[JDEV] change of password / caching problems in jabberd
amarjeetkaur at credenceanalytics.com
amarjeetkaur at credenceanalytics.com
Wed Dec 4 20:10:05 CST 2002
<PRE>
<PRE>
Hi all,
The thread below (please read bottom-up) tracks a recent jadmin discussion
on a problem a number of us have encountered: when user auto-registration is
turned off, the jabberd server seems to cache old passwords after users
change them.
The thread ran out of gas, with a few unanswered questions.
1) How / why does the password caching work?. I haven't found anything on
change-of-password in the protocol / JEP / design docs I've looked through.
2.) Where's the right place for me to submit a bug / feature request --
against jabberd 1.4.2 (if maintenance work continues there) or 2.0, or
someplace else?
Thanks,
Tim
-----Original Message-----
From: jadmin-admin at jabber.org [mailto:jadmin-admin at jabber.org]On Behalf
Of Ralph Siemsen
Sent: Thursday, December 05, 2002 2:19 AM
To: jadmin at jabber.org
Subject: Re: [jadmin] not allowing auto registration - no password
change
Tim Klem wrote:
> After step 3, if I then insert a step 3.5 and immediately revert to the
old
> password, it succeeds. Following this, the new-password login in step 4
> fails, and I'm back to step 2 -- I can only log in with the old password
> until the cache expires (???), and can't make it to step 4. So it seems
like
> the step 3 "priming the pump" gets clobbered somehow.
Yes, confirmed here as well.
> Does anyone know how the caching works?
I've stared at the code and read all the docs I could find but haven't
been able to figure out why it behaves this way.
-R
-----Origi
nal Message-----
From: jadmin-admin at jabber.org [mailto:jadmin-admin at jabber.org]On Behalf
Of Tim Klem
Sent: Wednesday, December 04, 2002 12:16 AM
To: jadmin at jabber.org
Subject: RE: [jadmin] not allowing auto registration - no password
change
Ralph Siemsen wrote:
> So the sequence appears to be:
> 1) Change your password
> 2) You can continue to login with you old password
> 3) Try logging in with n
ew password (or random gabage) - will fail
> 4) Log in with new password - now the password change is complete.
Thanks Ralph, that helps. If I follow your 4 steps, I have the same
experience. One additional data point to add:
After step 3, if I then insert a step 3.5 and immediately revert to the old
password, it succeeds. Following this, the new-password login in step 4
fails, and I'm back to step 2 -- I can only log in with the old password
until the cache expires (???), and can't make it to step 4. So it seems like
the step 3 "priming the pump" gets clobbered somehow.
Does anyone know how the caching works?
Thanks,
Tim
-----Original Message-----
From: jadmin-admin at jabber.org [mailto:jadmin-admin at jabber.org]On Behalf
Of Ralph Siemsen
Sent: Tuesday, December 03, 2002 10:21 PM
To: jadmin at jabber.org
Subject: Re: [jadmin] not allowing auto registration - no password
change
Tim Klem wrote:
> My setup does have some peculiarities, though:
> - The server seems to take a while to begin using the new password, so a
> user who changes password,
> logs out, and logs right back in still must use the old one. By "a
while"
> I mean many minutes.
> If I restart jabberd, the new one must be used. Dunno what's being
cached
> where. ???
I noticed this problem as well with a variety of clients (Exodus,
Gabber, JIM, ...). After some investigation I found a few more
interesting facts, though I haven't got a good solution:
* When 0k authentication is used, password changes take effect
immediately and work exactly as you would expect.
* When 0k is removed from the available authentication methods on the
server, all clients exhibit the password-change-delay problem.
Moreover, the delay seems to be more of a cache issue. It appears that
the old password remains valid until an unsuccessful login attempt is
made (be it with the new password, or a totally incorrect on). At that
time, the server appears to start using the new password. Subsequently,
the new password works and the old one stops working.
So the sequence appears to be:
1) Change your password
2) You can continue to login with you old password
3) Try logging in with new password (or random gabage) - will fail
4) Log in with new password - now the password change is complete.
-Ralph
-----Original Message-----
From: jadmin-admin at jabber.org [mailto:jadmin-admin at jabber.org]On Behalf
Of Dushyanth Harinath
Sent: Tuesday, December 03, 2002 11:
41 AM
To: jadmin at jabber.org
Subject: Re: [jadmin] not allowing auto registration - no password
change
Hi ,
* <timklem at yahoo.com> wrote from a remote bunker :
> My setup does have some peculiarities, though:
> - The server seems to take a while to begin using the new password, so a
> user who changes password,
> logs out, and logs right back in still must use the old one. By "a
while"
> I mean many minutes.
> If I restart jabberd, the new one must be used. Dunno what's being
cached
> where. ???
This happens with me too. I have only mod_auth_plain enabled,
mod_register & register notify turned off, timeout set to 0 in xdb and
using jcac to create accounts.
> - Using Exodus 0.7.0.4, the password change gets made; however, it always
> gives an error
> message "Error changing password".
Same here. happens with tkabber-0.98beta too.
> Not exactly ideal! =)
Yeah.
cheers
dushyanth
-----Original Message-----
From: jadmin-admin at jabber.org [mailto:jadmin-admin at jabber.org]On Behalf
Of Tim Klem
Sent: Tuesday, December 03, 2002 10:46 AM
To: jadmin at jabber.org
Subject: RE: [jadmin] not allowing auto registration - no password
change
Hi Alan,
In my setup, auto-register is off, but users can change passwords. In
jabber.xml, I've left the jabber:iq:register module in, and just commented
out the register option.
I'm storing the passwords in a MySQL database, and I see the passwords
updated there immediately after the client issues the command. (I've also
hacked my xdb_sql.xml to ensure that no a
ccounts can get created via
jabberd.)
My setup does have some peculiarities, though:
- The server seems to take a while to begin using the new password, so a
user who changes password,
logs out, and logs right back
in still must use the old one. By "a while"
I mean many minutes.
If I restart jabberd, the new one must be used. Dunno what's being cac
hed
where. ???
- Using Exodus 0.7.0.4, the password change gets made; however, it always
gives an error
message "Error changing password".
- Using Psi 0.8.7, the change also gets made; the error here reads "There
was an error when trying
to set the password. Not found."
Not exactly ideal! =)
Tim
-----Original Message-----
From: jadmin-admin at jabber.org [mailto:jadmin-admin at jabber.org]On Behalf
Of Peter Saint-Andre
Sent: Tuesday, December 03, 2002 7:02 AM
To: jadmin at jabber.org
Subject: Re: [jadmin] not allowing auto registration - no password
change
Nope, they can't because you've commented out the code that handles the
jababer:iq:register namespace. Hmm, hadn't thought of that before...
Peter
--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.php
On Wed, 20 Nov 2002, Alan B wrote:
> I asked this before but it seems to have gotten lost in the shuffle of
other
> issues I was addressing so I will try again...
>
> If you shut off auto registration and manually create users is there
anyway
> a user can change their password? It appears they can not.
>
> Thanks,
> Alan
_______________________________________________
jdev mailing list
jdev at jabber.org
http://mailman.jabber.org/listinfo/jdev
</PRE>
_______________________________________________
jdev mailing list
jdev at jabber.org
http://mailman.jabber.org/listinfo/jdev
</PRE>
More information about the JDev
mailing list