MySQL module

Brad Fitzpatrick brad at danga.com
Mon Jul 3 18:34:23 UTC 2006


get_password means that:  given a user, you can give DJabberd the raw
cleartext password, and DJabberd will choose the right auth mechanism
that's the most secure.

check_cleartext means you don't have the cleartext password, but if it
were given to you, you could tell DJabberd if it were correct or not (say,
by passing it on to an upstream auth provider, like an LDAP server)

There's also check_digest which means that you don't know the cleartext,
and you can't check the cleartext, but you could pass the stream
session ID and the user's hashed password along to an upstream auth
provider and it'd know Jabber auth enough to say YES or NO.

You'll probably only use the 1st and 2nd.  The third is a rare case.

You should support both the 1st and 2nd when possible:  in your MySQL
plugin, sometimes you do have the raw password (unencrypted case), so you
should pass that to djabberd in get_password so it can do
challenge/response over non-SSL and still be secure.  Otherwise you'll
have to force your users into SSL, and even THEN, a lot of clients will
bitch about sending a cleartext password at all, even over SSL.  (it's
odd)



On Mon, 3 Jul 2006, Karjala wrote:

> I see.
>
> Am I right then to say that the function get_password is called whenever
> Digest/Cram/SASL is used, and the function check_cleartext is called
> whenever the "password is sent between the two computers"?
>
> Either get_password is called or check_cleartext, but not both during a
> single login.
>
> Right?
>
> What is TLS?
>
>
>
> Manuzhai wrote:
> >> One of the things I don't understand is how allowing plaintext passwords
> >> will make challenge/response type stuff to happen.
> >
> > Going out on a limb here: DJabberd needs to do all the little
> > transformation thingies on the unencrypted password in order to
> > support SASL-auth methods like DIGEST-MD5. If all you store is a
> > hashed version of the password, then the only thing DJ can do is
> > compare a hashed version of the PLAIN version of the password sent by
> > the client to the hashed version in the database.
> >
> > If, however, you enable retrieving a cleartext password from the
> > database (whether by just storing the cleartext or by using a
> > reversible form of encryption), DJabberd can use that to do
> > challenge-response SASL-stuff (like DIGEST-MD5 and CRAM-MD5).
> >
> > (It's a little hard to explain, I hope I got my point across.)
> >
> > Regards,
> >
> > Manuzhai
> >
>
>
>
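The distinction drawn above, that a backend able to return the cleartext can verify a challenge/response mechanism while a hash-only backend can only verify a password the client sends in the clear, as an added Python example (not DJabberd's own Perl code; the hook names get_password and check_cleartext are borrowed from the thread, the CRAM-MD5 steps follow RFC 2195, and the users and challenge are constructed):

```python
import hashlib
import hmac
import os

# Constructed illustration, not DJabberd's own code; the hook names are borrowed.

def cram_md5_response(username, password, challenge):
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 keyed by the password."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"

class CleartextStore:
    """Backend that can hand back the cleartext: the get_password case."""
    def __init__(self, users):
        self._users = dict(users)

    def get_password(self, username):
        return self._users.get(username)

    def verify_cram_md5(self, challenge, response):
        # The server recomputes the client's HMAC, which is only possible
        # because it holds the same key: the cleartext password.
        username, _, digest = response.partition(" ")
        password = self.get_password(username)
        if password is None:
            return False
        expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
        return hmac.compare_digest(expected, digest)

class HashOnlyStore:
    """Backend holding salted one-way hashes only: the check_cleartext case."""
    def __init__(self, users):
        self._users = {}
        for username, password in users.items():
            salt = os.urandom(16)
            self._users[username] = (salt, self._hash(salt, password))

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_cleartext(self, username, password):
        # Works for PLAIN: the client sent the password, so it can be hashed.
        entry = self._users.get(username)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, self._hash(salt, password))

    def verify_cram_md5(self, challenge, response):
        # No key to recompute the HMAC with: the backend has to decline.
        return None
```

A hash-only backend returning None here is the "decline" case; the server then has to fall back to PLAIN, which is why the message recommends offering get_password whenever the cleartext is available.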

