[ejabberd] Authentication and security problems

Adriana Moga adriana.moga at rcs-rds.ro
Mon Apr 11 17:39:11 MSD 2011


I'm fighting with ejabberd (2.1.5, 2.1.6) on the security side.
Even though I have enabled SSL/TLS and a valid certificate, the communication 
over c2s and s2s is not encrypted. I can see the passwords at debug loglevel.
Is there a way to not see them in plain text?

I'm testing with mnesia local authentication and MySQL database storage.
With MySQL: I tried to modify the odbc_queries.erl file to encrypt MySQL 
passwords with the MD5 algorithm. The user can be registered with an MD5 
password, but nothing more, because I don't know what else I need to modify in 
odbc_queries.erl. Zero knowledge about Erlang. So, even though the user is 
registered, he can't log in with a client because the XML parser is interrogating 
passwords only in plain text. If I paste into the client the string with the 
encrypted password from the MySQL users table, logging in works, but that is 
not a nice solution.

Here is what I changed in odbc_queries.erl:

   add_user(LServer, Username, Pass) ->
       ejabberd_odbc:sql_query(
         LServer,
         ["insert into users(username, password) "
          %% original line: "values ('", Username, "', '", Pass, "');"]).
          "values ('", Username, "', MD5('", Pass, "'));"]).

Also I have tried to use LDAP authentication (Active Directory), and even 
though the LDAP port connection is 636, the authentication is working in 
plain text. Same stuff, the passwords appear in plain text.
What can I do?

Thank you,
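An added illustration of the MD5 problem described in the post (this is example code written for this page, not ejabberd's own code): hashing the password in add_user changes only what is stored, while the verification path still compares the stored column with whatever the client sent, so only pasting the hash itself logs in. In ejabberd 2.1.x that comparison lives in ejabberd_auth_odbc:check_password, not in odbc_queries, which is why editing the insert alone is not enough. The example stands in for the MySQL users table with an in-memory sqlite database and registers a Python MD5() function so the queries read like the real ones; the user "alice" / "s3cret" is constructed sample data.

```python
import hashlib
import hmac
import sqlite3


def md5_hex(text: str) -> str:
    """Hex digest matching what MySQL's MD5() returns for the same string."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def open_users_db() -> sqlite3.Connection:
    """Constructed stand-in for the ejabberd 'users' table (sqlite, in memory).

    MySQL has MD5() built in; sqlite does not, so an equivalent function is
    registered under the same name so the queries below read like the real ones.
    """
    conn = sqlite3.connect(":memory:")
    conn.create_function("MD5", 1, md5_hex)
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    return conn


def add_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    """The modified add_user query from the post: the hash, not the password, is stored."""
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, MD5(?))",
        (username, password),
    )


def get_password(conn: sqlite3.Connection, username: str):
    """Equivalent of odbc_queries:get_password: whatever sits in the column."""
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def check_password_unmodified(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The unchanged check: stored value == value sent by the client.

    With hashed storage this only succeeds when the client sends the hash
    itself, which is exactly the symptom described in the post.
    """
    return get_password(conn, username) == password


def check_password_hashed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The check that must accompany the hashed insert: hash the submitted
    password the same way before comparing, using a constant-time compare."""
    stored = get_password(conn, username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, md5_hex(password))


def demo() -> dict:
    """Registers a constructed user and exercises both verification paths."""
    conn = open_users_db()
    add_user(conn, "alice", "s3cret")  # constructed sample credentials
    stored = get_password(conn, "alice")
    return {
        "stored_is_hash": stored == md5_hex("s3cret"),
        "old_check_with_password": check_password_unmodified(conn, "alice", "s3cret"),
        "old_check_with_hash": check_password_unmodified(conn, "alice", stored),
        "new_check_with_password": check_password_hashed(conn, "alice", "s3cret"),
        "new_check_with_hash": check_password_hashed(conn, "alice", stored),
        "new_check_unknown_user": check_password_hashed(conn, "nobody", "x"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats a practitioner would weigh before going this route: unsalted MD5 offers little protection against offline cracking of a leaked table, and once the server holds only a hash, SASL mechanisms that need the clear password on the server side (DIGEST-MD5) stop working, leaving PLAIN over TLS. TLS also only protects the wire; the server decrypts the stream before parsing it, which is why the password is still visible in debug-level logs.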

