[JDEV] Account information storage, plaintext?
Robert Norris
rob at cataclysm.cx
Tue Sep 16 17:53:23 CDT 2003
> > Both Jabber's digest auth mechanism and SASL's DIGEST-MD5 (the best
> > auth mechanisms we have to date) require both the client and the
> > server to have access to the plaintext password. That's enough reason
> > for me.
>
> Isn't it true that not all SASL mechanisms require plaintext
> passwords? This should mean that a capable and properly configured
> server would not need them.
Actually, it seems that even DIGEST-MD5 might not require a plaintext
password. See another post I made to this thread about this.
> Maybe the issue comes down to jabber:iq:register being incompatible
> with any SASL mechanism that does not use plaintext passwords. If we
> nix iq:register, does the problem go away? Maybe then the admin has
> to make a choice between supporting anonymous registrations vs having
> a more-secure system.
Personally, I hate iq:register, and would love it to die. At the very
least, the interactions between it and SASL would be great to know. The
SASL way to do in-band registration is usually via a password transition
- do a PLAIN auth, which gets stored. Then, next time, you do DIGEST-MD5
or whatever - you don't even get offered PLAIN.
But I'd really like to just do away with in-band registration
altogether.
--
Robert Norris GPG: 1024D/FC18E6C2
Email+Jabber: rob at cataclysm.cx Web: http://cataclysm.cx/
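The two points above, that DIGEST-MD5 can be verified from a stored MD5(user:realm:password) value rather than the password itself, and the PLAIN-then-DIGEST password transition, worked through as an added example that is not code from this thread or from any Jabber server. The realm, user name and password are constructed sample values.

```python
import hashlib
import hmac
import os

REALM = "cataclysm.cx"  # constructed sample realm, not taken from the thread

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def ha1_verifier(user: str, realm: str, password: str) -> bytes:
    """The only secret the server keeps: MD5(user:realm:password), not the password."""
    return md5(f"{user}:{realm}:{password}".encode())

def digest_md5_response(ha1: bytes, nonce: str, cnonce: str, nc: str,
                        qop: str, digest_uri: str) -> str:
    """RFC 2831 response-value; both sides compute it from HA1 alone."""
    a1 = ha1 + f":{nonce}:{cnonce}".encode()          # raw 16-byte HA1, per the RFC
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd = f"{md5(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{md5(a2).hex()}"
    return md5(kd.encode()).hex()

class Server:
    def __init__(self) -> None:
        self.verifiers: dict[str, bytes] = {}  # user -> HA1; no plaintext retained
        self.nonces: set[str] = set()          # outstanding challenges

    def mechanisms(self, user: str) -> list[str]:
        # Password transition: PLAIN is offered only until a verifier exists.
        return ["DIGEST-MD5"] if user in self.verifiers else ["PLAIN"]

    def auth_plain(self, user: str, password: str) -> bool:
        # One-time PLAIN login: derive HA1, store it, drop the password.
        self.verifiers[user] = ha1_verifier(user, REALM, password)
        return True

    def challenge(self) -> str:
        nonce = os.urandom(16).hex()
        self.nonces.add(nonce)
        return nonce

    def auth_digest(self, user: str, nonce: str, cnonce: str, nc: str,
                    qop: str, digest_uri: str, response: str) -> bool:
        ha1 = self.verifiers.get(user)
        if ha1 is None or nonce not in self.nonces:
            return False
        expected = digest_md5_response(ha1, nonce, cnonce, nc, qop, digest_uri)
        if not hmac.compare_digest(expected, response):
            return False
        self.nonces.discard(nonce)  # each challenge is single-use
        return True
```

The stored HA1 is still a password-equivalent for that realm, so a leaked verifier table needs the same protection as a password file; it only avoids keeping the password in the clear.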