[JDEV] user.xml password encryption
David Waite
mass at akuma.org
Mon May 20 11:50:53 CDT 2002
Chris Pile wrote:
>Hi,
>
>I modified the jabber code (mod_auth_plain.c) to encrypt (MD5) user
>passwords in the spool/user.xml files. This works great for plain text
>authentication (the client always sends the <password/>). BUT, this
>doesn't work when the client tries to auth using 0k or digest
>authentication. The server builds the hash from the stored password
>which is of course encrypted and so doesn't match the hash of the plain
>text password known by the client.
>
>I was wondering if there is a way around this. By introducing digest/0k
>auth, has this limited user passwords to be stored as plain text in
>user.xml files?
>
Zero-knowledge auth does not (by definition) require the server to know
the password. Digest does, since the plaintext password becomes the
shared secret used for authentication.
-David Waite
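
An added example, not part of the original thread or of the jabberd source: a simplified Python sketch of the two checks discussed above. It assumes the digest is SHA1(stream id + password) as in jabber:iq:auth and models 0k as a SHA-1 hash chain; all function names and the stream id, token and password values are constructed for illustration.

```python
import hashlib
import hmac

def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()

def client_digest(stream_id: str, password: str) -> str:
    # Digest auth: the client hashes the stream id together with the plaintext password.
    return sha1_hex(stream_id + password)

def server_accepts_digest(stream_id: str, stored: str, received: str) -> bool:
    # The server repeats the computation with whatever user.xml holds.
    return hmac.compare_digest(sha1_hex(stream_id + stored), received)

def zk_hash(password: str, token: str, rounds: int) -> str:
    # 0k (simplified): seed from password and token, then hash `rounds` more times.
    value = sha1_hex(sha1_hex(password) + token)
    for _ in range(rounds):
        value = sha1_hex(value)
    return value

class ZkRecord:
    """Server-side 0k state: a chain value, token and counter, never the password."""
    def __init__(self, chain_value: str, token: str, sequence: int):
        self.hash, self.token, self.sequence = chain_value, token, sequence

    def verify(self, received: str) -> bool:
        # One more hash of the client's value must equal the stored value.
        if self.sequence <= 0 or not hmac.compare_digest(sha1_hex(received), self.hash):
            return False
        self.hash, self.sequence = received, self.sequence - 1  # step down the chain
        return True

def demo() -> dict:
    sid, pw, token = "3C7A1B20", "s3cret", "a1b2c3"  # constructed sample values
    md5_stored = hashlib.md5(pw.encode("utf-8")).hexdigest()  # the modified user.xml
    sent = client_digest(sid, pw)
    record = ZkRecord(zk_hash(pw, token, 100), token, 100)  # set at registration
    proof = zk_hash(pw, token, record.sequence - 1)
    return {
        "digest_plain_store": server_accepts_digest(sid, pw, sent),
        "digest_md5_store": server_accepts_digest(sid, md5_stored, sent),
        "zk_first_login": record.verify(proof),
        "zk_replay": record.verify(proof),
        "zk_sequence": record.sequence,
    }

if __name__ == "__main__":
    print(demo())
```

The digest check succeeds only when the stored value is the same plaintext the client hashed, while the 0k record verifies a login, rejects a replay of the same value, and never holds the password.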