[ejabberd] External auth with non plaintext passwords

Bastian Hoyer dafire at dafire.de
Wed Aug 11 18:58:58 MSD 2004

Well, I think we should use what most clients use. Currently I have to tell
the people to lower the security settings and enable plain text passwords;
even if SSL is enabled it does not work out of the box on most clients :) I
don't know if SASL auth is commonly available in clients.

The hashing works as follows:

The value of the <digest/> element MUST be computed according to the
following algorithm:

   1. Concatenate the Stream ID received from the server with the password.
   2. Hash the concatenated string according to the SHA1 algorithm, i.e.,
      SHA1( concat (sid, password)).
   3. Ensure that the hash output is in hexadecimal format, not binary or
   4. Convert the hash output to all lowercase characters.

So in easy words: the client gets a random value, adds his password, does the
hash thing and sends the result back. The script now needs the random value
sent to the user (stream ID) and the password to do the same trick and to
compare the expected hash with the sent hash.
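As an added example (not part of the original post or of ejabberd's own external auth scripts), the digest computation described above on both sides: the client's SHA1(concat(sid, password)) in lowercase hex, and the check an external auth script would do given the same stream ID and the stored password. The function names, the constant-time comparison and the sample stream ID and password are assumptions made for this example; the known SHA-1 test vectors are only used to confirm the hashing matches the standard algorithm.

```python
import hashlib
import hmac
import secrets


def compute_digest(stream_id: str, password: str) -> str:
    """Client side: SHA-1 of the stream ID concatenated with the password,
    as a lowercase hexadecimal string (steps 1-4 of the quoted algorithm)."""
    data = (stream_id + password).encode("utf-8")
    return hashlib.sha1(data).hexdigest().lower()


def verify_digest(stream_id: str, stored_password: str, presented_digest: str) -> bool:
    """Script side: recompute the expected digest from the stream ID we issued
    and the password we hold, then compare against what the client sent.
    hmac.compare_digest avoids leaking how many leading characters matched."""
    expected = compute_digest(stream_id, stored_password)
    return hmac.compare_digest(expected, presented_digest.strip().lower())


def new_stream_id() -> str:
    """A fresh, unpredictable stream ID; the digest is only meaningful for the
    stream it was issued on, so each connection must get a new one."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    # Constructed sample values; not taken from any real deployment.
    sid = "a1b2c3d4e5f6"
    password = "correct horse"
    digest = compute_digest(sid, password)
    print("client sends digest:", digest)
    print("script accepts:", verify_digest(sid, password, digest))
    print("wrong password accepted:", verify_digest(sid, "wrong", digest))
    print("digest replayed on another stream:", verify_digest(new_stream_id(), password, digest))
```

Note what this scheme requires: the script must have the plaintext password (or something equivalent to it) to recompute the digest, so it protects the password on the wire, not in the password store. A captured digest is bound to one stream ID, which is why the stream ID must be random and never reused.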


More information about the ejabberd mailing list