[ejabberd] External auth with non plaintext passwords
leifj at it.su.se
Sun Aug 15 21:12:06 MSD 2004
Bastian Hoyer wrote:
> Well, I think we should use what most clients use. Currently I have to tell
> the people to lower the security settings and enable plain text passwords;
> even if SSL is enabled it does not work out of the box on most clients :) I
> don't know if SASL auth is commonly available in clients.
It is getting more widespread all the time. XMPP requires SASL auth and
most SASL libraries implement some MD5-based shared-secret mech.
> The hashing works as follows:
> The value of the <digest/> element MUST be computed according to the
> following algorithm:
> 1. Concatenate the Stream ID received from the server with the password.
> 2. Hash the concatenated string according to the SHA1 algorithm, i.e.,
> SHA1( concat (sid, password)).
> 3. Ensure that the hash output is in hexadecimal format, not binary or
> 4. Convert the hash output to all lowercase characters.
> So in simple words: the client gets a random value, adds his password, does the
> hash thing and sends the result back. The script now needs the random value
> sent to the user (stream ID) and the password to do the same trick and to
> compare the expected hash with the sent one.
Should be doable...
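Worked example of the digest scheme quoted above, added here for illustration; it is not code from the thread or from ejabberd, and it does not use ejabberd's external auth wire protocol. It implements the four steps literally (SHA-1 over stream ID + password, lowercase hex), verifies a client digest on the server side with a constant-time comparison, and simulates one login exchange. The stream ID, user name and passwords are constructed sample values.

```python
import hashlib
import hmac
import secrets


def xmpp_digest(stream_id: str, password: str) -> str:
    """Digest value as described in the quoted steps 1-4:
    SHA1(concat(sid, password)), encoded as lowercase hexadecimal."""
    data = (stream_id + password).encode("utf-8")   # step 1: concatenate
    return hashlib.sha1(data).hexdigest()            # steps 2-4: SHA-1, hex, lowercase


def verify_digest(stream_id: str, stored_password: str, client_digest: str) -> bool:
    """Server side: recompute the digest from the stream ID it issued and the
    password it has on file, then compare in constant time. Step 4 requires the
    client to send lowercase hex, so anything else is simply rejected."""
    expected = xmpp_digest(stream_id, stored_password)
    if len(client_digest) != len(expected):
        return False
    return hmac.compare_digest(expected.encode(), client_digest.encode())


def new_stream_id() -> str:
    """The server's per-stream random value that is sent to the client
    (the 'random value' / stream ID in the quoted explanation)."""
    return secrets.token_hex(16)


def simulate_login(stored_password: str, client_password: str) -> bool:
    """One exchange: server issues a stream ID, client hashes it with its
    password, server checks the result against the password it knows.
    Returns True when the client is authenticated."""
    sid = new_stream_id()                              # server -> client
    client_side = xmpp_digest(sid, client_password)    # client -> server
    return verify_digest(sid, stored_password, client_side)


def replay_fails(password: str) -> bool:
    """A digest captured on one stream must not be usable on a new stream,
    because the server folds a fresh stream ID into every challenge."""
    old_sid = new_stream_id()
    captured = xmpp_digest(old_sid, password)          # observed by an attacker
    new_sid = new_stream_id()                          # server's next stream
    return not verify_digest(new_sid, password, captured)


if __name__ == "__main__":
    # constructed sample credentials for the demo
    print("correct password :", simulate_login("s3cret", "s3cret"))
    print("wrong password   :", simulate_login("s3cret", "guess"))
    print("replay rejected  :", replay_fails("s3cret"))
```

Two caveats follow directly from the scheme. First, `verify_digest` needs the plaintext password (or something equivalent to it) to recompute SHA1(sid + password); a store holding only salted password hashes cannot verify this digest, which is exactly the tension in the subject line. Second, the stream ID only defends against replay: anyone who observes `sid` and the digest on the wire can run an offline dictionary attack on the password, since SHA-1 is fast and unkeyed, so the scheme should still ride on a TLS-protected stream.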