[JDEV] hashing of passwords in xml file
maqi at jabberstudio.org
Sun May 11 04:57:18 CDT 2003
On Sat, 10 May 2003, b h wrote:
> 1. Is there any problem with storing a SHA-1 hash of
> the password as opposed to plaintext in the users.xml
> files?
This would make digest auth impossible.
As an overview:
- digest auth (= secure authentication over non-encrypted connection)
needs password stored in plain text on the server
- plain text auth could work with hashed passwords on the server (which
currently is not implemented, it also uses plain text passwords on the
server)
- 0k auth provides secure authentication and hashed password storage but
has some other security problems (see standards-jig mailing list archive)
> I still have reservations having plaintext user
> passwords on the filesystem. Even though I comment
> out the <mod_auth_plain>./jsm/jsm.so</mod_auth_plain>
> option
That's currently not a good idea as only mod_auth_plain handles password
change requests. mod_auth_digest should also handle them but does not,
meaning you break password changes if you comment out mod_auth_plain. I
submitted a jabberd patch that fixes that and an update for the admin
guide but both did not make it online yet.
Regards
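The trade-off described in this reply, as an added illustration (not jabberd's code and not part of the original post): a server-side sketch of JEP-0078 iq:auth verification, where the digest is SHA-1 of the stream ID concatenated with the password, so the server can only check it if it still holds the plaintext, whereas plain auth verifies fine against a stored SHA-1 hash. The dict entries and the stream ID are constructed sample data.

```python
import hashlib
import secrets

# Server-side view of Jabber iq:auth (JEP-0078) verification.
# The dict entries stand in for users.xml records (constructed, not jabberd's format).


def sha1_hex(data: str) -> str:
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


def client_digest(stream_id: str, password: str) -> str:
    """Client side of digest auth: SHA-1 hex of stream ID + password."""
    return sha1_hex(stream_id + password)


def verify_plain(stored: dict, presented_password: str) -> bool:
    """Plain auth works whether the server keeps the password itself or only its
    SHA-1 hash: the server just hashes what the client sent and compares."""
    if stored["kind"] == "plaintext":
        expected = stored["value"]
    else:  # stored["kind"] == "sha1"
        expected = sha1_hex(presented_password) if False else None
        expected = stored["value"]
        presented_password = sha1_hex(presented_password)
    return secrets.compare_digest(expected.encode(), presented_password.encode())


def verify_digest(stored: dict, stream_id: str, presented_digest: str) -> bool:
    """Digest auth: the server must recompute SHA1(stream_id + password) itself,
    which is only possible when the stored value is the plaintext password."""
    if stored["kind"] != "plaintext":
        raise ValueError("digest auth cannot be verified from a hashed password")
    expected = client_digest(stream_id, stored["value"])
    return secrets.compare_digest(expected.encode(), presented_digest.encode())


if __name__ == "__main__":
    plain_store = {"kind": "plaintext", "value": "s3cret"}   # constructed sample
    hashed_store = {"kind": "sha1", "value": sha1_hex("s3cret")}
    sid = "1234567890"                                       # constructed stream ID
    print("plain auth vs hashed store:", verify_plain(hashed_store, "s3cret"))
    print("digest auth vs plaintext store:",
          verify_digest(plain_store, sid, client_digest(sid, "s3cret")))
    try:
        verify_digest(hashed_store, sid, client_digest(sid, "s3cret"))
    except ValueError as err:
        print("digest auth vs hashed store:", err)
```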