[11209] in bugtraq
Re: Redhat 6.0 cachemgr.cgi lameness
daemon@ATHENA.MIT.EDU (Henrik Nordstrom)
Sat Jul 31 21:29:19 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Message-Id:  <37A21DA9.7E2AB8D4@hem.passagen.se>
Date:         Fri, 30 Jul 1999 23:48:25 +0200
Reply-To: hno@HEM.PASSAGEN.SE
From: Henrik Nordstrom <hno@HEM.PASSAGEN.SE>
X-To:         Peter Boutzev <boutzev@AIRFAIR.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
Peter Boutzev wrote:
>  I did not find any information about using an encrypted manager password in
> squid.conf.
Yes, the cachemgr_passwd directive is lame and not very secure. However,
most proxy servers should be isolated from the users and not allow
interactive logons (other than possibly the cache manager using SSH for
maintaining the server), so if people are allowed to get to the point
where they may read Squid's configuration file then you probably are in
deep shit anyway.
A more secure way to protect the cachemgr functions than the
cachemgr_passwd directive is with Squid's access list controls. This
method allows you to control access on a per-user basis, with passwords
stored in almost any source (implementations exist for NCSA-style
password files, LDAP, PAM, Unix, and a lot more).
--
Henrik Nordström
Squid developer
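The two approaches contrasted in the reply, shown side by side as a squid.conf fragment. This is an added example, not configuration from the original post or from the Squid project; the helper path, the password-file location and the user names are assumptions, and the auth_param syntax is that of Squid 2.5 and later (older releases used the authenticate_program directive instead).

```conf
# --- Weak setting discussed in the thread -------------------------------
# A single cleartext shared secret in squid.conf gates every cachemgr action.
# Anyone who can read this file has it. ("secret" is a placeholder value.)
cachemgr_passwd secret all

# --- Access-list alternative ---------------------------------------------
# Per-user credentials live outside squid.conf, here in an NCSA-style file
# created with Apache's htpasswd (e.g. "htpasswd -c /etc/squid/passwd alice").
# Helper path and file location are assumptions about the local install.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic realm Squid cache manager

# cache_object:// requests are the cache manager interface.
acl manager proto cache_object
# Only these authenticated users may administer the cache.
acl admins proxy_auth alice bob
# And only from the proxy host itself (where cachemgr.cgi is expected to run).
acl localhost src 127.0.0.1/32

# Order matters: http_access is first-match, so these two lines must precede
# any broad "http_access allow" rule. Both conditions on one line must hold.
http_access allow manager admins localhost
http_access deny manager

# With ACLs doing the work, the shared secret can be turned off entirely.
cachemgr_passwd disable all
```

Removing the cachemgr_passwd line altogether leaves the directive at its default, so disabling it explicitly makes the intent visible in the file.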