[JDEV] Passwords, zero-K and storage

DJ Adams dj.adams at pobox.com
Fri Jun 15 17:52:58 CDT 2001


Hi all

there was a question in the jdev room about how to avoid storing usernames
and passwords in the <username>.xml files on the server.[1] 

I blurted out 'zero-K!' for half the answer - a way of "removing the 
liability of storing password on the server"[2]. This was followed by
another answer a couple of mins later which contradicted me. I tried
it out on my server, and sure enough, even when the mod_auth_plain and
mod_auth_digest modules were commented out of JSM's load list, a password
in plain text was stored on the server as well as the zero-K stuff. 

Hmmm, I thought. And went about my business, sheepishly. But this 
contradiction played on my mind, until such time as now where it has
forced me out of bed to check it out. 

The reason why this is the case (plaintext password stored despite 
only using the zero-K auth module) is because of mod_register, which
stores the password, in the NS_AUTH space, when a user registers, 
regardless of what its fellow e_REGISTER event handlers (mod_auth_plain
and mod_auth_0k [3]) are designed to do, or so it seems. 

Here's the relevant bit in mod_auth_plain:

int mod_auth_plain_reset(mapi m, jid id, xmlnode pass)
{
    log_debug("mod_auth_plain","resetting password");
    if(xmlnode_get_data(pass) == NULL) return 1;

    xmlnode_put_attrib(pass,"xmlns",NS_AUTH);
    return xdb_set(m->si->xc, jid_user(id), NS_AUTH, pass);   <----
}

and here's the relevant bit in mod_auth_0k:

int mod_auth_0k_reset(mapi m, jid id, xmlnode xpass)

    ...

    }else{ /* make them exist with an empty password */
        log_debug(ZONE,"NS_AUTH check - user DOES NOT exist");
        x = xmlnode_new_tag_pool(xmlnode_pool(xpass),"password");
        xmlnode_put_attrib(x,"xmlns",NS_AUTH);
        if(xdb_set(m->si->xc, jid_user(id), NS_AUTH, x))      <----
            return 1; /* uhoh */
    }

Both store a password (plaintext, or empty, respectively) in NS_AUTH space.

So mod_register doesn't need to - and even if it were to, how would it
know about the existence (or not) of mod_auth_plain or mod_auth_0k, i.e.
how could it know about whether to store a plaintext or an empty 
password? It doesn't, and goes ahead and does the former:

mreturn mod_register_new(mapi m, void *arg)

    ...

        /* try to save the auth data */
        if(xdb_set(m->si->xc, jid_user(m->packet->to), NS_AUTH, xmlnode_get_tag(m->packet->iq,"password")))                                   <----
        {
            jutil_error(m->packet->x, TERROR_FORBIDDEN); 
            break;
        }
 
I'm aware of other related issues regarding existence checks for users,
but am trying to keep them separate from what I see as a bit of an
issue with server-side password storage and administrator expectations.

Anyway, I would suggest that the snippet of code in mod_register_new()
shown above is both redundant and wrong, and should be removed. The 
purpose of this code is served by mod_auth_plain and / or mod_auth_0k.

Of course, I'm ready to be contradicted again; I'd like to hear what
others think. I've tried this out (removing the snippet) on my test
server and it solves the problem and doesn't cause any others, as far
as my minimal testing has shown.

What do you think?

dj


[1] http://perl.jabber.org/logs/conference.jabber.org/jdev/2001-06-12.html
    at around 13:16pm

[2] http://docs.jabber.org/draft-proto/html/zerok.html

[3] and mod_last too, but this doesn't count here
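
Added example (not part of the original post and not jabberd code): a spool audit an administrator could run to see which <username>.xml files still carry a non-empty password in the NS_AUTH space, the condition described above. The namespace string "jabber:iq:auth", the <xdb> wrapper, the xdbns attribute and the sample records are assumptions constructed for illustration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

NS_AUTH = "jabber:iq:auth"  # assumption: the string behind the NS_AUTH constant

# Constructed sample records; the <xdb> wrapper and xdbns attribute are assumed.
SAMPLES = {
    "alice": "<xdb><password xmlns='jabber:iq:auth' xdbns='jabber:iq:auth'>"
             "secret</password></xdb>",                      # plaintext stored
    "bob": "<xdb><password xmlns='jabber:iq:auth' xdbns='jabber:iq:auth'/></xdb>",
    "carol": "<xdb><password xmlns='jabber:iq:auth'",        # truncated file
}


def plaintext_password_present(xml_text):
    """True if the record holds a non-empty <password/> in NS_AUTH."""
    root = ET.fromstring(xml_text)
    return any((el.text or "").strip()
               for el in root.iter("{%s}password" % NS_AUTH))


def audit_spool(spool_dir):
    """Return (users with a stored password, files that could not be parsed)."""
    flagged, unreadable = [], []
    for path in sorted(Path(spool_dir).glob("*.xml")):
        try:
            if plaintext_password_present(path.read_text(encoding="utf-8")):
                flagged.append(path.stem)
        except ET.ParseError:
            unreadable.append(path.stem)  # report, never silently skip
    return flagged, unreadable


def demo():
    """Write the constructed samples to a temp spool and audit it."""
    with tempfile.TemporaryDirectory() as spool:
        for user, body in SAMPLES.items():
            Path(spool, user + ".xml").write_text(body, encoding="utf-8")
        return audit_spool(spool)


if __name__ == "__main__":
    print(demo())
```

An empty <password/> element, as written by the mod_auth_0k branch quoted above, is not flagged; only records with password text are.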


