Authentication bug?
Jos I. Boumans
jos at dwim.org
Thu Aug 7 11:50:29 UTC 2008
On 06 Aug 2008, at 19:34, Artur Bergman wrote:
> AFAIR if you return from a hook like that, it is supposed to
> terminate the hook chain and proceed.
>
> So in this case, as long as the password matches when
> StaticPassword returns, then you are good to go.
>
> Solution would be not to use StaticPassword
After a short IM conversation, it turns out that this is more a documentation issue (and perhaps a slight tweak to AllowedUsers, to also register a GetPassword hook) than a serious issue.

I suggest the text below as a doc patch to explain the situation. Please correct me if my assumptions are wrong:
=== lib/DJabberd/Authen/StaticPassword.pm
==================================================================
--- lib/DJabberd/Authen/StaticPassword.pm (revision 6909)
+++ lib/DJabberd/Authen/StaticPassword.pm (local)
@@ -7,13 +7,31 @@
$self->{password} = $pass;
}
+# If can_retrieve_cleartext is set to true,
+# Authen.pm will register the GetPassword hook.
+# That hook is then called from IQ.pm when a password
+# needs to be checked.
+#
+# The hook then invokes the get_password routine below,
+# which will return the static password and return it via
+# the ->set method on the callback.
+#
+# IQ.pm will then validate that password and accept/reject
+# it. This means no other hooks will get called in this chain.
+# Also, none of the CheckCleartext/CheckDigest hooks will be
+# called.
+#
+# See the documentation in HookDocs about 'GetPassword' for
+# more details.
sub can_retrieve_cleartext { 1 }
+# will be called if can_retrieve_cleartext returns 1
sub get_password {
my ($self, $cb, %args) = @_;
$cb->set($self->{password});
}
+# will be called if can_retrieve_cleartext returns 0
sub check_cleartext {
my ($self, $cb, %args) = @_;
if ($args{password} eq $self->{password}) {
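Review bot: the comment block added above can_retrieve_cleartext says the hook "will return the static password and return it via the ->set method", which is redundant, and it leaves out the practical consequence this message is about: once the GetPassword hook answers, any other Authen plugin that only implements CheckCleartext/CheckDigest (AllowedUsers, as discussed above) is never consulted. Suggest tightening to `# which looks up the static password and hands it back via $cb->set(...)` and adding a line such as `# Plugins that rely on CheckCleartext/CheckDigest (e.g. AllowedUsers) are therefore bypassed.` so a deployer sees the interaction without reading HookDocs.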
=== lib/DJabberd/HookDocs.pm
==================================================================
--- lib/DJabberd/HookDocs.pm (revision 6909)
+++ lib/DJabberd/HookDocs.pm (local)
@@ -19,9 +19,9 @@
$hook{'filter_incoming_server'} = {};
$hook{'switch_incoming_server'} = {};
-
+# q[ ] since we use ' and non-interpolated variables
$hook{'GetPassword'} = {
- des => "Lookup a user's plaintext password",
+ des => q[Called when a client tries to authenticate. The hook is
asked to lookup and return a user's plaintext password via $cb->set
( $pass ). If the hook returns the password, DJabberd::IQ will
validate the password and either accept or reject the authentication.
If you want to do your own validation, do not allow a GetPassword
hook to be registered that returns the password via the callback, and
use the CheckCleartext or CheckDigest hooks instead],
args => [ "username" => '$username', "conn" => 'Connection', ],
callbacks => {
set => ['password'],
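Review bot: the wrapped continuation lines of the new `des` value (from `asked to lookup and return ...` through `... CheckDigest hooks instead],`) carry no `+` prefix, so the hunk as pasted will not apply cleanly; either keep the q[...] string on a single `+` line or prefix every wrapped line with `+`. The `# q[ ] since we use ' and non-interpolated variables` comment also sits above the `$hook{'GetPassword'}` line rather than beside the `des` entry it explains; moving it next to `des` (or wording it `# q[] so the apostrophe and the literal $cb need no escaping`) would be clearer. Finally, the description could state explicitly what the rest of this thread relies on: the first hook that calls $cb->set ends the GetPassword chain, so no later hook is consulted.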
--
Jos
Boumans
http://www.linkedin.com/in/josboumans
How do I prove I'm not crazy to people who are?
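As an added illustration (not code from DJabberd or from the message above), the following Perl models the hook-chain behaviour described in the thread: the first GetPassword hook that answers ends the chain, so with StaticPassword alone any user who knows the shared password is accepted, while an AllowedUsers plugin that also registers a GetPassword hook (the tweak suggested above) can reject unknown users before StaticPassword answers. The Callback class, run_hook_chain, authenticate and both hook bodies are simplified stand-ins constructed for this example, not DJabberd's API.

```perl
use strict;
use warnings;

# Constructed model of the thread's hook chain: set()/reject() answers and
# ends the chain, decline() hands over to the next hook. Not DJabberd's code.
package Callback;
sub new     { my $class = shift; return bless { result => undef, done => 0 }, $class }
sub set     { my ($s, $pass) = @_; $s->{result} = $pass; $s->{done} = 1 }
sub reject  { $_[0]{done} = 1 }      # terminate the chain with no password
sub decline { $_[0]{done} = 0 }      # let the next registered hook answer
sub done    { $_[0]{done} }
sub result  { $_[0]{result} }

package main;
# Hooks run in registration order; the first to set() or reject() wins and
# every hook after it, including CheckCleartext-style checks, is skipped.
sub run_hook_chain {
    my ($hooks, %args) = @_;
    for my $hook (@$hooks) {
        my $cb = Callback->new;
        $hook->($cb, %args);
        return $cb->result if $cb->done;
    }
    return undef;
}

# The IQ.pm side as described above: compare the returned password and
# accept or reject; no further hooks are consulted.
sub authenticate {
    my ($hooks, $user, $supplied) = @_;
    my $stored = run_hook_chain($hooks, username => $user);
    return (defined $stored && $stored eq $supplied) ? 'accept' : 'reject';
}

# Hypothetical hook bodies built for this example.
my %allowed = (alice => 1, bob => 1);
my $static_password = sub { $_[0]->set('s3cret') };   # StaticPassword
my $allowed_users   = sub {                           # AllowedUsers tweak
    my ($cb, %args) = @_;
    $allowed{ $args{username} } ? $cb->decline : $cb->reject;
};

# StaticPassword alone: the chain ends before any AllowedUsers check could run.
print "mallory, static only:    ", authenticate([$static_password], 'mallory', 's3cret'), "\n";
# With AllowedUsers answering first, unknown users are rejected up front.
my @chain = ($allowed_users, $static_password);
print "mallory, allowed+static: ", authenticate(\@chain, 'mallory', 's3cret'), "\n";
print "alice, allowed+static:   ", authenticate(\@chain, 'alice', 's3cret'), "\n";
print "alice, wrong password:   ", authenticate(\@chain, 'alice', 'nope'), "\n";
```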