[JDEV] hashing of passwords in xml file

Daniel Chote daniel at chote.net
Sat May 10 21:02:33 CDT 2003


The reason why this wouldn't work is that the password and the sessionid 
are put together and then hashed. The hash is something that is 
different for every new connection.

b h wrote:

>Hi,
>
>I'm not an advanced developer, or an xml expert, so
>please be patient with me.  But I have two
>questions...
>
>1. Is there any problem with storing a SHA-1 hash of
>the password as opposed to plaintext in the users.xml
>files?  Since I already have openssl on the system
>(and have configured jabberd to use ssl encryption) I
>think this should be easy to do.  I don't think this
>should be a problem, although maybe a SHA-1 output
>every now and then would conflict with XML syntax? 
>ie. part of the hash having special characters that
>are reserved in XML?  hmm, XML files are plaintext and
>SHA-1 output is binary... maybe convert it to hex
>first before storing (like the digest)....
>
>2. If there isn't a problem with question 1, could
>someone please point me to the files where I would
>need to modify the source of jabberd in order to
>implement this?
>
>I still have reservations having plaintext user
>passwords on the filesystem.  Even though I comment
>out the <mod_auth_plain>./jsm/jsm.so</mod_auth_plain>
>option, and use SSL for encryption, I would feel more
>comfortable if putting a server on the DMZ with a
>little more protection.  And from my understanding,
>with 1.4.2 there is currently a need of keeping the
>plaintext passwords available in the user.xml file.
>
>any advice or comments much appreciated.
>
>b
>

-- 
Daniel Chote
Developer/Designer and typical drunk!
email/jabber: daniel at chote.net
blog:http://daniel.chote.com
website:http://www.chote.com
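
The point made in the reply, as an added example that is not part of the original thread or of jabberd's code: with digest authentication the client sends SHA-1 over the stream (session) ID and the password, so a server that stores only SHA-1(password) cannot recompute the value it has to compare against. The concatenation order (stream ID first, then password, hex output) follows the jabber:iq:auth digest convention; the function names, password and stream IDs are constructed for illustration.

```python
import hashlib
import hmac


def sha1_hex(text: str) -> str:
    """Lowercase hex SHA-1 of a UTF-8 string."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def client_digest(stream_id: str, password: str) -> str:
    """What the client sends: hash of stream ID and password put together."""
    return sha1_hex(stream_id + password)


def verify_with_plaintext(stored_password: str, stream_id: str, received: str) -> bool:
    """Server holds the plaintext, so it can rebuild the per-connection digest."""
    expected = sha1_hex(stream_id + stored_password)
    return hmac.compare_digest(expected, received)


def verify_with_stored_hash(stored_hash: str, stream_id: str, received: str) -> bool:
    """Server holds only SHA-1(password): every value it can derive starts
    from the hash, never from the password, so none matches the digest."""
    candidates = (stored_hash, sha1_hex(stream_id + stored_hash))
    return any(hmac.compare_digest(c, received) for c in candidates)


def demo() -> dict:
    password = "example-password"           # constructed sample value
    sid_a, sid_b = "3EE948B0", "7F21C9D4"   # constructed stream IDs, one per connection
    digest_a = client_digest(sid_a, password)
    digest_b = client_digest(sid_b, password)
    return {
        # Same password, different connection: different digest on the wire.
        "digests_differ": digest_a != digest_b,
        "plaintext_store_ok": verify_with_plaintext(password, sid_a, digest_a),
        # A digest captured on one connection fails on the next one.
        "old_digest_rejected": not verify_with_plaintext(password, sid_b, digest_a),
        # Storing only the hash breaks digest login for the legitimate user.
        "hash_store_ok": verify_with_stored_hash(sha1_hex(password), sid_a, digest_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
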
