Home Linux Community Community Blogs Personal Squid and Digest Authentication

Squid and Digest Authentication

This week I want to review Digest authentication, which is a step up from Basic proxy authentication, not the best choice but an improvement. Digest Authentication hashes the password before transmitting over the wire. Essentially it sends a message digest generated from multiple items including username, realm and nonce value. If you want to know more see (RFC 2617). Thing to remember is both Basic and Digest are on the weak end of the authentication security spectrum. If your only choice is Basic and Digest, the lesser of two evils is Digest. Digest is very similar to Basic from a configuration perspective. Squid uses an external helper program to facilitate the authentication process. From a Squid configuration perspective, the following pieces are required in the “OPTIONS FOR AUTHENTICATION” section of squid.conf auth_param digest program auth_param digest children auth_param digest realm auth_param nonce_garbage_interval auth_param nonce_max_duration auth_param nonce_max_count The following parameters are similar in nature to Basic authentication; auth_param digest program - provide location of external helper program auth_param digest children – number of spawned processes to facilitate user authentication requests auth_param digest realm – string presented to user when authentication appears on screen Digest authentication introduces the concept of a ‘nonce’ (number used once). This is a generated value (in this case generated by Squid). The client uses this value in conjunction with the password during the hashing process. Without nonce-salting, captured hashed passwords could be replayed. The ‘nonce’ value is regenerated at specified intervals to ensure its continual uniqueness. auth_param nonce_garbage_interval – Specifies how often Squid should clean up its nonce cache auth_param nonce_max_duration – Specified how long the nonce value remains valid auth_param nonce_max_count –Places a limit on how many time a nonce value may be used The last piece of this puzzle is a database of valid users and their associated password. Typically this information is in a hashed text file stored on the Squid server. You should know, Squid does not offer any capabilities for managing it, most users generate it manually or utilize scripts. On an Ubuntu based Squid server the Digest Helper program is located in the following location; /usr/lib/squid3/digest_pw_auth Given above configuration paramaters, the final product should look like this; auth_param digest program /usr/lib/squid3/digest_pw_auth –c /etc/squid3/password-file auth_param digest children 5 auth_param digest realm My Realm auth_param nonce_garbage_interval 5 minutes auth_param nonce_max_duration 30 minutes auth_param nonce_max_count 50 Don’t forget you must adjust Squid ACL’s. The procedure is identical to Basic Auth reviewed last week. Regarding the password file, it should be hashed to keep prying eyes off user passwords. By the way “-c” in above program parameter means you’re specifying the location of a hashed password file. This concludes Digest authentication, don’t forget to restart your proxy server. Next week I’ll talk about NTLM authentication, since most of you are using Windows networks. To find out more visit:


Subscribe to Comments Feed

Who we are ?

The Linux Foundation is a non-profit consortium dedicated to the growth of Linux.

More About the foundation...

Frequent Questions

Join / Linux Training / Board