_time = sb.st_mtime;
}
}
- if ((user = strtok(buf, " ")) == NULL) {
- printf("ERR\n");
- continue;
- }
- if ((passwd = strtok(NULL, "")) == NULL) {
+ user = buf;
+ passwd = strchr(buf, ' ');
+ if (!passwd) {
printf("ERR\n");
continue;
}
+ *passwd++ = '\0';
rfc1738_unescape(user);
rfc1738_unescape(passwd);
u = hash_lookup(hash, user);
Index: src/cf.data.pre
===================================================================
RCS file: /cvsroot/squid/squid/src/cf.data.pre,v
retrieving revision 1.245.2.104
diff -u -p -r1.245.2.104 cf.data.pre
--- src/cf.data.pre 25 Feb 2006 23:01:45 -0000 1.245.2.104
+++ src/cf.data.pre 6 Apr 2006 12:14:10 -0000
@@ -1357,6 +1357,11 @@ DOC_START
makes a big difference for user_max_ip ACL processing and similar.
auth_param basic casesensitive off
+ "blankpassword" on|off
+ Specifies if blank passwords should be supported. Defaults to off
+ as there is multiple authentication backends which handles blank
+ passwords as "guest" access.
+
=== Parameters for the digest scheme follow ===
"program" cmdline
Index: src/auth/basic/auth_basic.c
===================================================================
RCS file: /cvsroot/squid/squid/src/auth/basic/auth_basic.c,v
retrieving revision 1.14.2.10
diff -u -p -r1.14.2.10 auth_basic.c
--- src/auth/basic/auth_basic.c 22 Apr 2005 20:29:31 -0000 1.14.2.10
+++ src/auth/basic/auth_basic.c 6 Apr 2006 12:14:10 -0000
@@ -313,11 +313,12 @@ authBasicCfgDump(StoreEntry * entry, con
storeAppendPrintf(entry, " %s", list->key);
list = list->next;
}
- storeAppendPrintf(entry, "\n%s %s realm %s\n%s %s children %d\n%s %s credentialsttl %d seconds\n%s %s casesensitive %s\n",
+ storeAppendPrintf(entry, "\n%s %s realm %s\n%s %s children %d\n%s %s credentialsttl %d seconds\n%s %s casesensitive %s\n%s %s blankpassword %s\n",
name, "basic", config->basicAuthRealm,
name, "basic", config->authenticateChildren,
name, "basic", (int) config->credentialsTTL,
- name, "basic", config->casesensitive ? "on" : "off");
+ name, "basic", config->casesensitive ? "on" : "off",
+ name, "basic", config->blankpassword ? "on" : "off");
}
@@ -348,6 +349,8 @@ authBasicParse(authScheme * scheme, int
parse_time_t(&basicConfig->credentialsTTL);
} else if (strcasecmp(param_str, "casesensitive") == 0) {
parse_onoff(&basicConfig->casesensitive);
+ } else if (strcasecmp(param_str, "blankpassword") == 0) {
+ parse_onoff(&basicConfig->blankpassword);
} else {
debug(28, 0) ("unrecognised basic auth scheme parameter '%s'\n", param_str);
}
@@ -462,7 +465,7 @@ authenticateBasicDecodeAuth(auth_user_re
proxy_auth);
local_basic.passwd = NULL;
auth_user_request->message = xstrdup("no password was present in the HTTP [proxy-]authorization header. This is most likely a browser bug");
- } else if (*cleartext == '\0') {
+ } else if (*cleartext == '\0' && !basicConfig->blankpassword) {
debug(29, 4) ("authenticateBasicDecodeAuth: Disallowing empty password,"
"user is '%s'\n", local_basic.username);
local_basic.passwd = NULL;
Index: src/auth/basic/auth_basic.h
===================================================================
RCS file: /cvsroot/squid/squid/src/auth/basic/auth_basic.h,v
retrieving revision 1.3.2.2
diff -u -p -r1.3.2.2 auth_basic.h
--- src/auth/basic/auth_basic.h 17 Jul 2004 19:53:25 -0000 1.3.2.2
+++ src/auth/basic/auth_basic.h 6 Apr 2006 12:14:10 -0000
@@ -42,6 +42,7 @@ struct _auth_basic_config {
wordlist *authenticate;
time_t credentialsTTL;
int casesensitive;
+ int blankpassword;
};
typedef struct _auth_basic_config auth_basic_config;
signature.asc
Description: Detta är en digitalt signerad meddelandedel
