Bugtraq mailing list archives

Re: Redhat 6.0 cachemgr.cgi lameness
From: hno () HEM PASSAGEN SE (Henrik Nordstrom)
Date: Fri, 30 Jul 1999 23:48:25 +0200


Peter Boutzev wrote:

 "I did not find any information about using an encrypted manager password in
squid.conf".

Yes, the cachemgr_passwd directive is lame and not very secure. However,
most proxy servers should be isolated from the users and not allow
interactive logons (other than possibly the cache manager using SSH for
maintaining the server), so if people are allowed to get to the point
where they may read Squid's configuration file then you probably are in
deep shit anyway.

A more secure way to protect the cachemgr functions than the
cachemgr_passwd directive is with Squid's access list controls. This
method allows you to control access on a per user basis, with passwords
stored in almost any source (implementations exist for NCSA style
password files, LDAP, PAM, Unix, and a lot more).

--
Henrik Nordström
Squid developer
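
An added example, not part of the original message and not Squid's own code: a small Python check that reads a squid.conf, flags cleartext cachemgr_passwd entries, and reports http_access rules that allow the cache manager ACL without a per-user proxy_auth ACL. The ACL name "manager", the user names and the sample configuration are constructed assumptions.

```python
# Added example: audit a squid.conf for the cache manager exposure discussed above.
SAMPLE_CONF = """\
# constructed sample configuration, not taken from the original post
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl admins proxy_auth alice bob
cachemgr_passwd s3cret shutdown
cachemgr_passwd disable config
http_access allow manager localhost
http_access allow manager admins
http_access deny manager
"""


def audit(conf_text, manager_acl="manager"):
    """Return (line_number, message) findings for cache manager protection."""
    acl_types = {}   # ACL name -> ACL type (proto, src, proxy_auth, ...)
    rules = []       # (line_number, action, [acl names]) from http_access
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = line.split()
        if tok[0] == "acl" and len(tok) >= 3:
            acl_types.setdefault(tok[1], tok[2])
        elif tok[0] == "cachemgr_passwd" and len(tok) >= 2:
            # "disable" and "none" are keywords; anything else is a real
            # password sitting in cleartext in the configuration file.
            if tok[1] == "none":
                findings.append((n, "no password required for: " + " ".join(tok[2:])))
            elif tok[1] != "disable":
                findings.append((n, "cleartext password for: " + " ".join(tok[2:])))
        elif tok[0] == "http_access" and len(tok) >= 3:
            rules.append((n, tok[1], tok[2:]))
    for n, action, acls in rules:
        if action == "allow" and manager_acl in acls:
            # Negated ACLs ("!name") never equal a bare name, so they are ignored.
            if not any(acl_types.get(a) == "proxy_auth" for a in acls):
                findings.append((n, "manager allowed without a per-user proxy_auth ACL"))
    return findings


if __name__ == "__main__":
    for n, msg in audit(SAMPLE_CONF):
        print(f"line {n}: {msg}")
```

On the sample, the address-only rule is reported alongside the cleartext password; the rule that combines the manager ACL with the proxy_auth ACL passes.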


