[ejabberd] External auth with non plaintext passwords

Leif Johansson leifj at it.su.se
Sun Aug 15 21:12:06 MSD 2004


Bastian Hoyer wrote:
> Well I think we should use what most clients use.. Currently I have to tell
> the people to lower the security settings and enable plain text passwords
> even if ssl is enabled it does not work out of the box on most clients :) I
> don't know if sasl auth is commonly available in clients.

It is getting more wide-spread all the time. XMPP requires sasl auth and
most sasl libraries implement some md5-based shared-secret mech.

> 
> The hashing works as follows:
> 
> The value of the <digest/> element MUST be computed according to the
> following algorithm:
> 
>    1. Concatenate the Stream ID received from the server with the password. [7]
>    2. Hash the concatenated string according to the SHA1 algorithm, i.e.,
>       SHA1( concat (sid, password)).
>    3. Ensure that the hash output is in hexadecimal format, not binary or
>       base64.
>    4. Convert the hash output to all lowercase characters.
> 
> So in easy words the client gets a random value, adds his password, does the
> hash thing and sends the result back. The script now needs the random value
> sent to the user (stream ID) and the password to do the same trick and to
> compare the expected hash with the sent one.

Should be doable...

	MVH leifj
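The digest check described in the quoted message, written out as an added example (not code from the thread or from ejabberd); the stream ID, password and user table are constructed values, and note that the server side must hold the plaintext password to recompute SHA1(sid + password):

```python
import hashlib
import hmac


def stream_digest(stream_id: str, password: str) -> str:
    """Compute the <digest/> value of jabber:iq:auth.

    Following the quoted steps: concatenate the stream ID the server sent
    with the password, SHA-1 the result, and return lowercase hex.
    """
    data = (stream_id + password).encode("utf-8")
    return hashlib.sha1(data).hexdigest().lower()


def verify_digest(stream_id: str, stored_password: str, received_digest: str) -> bool:
    """Server-side check an external auth script would perform.

    The script needs the random stream ID that was sent to this client and the
    user's plaintext password; it recomputes the digest and compares it in
    constant time. Hex case carries no information, so the comparison is
    case-insensitive.
    """
    expected = stream_digest(stream_id, stored_password)
    return hmac.compare_digest(expected, received_digest.strip().lower())


# Constructed sample data (not from the thread): plaintext passwords the
# auth backend must be able to read, because the digest cannot be verified
# against a salted password hash.
USERS = {"alice": "correcthorse", "bob": "batterystaple"}
SAMPLE_SID = "3EE948B0"  # constructed stream ID


def authenticate(user: str, stream_id: str, received_digest: str) -> bool:
    """Look up the user's plaintext password and verify the client's digest."""
    password = USERS.get(user)
    if password is None:
        return False
    return verify_digest(stream_id, password, received_digest)


if __name__ == "__main__":
    client_digest = stream_digest(SAMPLE_SID, USERS["alice"])
    print(client_digest)
    print(authenticate("alice", SAMPLE_SID, client_digest))   # True
    print(authenticate("alice", "00000000", client_digest))   # False: other sid
    print(authenticate("bob", SAMPLE_SID, client_digest))     # False: wrong user
```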


