[JDEV] Jabber and user database
Steven Brown
swbrown at ucsd.edu
Thu Nov 7 18:14:21 CST 2002
> -----Original Message-----
> From: jdev-admin at jabber.org [mailto:jdev-admin at jabber.org]On Behalf Of
> Justin Karneges
> Sent: Thursday, November 07, 2002 3:00 PM
> To: jdev at jabber.org
> Subject: Re: [JDEV] Jabber and user database
>
>
> On Thursday 07 November 2002 02:21 pm, Steven Brown wrote:
> > The only client that seems to have a hard time
> > with forced plaintext is PSI, where you need to specifically say to use
> > plaintext (bug or security feature?).
>
> Checking a box is not a "hard time", is it? :)
>
> I think this is how most clients are actually. It is common practice to
> default to digest-auth, but with the option to revert to plaintext. This is
> definitely a security feature.
The problem isn't that it's a security feature, it's that the error message
PSI gives, "Details: Unauthorized", doesn't suggest to the user that the
reason they failed to login was due to not having checked plaintext. It
would be nice if it said something like, "This server requires the
'plaintext authentication' option to login". From what I understand of the
Jabber protocol (the reason I know this is from reading the server code; I
haven't come across it documented very well anywhere), PSI isn't doing the
authentication step correctly, which leads it to try and use an
authentication method the server doesn't support and get a confusing error
message about being unauthorized back from the server rather than being able
to tell the user that digest wasn't supported.
The way authentication seems to be supposed to work is that the client sends
a jabber:iq:auth get after connecting with the user's username to see what
authentication modes the server supports for that user. The server responds
with an iq result that contains "<password/>" if it can do plaintext,
"<digest/>" if it can do digest, some funky sequence/token stuff if it can
do 0k, etc. The client then decides which authentication method it wants
to use, and sends a jabber:iq:auth set using that method.
PSI doesn't send an auth get to check what the server supports and instead
immediately tries to do digest authentication after connecting, which is why
it's getting that user-confusing "Unauthorized" back from the server on my
server that doesn't support digest. It should be doing the auth get,
noticing that it can't do digest, and telling the user they need to allow
plaintext authentication to login.
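The get/result/set exchange described above, as an added example that is not code from the post or from PSI: it builds the jabber:iq:auth get, parses a constructed server result for the advertised methods, prefers digest (hex SHA-1 of the stream ID concatenated with the password) and, when the server only offers plaintext and the user has not opted in, fails with the explicit message the post asks for instead of a bare "Unauthorized". The stream ID parameter is assumed to come from the server's opening stream element.

```python
import hashlib
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "jabber:iq:auth"

# Constructed sample replies modelled on the exchange in the post:
# one server that advertises digest, one that only does plaintext.
DIGEST_SERVER = ("<iq type='result' id='auth1'><query xmlns='jabber:iq:auth'>"
                 "<username/><password/><digest/><resource/></query></iq>")
PLAINTEXT_ONLY_SERVER = ("<iq type='result' id='auth1'><query xmlns='jabber:iq:auth'>"
                         "<username/><password/><resource/></query></iq>")

def auth_get(username, stanza_id="auth1"):
    """Step 1: ask which auth methods the server supports for this user."""
    return (f"<iq type='get' id='{stanza_id}'><query xmlns='{NS}'>"
            f"<username>{escape(username)}</username></query></iq>")

def supported_methods(iq_result):
    """Step 2: parse the server's result into the set of elements it advertised."""
    root = ET.fromstring(iq_result)
    query = root.find(f"{{{NS}}}query")
    if root.get("type") != "result" or query is None:
        raise ValueError("not a jabber:iq:auth result")
    return {child.tag.rpartition("}")[2] for child in query}

def digest_for(stream_id, password):
    """Legacy digest: lowercase hex SHA-1 of the stream ID concatenated with the password."""
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest()

def choose_method(methods, allow_plaintext=False):
    """Prefer digest; use plaintext only if the user opted in, otherwise say why login fails."""
    if "digest" in methods:
        return "digest", None
    if "password" in methods:
        if allow_plaintext:
            return "password", None
        return None, "This server requires the 'plaintext authentication' option to login"
    return None, "Server offers no supported jabber:iq:auth method"

def auth_set(username, password, resource, stream_id, iq_result, allow_plaintext=False):
    """Step 3: build the iq set for the chosen method, or raise with a clear reason."""
    method, reason = choose_method(supported_methods(iq_result), allow_plaintext)
    if method is None:
        raise PermissionError(reason)
    if method == "digest":
        credential = f"<digest>{digest_for(stream_id, password)}</digest>"
    else:
        credential = f"<password>{escape(password)}</password>"
    return (f"<iq type='set' id='auth2'><query xmlns='{NS}'>"
            f"<username>{escape(username)}</username>{credential}"
            f"<resource>{escape(resource)}</resource></query></iq>")
```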