[ejabberd] Authentication and security problems
adriana.moga at rcs-rds.ro
Mon Apr 11 17:39:11 MSD 2011
I'm fighting with ejabberd (2.1.5, 2.1.6) on the security side.
Even though I have enabled SSL/TLS and a valid certificate, the communication
over c2s and s2s is not encrypted. I can see the passwords at debug loglevel.
Is there a way to not see them in plain text?
I'm testing with mnesia local authentication and mysql database storage.
With MySQL: I tried to modify the odbc_queries.erl file to encrypt MySQL
passwords with the MD5 algorithm. The user can be registered with an MD5
password, but nothing more, because I don't know what else I need to modify in
odbc_queries.erl. Zero knowledge about Erlang. So, even though the user is
registered, he can't log in from the client because the XML parser is
interrogating passwords only in plain text. If I paste into the client the
string with the encrypted password from the MySQL users table, the login works,
but it is not a nice solution.
Here is what I changed in odbc_queries.erl:
add_user(LServer, Username, Pass) ->
    %% surrounding ejabberd_odbc:sql_query/2 call as in ejabberd 2.1 odbc_queries.erl
    ejabberd_odbc:sql_query(
      LServer,
      ["insert into users(username, password) "
       %% original line, now commented out:
       %% "values ('", Username, "', '", Pass, "');"]).
       %% changed line: let MySQL store MD5(password) instead of the password
       "values ('", Username, "', MD5('", Pass, "'));"]).
I have also tried to use LDAP authentication (Active Directory), and even
though the LDAP connection port is 636, the authentication is working in
plain text. Same stuff: the passwords appear in plain text.
What can I do?
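The symptom above (registration works, normal login fails, pasting the hash from the users table logs in) follows from changing only the storing side. The following Python model is an added example, not code from ejabberd or from the poster: it emulates the MySQL users table with in-memory SQLite plus a registered MD5() function, and assumes that the unmodified login check compares the stored column with the client-supplied password as-is, which is what the observed behaviour implies. It shows that the check must hash the candidate the same way before comparing.

```python
import hashlib
import hmac
import sqlite3


def mysql_md5(value: str) -> str:
    """Emulate MySQL's MD5(): 32 lowercase hex characters of the MD5 digest."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL 'users' table (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no MD5() function; register one so the INSERT below mirrors the MySQL query.
    conn.create_function("MD5", 1, mysql_md5)
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    return conn


def add_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Modified registration: the database stores MD5(password), not the password."""
    conn.execute("INSERT INTO users(username, password) VALUES (?, MD5(?))",
                 (username, password))


def get_password(conn: sqlite3.Connection, username: str):
    """Fetch the stored column; None when the user does not exist."""
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None


def check_password_unmodified(conn: sqlite3.Connection, username: str, candidate: str) -> bool:
    """Login check left unchanged: stored value compared with what the client sent.
    Against a hashed column this only succeeds when the client sends the hash itself."""
    stored = get_password(conn, username)
    return stored is not None and hmac.compare_digest(stored, candidate)


def check_password_hashed(conn: sqlite3.Connection, username: str, candidate: str) -> bool:
    """Companion change the login side needs: hash the candidate the same way, then compare."""
    stored = get_password(conn, username)
    return stored is not None and hmac.compare_digest(stored, mysql_md5(candidate))
```

With only the digest stored, the server can verify a password sent in full (SASL PLAIN, which is why it must travel over TLS) but can no longer answer challenge-response mechanisms such as DIGEST-MD5, and an unsalted MD5 column is not a strong password store.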