[ejabberd] password insecurity

H.-Chr. Schreiber christian.schreiber at imessage.de
Fri Jun 14 18:38:38 MSK 2013


I've written a Python script to authenticate against IMAP. For an
see the official ejabberd documentation [1].

That script reads from stdin in an endless loop. The input will be
split into an array:

> return sys.stdin.read(size).split(':')

If colons are allowed in your passwords (as in my case) you should do:
> return sys.stdin.read(size).split(':', 3)

Choose auth_method external in your ejabberd configuration e.g.:

--------------------- %< ----------------------
{auth_method, external}.
{extauth_instances, 4}.
{extauth_cache, 600}.

--------------------- %< ----------------------

That works pretty well for me. AFAIK extauth_cache is the cause for
cleartext passwords in mnesia. So eventually you can avoid that by
disabling the cache.
I don't really know if this is possible, but probably not.
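An added example, not the poster's script, showing how an extauth script parses ejabberd's length-prefixed requests with split(':', 3) so that colons inside the password survive. The wire format follows the ejabberd extauth documentation; the in-memory account table, the demo_verify/demo_exists functions and the refusal of setpass/tryregister/removeuser are constructed assumptions standing in for the poster's IMAP check.

```python
"""Added example: a minimal ejabberd external-auth (extauth) script skeleton.

Wire format, per the ejabberd extauth documentation: ejabberd writes a 2-byte
big-endian length followed by that many bytes of "operation:user:server" or
"operation:user:server:password"; the script answers with the 2-byte length 2
followed by a 2-byte big-endian result (1 = success, 0 = failure).

The poster's script checks credentials against IMAP; here a constructed
in-memory table (CONSTRUCTED_ACCOUNTS) stands in for that backend.
"""
import hmac
import io
import struct
import sys
from typing import Callable, Optional

# Operations defined by the extauth protocol, grouped by whether a
# password field follows the server.
OPS_WITH_PASSWORD = {"auth", "setpass", "tryregister", "removeuser3"}
OPS_WITHOUT_PASSWORD = {"isuser", "removeuser"}

# Constructed sample data standing in for the IMAP server; the password
# deliberately contains a colon.
CONSTRUCTED_ACCOUNTS = {("alice", "example.org"): "se:cret"}


def parse_request(payload: bytes) -> dict:
    """Split one request body into op, user, server and (optional) password.

    maxsplit=3 is the whole point: a JID localpart and domain cannot contain
    ':' (nodeprep forbids it), so the fourth field is the password exactly as
    typed, colons included.  A plain split(':') would chop "se:cret" in two.
    """
    parts = payload.decode("utf-8").split(":", 3)
    op = parts[0]
    if op in OPS_WITH_PASSWORD and len(parts) == 4:
        return {"op": op, "user": parts[1], "server": parts[2], "password": parts[3]}
    if op in OPS_WITHOUT_PASSWORD and len(parts) == 3:
        return {"op": op, "user": parts[1], "server": parts[2], "password": None}
    raise ValueError("malformed extauth request: %r" % payload[:40])


def read_request(stream) -> Optional[bytes]:
    """Read one length-prefixed request; None when ejabberd closes the pipe."""
    header = stream.read(2)
    if len(header) < 2:
        return None
    (length,) = struct.unpack(">H", header)
    payload = stream.read(length)
    return payload if len(payload) == length else None


def frame_request(payload: bytes) -> bytes:
    """Inverse of read_request; used to build offline test input."""
    return struct.pack(">H", len(payload)) + payload


def encode_reply(ok: bool) -> bytes:
    """Reply frame: length 2, then 1 for success or 0 for failure."""
    return struct.pack(">HH", 2, 1 if ok else 0)


def demo_verify(user: str, server: str, password: str) -> bool:
    """Constant-time check against the constructed table (IMAP stand-in)."""
    stored = CONSTRUCTED_ACCOUNTS.get((user, server))
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))


def demo_exists(user: str, server: str) -> bool:
    """Constructed stand-in for asking the backend whether an account exists."""
    return (user, server) in CONSTRUCTED_ACCOUNTS


def handle(payload: bytes, verify: Callable[[str, str, str], bool],
           exists: Callable[[str, str], bool]) -> bytes:
    """Map one request to its reply; anything unparseable is a failure."""
    try:
        req = parse_request(payload)
    except (ValueError, UnicodeDecodeError):
        return encode_reply(False)
    if req["op"] == "auth":
        return encode_reply(verify(req["user"], req["server"], req["password"]))
    if req["op"] == "isuser":
        return encode_reply(exists(req["user"], req["server"]))
    # setpass, tryregister, removeuser*: a read-only backend refuses them.
    return encode_reply(False)


def serve(stream_in, stream_out, verify, exists) -> None:
    """The endless loop the poster describes: read, answer, repeat until EOF."""
    while True:
        payload = read_request(stream_in)
        if payload is None:
            break
        stream_out.write(handle(payload, verify, exists))
        stream_out.flush()


def serve_bytes(data: bytes, verify=demo_verify, exists=demo_exists) -> bytes:
    """Run serve() over in-memory streams; handy for offline testing."""
    out = io.BytesIO()
    serve(io.BytesIO(data), out, verify, exists)
    return out.getvalue()


if __name__ == "__main__":
    # Under ejabberd, stdin/stdout are the pipe; use the binary buffers.
    serve(sys.stdin.buffer, sys.stdout.buffer, demo_verify, demo_exists)
```

With split(':') instead of split(':', 3), the request "auth:alice:example.org:se:cret" would yield five fields and the password "se" would be checked, so every user with a colon in their password would be locked out; the caching point in the post is separate from this and is not affected by how the script parses its input.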


