[ejabberd] external auth

Eric Cestari eric at ohmforce.com
Wed Apr 15 20:37:08 MSD 2009


On 15 Apr 09 at 11:47, Fabio Forno wrote:

> hi,
>
> two rapid questions about ext auth:
>
> - I've seen there is just plain password implemented, is there any
> hidden reason for this? The patch for digest auth seems quite
> trivial, I can provide it quickly, but perhaps there is something I'm
> missing...

The problem is that the digest is built by hashing the password and the
session id (the latter being of course one-time).
Unless the password is stored in clear (so that the hash can be rebuilt
server-side), one can't re-hash the password with a different
salt to auth against the stored password hash.


So the only solution for a patch to work would be to have passwords
stored in clear, and in that case the patch would be easy to write --
mnesia auth does that.

> - in the port protocol params are all concatenated in one string using ":"
> as separator, but I think ":" is allowed in passwords and I don't see
> any escaping.
>
> -- 
> Fabio Forno, Ph.D.
> Bluendo srl http://www.bluendo.com
> jabber id: ff at jabber.bluendo.com

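The separator question quoted above, worked through as an added example (not code from this thread or from ejabberd): an external auth script that splits the request on every ":" truncates a password containing ":", while bounding the split keeps it intact. The 2-byte length framing, the `auth` operation name, the reply encoding and the sample accounts are assumptions or constructed values, not details given in the thread.

```python
import hmac
import struct

# Constructed sample accounts; cleartext only to keep the example short.
ACCOUNTS = {("alice", "example.org"): "secret", ("bob", "example.org"): "pa:ss"}

def read_request(stream):
    """Read one request: 2-byte big-endian length, then the payload (assumed framing)."""
    header = stream.read(2)
    if len(header) < 2:
        return None  # EOF: the server closed the port
    (size,) = struct.unpack(">H", header)
    payload = stream.read(size)
    if len(payload) < size:
        return None  # truncated frame
    return payload.decode("utf-8")

def parse_naive(request):
    """Split on every ':' and keep four fields: a password containing ':' is cut short."""
    return tuple(request.split(":")[:4])

def parse_request(request):
    """Bound the split so everything after the third ':' stays in the password.
    Assumes user and server names never contain ':'."""
    fields = request.split(":", 3)
    if len(fields) != 4 or fields[0] != "auth":
        raise ValueError("unsupported or malformed request")
    return tuple(fields)

def authenticate(parser, request):
    """Return True when the password produced by `parser` matches the stored one."""
    try:
        op, user, server, password = parser(request)
    except ValueError:
        return False
    stored = ACCOUNTS.get((user, server))
    if op != "auth" or stored is None:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())

def encode_result(ok):
    """Reply frame: length 2, then 1 for success or 0 for failure (assumed framing)."""
    return struct.pack(">HH", 2, 1 if ok else 0)
```

With the naive parser, bob's legitimate password `pa:ss` is rejected, and for alice any input beginning with `secret:` is treated as her password `secret`.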

