Bug#920007: squid: basic_ncsa_auth username case sensitivity


Bug#920007: squid: basic_ncsa_auth username case sensitivity

Matsievskiy S.V.
Package: squid
Version: 4.4-1
Severity: normal

Dear Maintainer,

I was configuring basic_ncsa_auth authentication in squid and could not get it to work.
Eventually I decided to check the input of basic_ncsa_auth and replaced it with a custom script:

#!/bin/bash
# copy the file(s) squid passes as arguments (the passwords file) to /tmp/args
cat "$@" > /tmp/args
# record everything squid writes to the helper's stdin
cat > /tmp/stdin

After examining the output, I learned that squid converts all characters to lowercase.
In my case, the login had uppercase characters in it, so the call to basic_ncsa_auth never succeeded.

In my opinion, either squid should not convert characters to lowercase, or it should be clearly stated somewhere that uppercase characters are not allowed.

tldr: basic_ncsa_auth option does not support usernames with uppercase characters.

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.12-custom (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages squid depends on:
ii  adduser                  3.118
ii  libc6                    2.28-5
ii  libcap2                  1:2.25-1.2
ii  libcom-err2              1.44.5-1
ii  libdb5.3                 5.3.28+dfsg1-0.2
ii  libdbi-perl              1.642-1+b1
ii  libecap3                 1.0.1-3.2
ii  libexpat1                2.2.6-1
ii  libgcc1                  1:8.2.0-14
ii  libgnutls30              3.6.5-2
ii  libgssapi-krb5-2         1.16.2-1
ii  libkrb5-3                1.16.2-1
ii  libldap-2.4-2            2.4.47+dfsg-2
ii  libltdl7                 2.4.6-6
ii  libnetfilter-conntrack3  1.0.7-1
ii  libnettle6               3.4.1~rc1-1
ii  libpam0g                 1.1.8-4
ii  libsasl2-2               2.1.27~rc8-1
ii  libstdc++6               8.2.0-14
ii  libxml2                  2.9.4+dfsg1-7+b3
ii  logrotate                3.14.0-4
ii  lsb-base                 10.2018112800
ii  netbase                  5.5
ii  squid-common             4.4-1

Versions of packages squid recommends:
ii  ca-certificates  20180409
ii  libcap2-bin      1:2.25-1.2

Versions of packages squid suggests:
pn  resolvconf   <none>
ii  smbclient    2:4.9.4+dfsg-1
pn  squid-cgi    <none>
pn  squid-purge  <none>
pn  squidclient  <none>
ii  ufw          0.36-1
pn  winbindd     <none>

-- Configuration Files:
/etc/squid/squid.conf changed:
acl localnet src 192.168.1.0/24 # RFC 1918 local private network (LAN)
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic children 10 startup=0 idle=1
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 6 hours
acl password proxy_auth REQUIRED
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/conf.d/*
http_access allow password
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320


-- no debconf information


Bug#920007: squid: basic_ncsa_auth username case sensitivity

Amos Jeffries
On Mon, 21 Jan 2019 18:12:37 +0300 "Matsievskiy S.V." wrote:
>
> After output examination, I learned that squid converts all characters to lowercase.
> In my case, login had uppercase characters in it. So call to basic_ncsa_auth never succeeded.
>
> In my opinion either squid should not convert characters to lowercase, or it should be clearly stated somewhere that uppercase characters are not allowed.
>


Due to the security vulnerabilities and issues inherent in allowing
case-sensitive usernames, most auth systems operate case-insensitively.
The Squid default is tuned to match the behaviour of the most commonly
encountered environment(s).
(You may find it useful to look up what those security problems are and
consider carefully why so many others prohibit mixed-case accounts.)


The "casesensitive" parameter for auth_param is provided for this
use-case and is already documented under "Basic authentication parameters".
See <http://www.squid-cache.org/Doc/config/auth_param/>.



FYI: For ease of testing there are "fake" helper(s) provided for most
Squid helper directives - which only return OK (or equivalent) to Squid.
All official helpers should also provide a "-d" command line option
which delivers their debugging information to cache.log.

I mention this because that bash script does not perform any of the
Squid helper protocol, which must have been a pain to test against.
For example, I replicated the reported behaviour using just this:
  auth_param basic program /usr/lib/squid/basic_fake_auth -d


HTH
Amos
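The helper protocol Amos refers to, as an added example that is not part of this bug thread and is not Squid's own basic_ncsa_auth: a minimal basic-auth helper that reads one "username password" request line at a time and answers OK or ERR, with a constructed in-memory credential store instead of an htpasswd file. It models the reported behaviour by lowercasing the username the way Squid's default (casesensitive off) does before the helper sees it, and it refuses a case-insensitive lookup that matches more than one stored account, which is the ambiguity Amos alludes to. Assumptions: the percent-encoding of the request line is taken from Squid's helper documentation and should be checked against the version in use; the store format, the salted-SHA-256 entries, the sample accounts and the `--case-sensitive` flag are this example's own.

```python
import hashlib
import hmac
import sys
from urllib.parse import unquote


def _entry(password, salt):
    """Build a constructed store entry: (salt, hex sha256(salt + password))."""
    return salt, hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed credential store for the demo. This is NOT the htpasswd file
# that basic_ncsa_auth reads; it only models "username -> stored secret".
STORE = {
    "Alice": _entry("s3cret", "salt1"),     # mixed-case account name
    "bob": _entry("hunter2", "salt2"),
    "carol": _entry("pass word", "salt3"),  # password containing a space
}


def verify(username, password, case_sensitive, store=STORE):
    """Return True only if exactly one store entry matches the username
    (exact or case-insensitive, per case_sensitive) and the password is right."""
    if case_sensitive:
        candidates = [v for k, v in store.items() if k == username]
    else:
        candidates = [v for k, v in store.items()
                      if k.casefold() == username.casefold()]
    # Two accounts that differ only in case are ambiguous under a
    # case-insensitive lookup; refuse rather than guess which one was meant.
    if len(candidates) != 1:
        return False
    salt, digest = candidates[0]
    attempt = hashlib.sha256((salt + password).encode()).hexdigest()
    return hmac.compare_digest(attempt, digest)


def handle_line(line, case_sensitive=False):
    """Handle one helper request line. Squid sends 'username password'
    (both percent-encoded, so a space inside a password arrives as %20)
    and expects a single 'OK' or 'ERR' line back."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    username, password = (unquote(p) for p in parts)
    return "OK" if verify(username, password, case_sensitive) else "ERR"


def squid_default_username(username):
    """Model what reaches the helper under the default 'casesensitive off':
    Squid lowercases the username before handing it to the helper."""
    return username.lower()


def main():
    # Squid talks to each helper child line by line; every answer must be
    # flushed immediately or the waiting client request stalls.
    case_sensitive = "--case-sensitive" in sys.argv[1:]
    for line in sys.stdin:
        print(handle_line(line, case_sensitive), flush=True)


if __name__ == "__main__":
    main()
```

With the store holding "Alice", a request for "Alice s3cret" succeeds only when the helper compares exactly; once the username has gone through the default lowercasing it arrives as "alice" and an exact-match store answers ERR, which is the failure the report describes. The two remedies on the page map onto the code directly: turning on the casesensitive parameter for auth_param stops the lowercasing, or the store is written so that lookups are case-insensitive, in which case accounts that differ only in case must not coexist.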