[ejabberd] Re: Ability to use any ldap account with no password

Leif Johansson leifj at it.su.se
Fri Dec 3 11:14:43 MSK 2004

Oleg Kivel wrote:
>>>But why does ejabberd permit unauthorized access anyway? What will happen
>>>if a bad guy decides to use JAJC without "Use plain text password"?
> LJ> Plaintext passwords as opposed to legacy jabber shared-secret passwords.
> LJ> None of these are 'unauthenticated'. Use of plaintext passwords wo tls
> LJ> is not recommended but it's still not unauthenticated.
> LJ>         MVH leifj
> Could you explain it a little bit more?
> Why can ejabberd use the verified password in one case and cannot
> do the same in another case?

It's two different kinds of passwords. A shared secret mechanism (as in
the legacy jabber password system implemented in ejabberd) implies that
passwords are stored in the clear on the server. Traditional unix-style
passwords are not stored in the clear on the server - in that case the
server only relies on the ability to verify that a given password
matches the one stored in the server. What the client calls clear-text
passwords are the second kind since the passwords in fact are _transmitted_
in the clear from the client to the server. This is the reason
you want tls in this case. The legacy jabber password system transmits
hashes of passwords over the wire which is not clear-text.

	MVH leifj
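To make the distinction in the reply concrete, here is an added example (not code from the post or from ejabberd) that models the two server-side verification designs side by side. It assumes the legacy jabber digest is the XEP-0078 form, a hex SHA-1 over the stream id followed by the password; the PBKDF2 parameters, the user name, the password and the stream id are constructed sample values chosen for illustration.

```python
import hashlib
import hmac
import json
import os

PBKDF2_ITERATIONS = 100_000  # assumption: illustrative work factor, not an ejabberd setting


def legacy_digest(stream_id, password):
    # XEP-0078 style digest: hex SHA-1 over the stream id followed by the password.
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest()


def legacy_server_verify(stored_clear_password, stream_id, presented_digest):
    # Shared-secret model: the server can recompute the digest only because it
    # still holds the password itself in the clear.
    expected = legacy_digest(stream_id, stored_clear_password)
    return hmac.compare_digest(expected, presented_digest)


def make_password_record(password, salt=None):
    # Unix-style model: keep salt + slow hash and forget the password.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def plaintext_server_verify(record, presented_password):
    # Plaintext model: the client sends the password itself (hence TLS); the
    # server checks it against the stored hash and never needs the clear value.
    digest = hashlib.pbkdf2_hmac(
        "sha256", presented_password.encode("utf-8"),
        bytes.fromhex(record["salt"]), PBKDF2_ITERATIONS,
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def legacy_login(db, user, password, stream_id):
    # db maps user -> clear password. Returns (what went over the wire, accepted?).
    wire = {"username": user, "digest": legacy_digest(stream_id, password)}
    return wire, legacy_server_verify(db[user], stream_id, wire["digest"])


def plaintext_login(db, user, password):
    # db maps user -> hashed record. The wire carries the password itself.
    wire = {"username": user, "password": password}
    return wire, plaintext_server_verify(db[user], wire["password"])


def contains_password(obj, password):
    # Does the serialized store or message reveal the password verbatim?
    return password in json.dumps(obj)


def compare_exposure(password="correct horse", stream_id="1461777714"):
    # Constructed sample data: one user, both server stores, one login each.
    user = "alice"
    legacy_db = {user: password}
    hashed_db = {user: make_password_record(password)}
    legacy_wire, legacy_ok = legacy_login(legacy_db, user, password, stream_id)
    plain_wire, plain_ok = plaintext_login(hashed_db, user, password)
    # A digest observed on one stream does not verify on another stream id,
    # because the stream id is folded into the hash.
    replayed = legacy_server_verify(legacy_db[user], stream_id + "0", legacy_wire["digest"])
    return {
        "legacy_accepted": legacy_ok,
        "plaintext_accepted": plain_ok,
        "legacy_db_reveals_password": contains_password(legacy_db, password),
        "legacy_wire_reveals_password": contains_password(legacy_wire, password),
        "hashed_db_reveals_password": contains_password(hashed_db, password),
        "plaintext_wire_reveals_password": contains_password(plain_wire, password),
        "legacy_digest_verifies_on_other_stream": replayed,
    }


if __name__ == "__main__":
    for key, value in compare_exposure().items():
        print(f"{key}: {value}")
```

The two designs move the exposure rather than remove it: the legacy digest keeps the password off the wire but forces the server to keep every password in the clear at rest, while the Unix-style record protects the database but puts the password itself on the wire, which is exactly why TLS is wanted in that case.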
