Re: Authentication problem

From: Oskar Pearson <oskar@dont-contact.us>
Date: Mon, 13 Oct 1997 16:32:59 +0200

Hi

> Keeping a separate password file is not ideal, as I would like
> everyone to be able to use the same password - so I thought I
> could NFS mount the password file from our main UNIX server.
>
> I hope you realise the security implications of this. Every time your
> squid does a lookup, your password file is sent over the network. The
> passwords may be encrypted, but give me a packet sniffer, fast CPU,
> crack, and 20MB of dictionary and it could easily be hacked.

What about the following:

Install ssh on both machines.

Then generate an ssh key on the cache machine as root. Allow ssh into
the machine with the shadow file (without a password - otherwise
you can't script stuff).

Then ssh in every 1/2 hour and copy /etc/shadow with something
like:

scp userhost:/etc/shadow /usr/local/squid/etc/

Note that there are still security implications - if someone cracks
your cache machine they can hack 'userhost' without a password... but if
you are sure the cache is safe (i.e. if you use the chroot patch and
remove the ability to 'mknod') you should be fine. You can then also ssh
into the cache server and your password won't be sniffed then either :)

Oskar
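The half-hourly copy described in the reply, as an added example that is not code from the post or from Squid: a sync script that fetches the file over ssh, refuses to install an empty or truncated copy, and replaces the local file atomically with mode 0600. The host name `userhost`, the `DEST` path, and the `authorized_keys` restriction line (a forced command, so the key on the cache box can do nothing else on `userhost`) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Pulls /etc/shadow from
# 'userhost' with three safeguards on top of the plain scp: the key on the
# cache box is locked to one forced command on userhost, a malformed or
# empty transfer is never installed, and the install is an atomic rename
# with mode 0600. USERHOST, DEST and the key comment are assumed names.
#
# On 'userhost', ~root/.ssh/authorized_keys gets the cache box's public key
# prefixed with restrictions, so the key can do nothing but emit the file:
#   from="cache.example",command="cat /etc/shadow",no-pty,no-port-forwarding,\
#   no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...(public key) root@cache

USERHOST="${USERHOST:-userhost}"
DEST="${DEST:-/usr/local/squid/etc/shadow}"

# validate_shadow FILE: succeed only if FILE is non-empty, every line has a
# user name and a password field, and root is present. A truncated transfer
# would otherwise silently lock every user out of the proxy.
validate_shadow() {
    [ -s "$1" ] || return 1
    awk -F: '$1 == "" || NF < 2 { bad = 1 } $1 == "root" { seenroot = 1 }
             END { exit (bad || !seenroot) }' "$1"
}

# install_shadow SRC DEST: copy SRC into place with mode 0600 through a temp
# file in the same directory, so readers never see a half-written DEST.
install_shadow() {
    src="$1"; dest="$2"
    validate_shadow "$src" || return 1
    tmp="$dest.tmp.$$"
    umask 077
    cp "$src" "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$dest"
}

# sync_shadow: the half-hourly job. With the forced command above, userhost
# ignores whatever command is sent and always runs 'cat /etc/shadow'.
sync_shadow() {
    fetched="$DEST.fetch.$$"
    trap 'rm -f "$fetched"' EXIT
    ssh -o BatchMode=yes "root@$USERHOST" cat /etc/shadow > "$fetched" || return 1
    install_shadow "$fetched" "$DEST"
}

# Cron entry on the cache box: */30 * * * * SYNC_SHADOW_RUN=1 /usr/local/sbin/sync_shadow.sh
# Only run when asked, so the functions can also be sourced for testing.
if [ "${SYNC_SHADOW_RUN:-0}" = 1 ]; then sync_shadow; fi
```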
Received on Mon Oct 13 1997 - 07:36:23 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:37:17 MST