Authentication bug?

Jos I. Boumans jos at dwim.org
Thu Aug 7 11:50:29 UTC 2008


On 06 Aug 2008, at 19:34, Artur Bergman wrote:

> AFAIR if you return from a hook like that, it is supposed to  
> terminate the hook chain and proceed.
>
> So in this case, as long as the password matches when  
> StaticPassword returns, then you are good to go.
>
> Solution would be not to use StaticPassword

After a short IM conversation, it turns out that this is more a documentation issue, perhaps needing a slight tweak to AllowedUsers (to also register a GetPassword hook), rather than a serious issue.

I suggest the below text as a doc patch to explain the situation. Please correct me if my assumptions are wrong:

=== lib/DJabberd/Authen/StaticPassword.pm
==================================================================
--- lib/DJabberd/Authen/StaticPassword.pm       (revision 6909)
+++ lib/DJabberd/Authen/StaticPassword.pm       (local)
@@ -7,13 +7,31 @@
      $self->{password} = $pass;
  }

+# If can_retrieve_cleartext is set to true,
+# Authen.pm will register the GetPassword hook.
+# That hook is then called from IQ.pm when a password
+# needs to be checked.
+#
+# The hook then invokes the get_password routine below,
+# which will return the static password and return it via
+# the ->set method on the callback.
+#
+# IQ.pm will then validate that password and accept/reject
+# it. This means no other hooks will get called in this chain.
+# Also, none of the CheckCleartext/CheckDigest hooks will be
+# called.
+#
+# See the documentation in HookDocs about 'GetPassword' for
+# more details.
  sub can_retrieve_cleartext { 1 }

+# will be called if can_retrieve_cleartext returns 1
  sub get_password {
      my ($self, $cb, %args) = @_;
      $cb->set($self->{password});
  }

+# will be called if can_retrieve_cleartext returns 0
  sub check_cleartext {
      my ($self, $cb, %args) = @_;
      if ($args{password} eq $self->{password}) {
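Review bot: the new comment block above can_retrieve_cleartext states that "no other hooks will get called in this chain" but stops short of the practical consequence that prompted this thread: once get_password has handed the static password to $cb->set, IQ.pm does the comparison itself, so any authentication module placed after StaticPassword in the chain (the AllowedUsers check mentioned earlier in the mail, for instance) is never consulted. Spell that out in the comment, together with the recommended placement in the chain or the AllowedUsers GetPassword tweak, so an administrator reading the module knows what they are giving up. Two smaller points: "which will return the static password and return it via" repeats "return" (suggest "which returns the static password via the ->set method on the callback"), and the one-line comments on get_password and check_cleartext would be clearer as "# GetPassword hook; called when can_retrieve_cleartext returns 1" and "# CheckCleartext hook; called when can_retrieve_cleartext returns 0".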
=== lib/DJabberd/HookDocs.pm
==================================================================
--- lib/DJabberd/HookDocs.pm    (revision 6909)
+++ lib/DJabberd/HookDocs.pm    (local)
@@ -19,9 +19,9 @@
  $hook{'filter_incoming_server'} = {};
  $hook{'switch_incoming_server'} = {};

-
+# q[ ] since we use ' and non-interpolated variables
  $hook{'GetPassword'} = {
-    des => "Lookup a user's plaintext password",
+    des => q[Called when a client tries to authenticate. The hook is  
asked to lookup and return a user's plaintext password via $cb->set 
( $pass ). If the hook returns the password, DJabberd::IQ will  
validate the password and either accept or reject the authentication.  
If you want to do your own validation, do not allow a GetPassword  
hook to be registered that returns the password via the callback, and  
use the CheckCleartext or CheckDigest hooks instead],
      args => [ "username" => '$username', "conn" => 'Connection', ],
      callbacks => {
          set => ['password'],
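Review bot: the replacement des value is split over several physical lines that carry no leading "+", so the hunk as posted will not apply with patch; the counts in "@@ -19,9 +19,9 @@" only add up if the whole q[...] string is a single line, which points to mail-client wrapping rather than the working copy. Resend the diff as an attachment or keep the string on one line, and while at it restore "$cb->set($pass)", which the wrapping turned into "$cb->set ( $pass )". On the content itself, the last sentence advises a plugin author not to register a GetPassword hook if they want to do their own validation, but the case raised in this thread is the other direction: a different module in the chain (StaticPassword) registers it and thereby pre-empts the CheckCleartext/CheckDigest hooks of every module that follows. The description should say that an installed GetPassword hook that sets the password ends the chain for all modules, not just for the one that registered it.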

--

   Jos Boumans
   http://www.linkedin.com/in/josboumans

   How do I prove I'm not crazy to people who are?