[JDEV] Account information storage, plaintext?

Robert Norris rob at cataclysm.cx
Tue Sep 16 17:53:23 CDT 2003


> > Both Jabber's digest auth mechanism and SASL's DIGEST-MD5 (the best
> > auth mechanisms we have to date) require both the client and the
> > server to have access to the plaintext password. That's enough reason
> > for me.
> 
> Isn't it true that not all SASL mechanisms require plaintext
> passwords?  This should mean that a capable and properly configured
> server would not need them.

Actually, it seems that even DIGEST-MD5 might not require a plaintext
password. See another post I made to this thread about this.

> Maybe the issue comes down to jabber:iq:register being incompatible
> with any SASL mechanism that does not use plaintext passwords.  If we
> nix iq:register, does the problem go away?  Maybe then the admin has
> to make a choice between supporting anonymous registrations vs having
> a more-secure system.

Personally, I hate iq:register, and would love it to die. At the very
least, the interactions between it and SASL would be great to know. The
SASL way to do in-band registration is usually via a password transition
- do a PLAIN auth, which gets stored. Then, next time, you do DIGEST-MD5
or whatever - you don't even get offered PLAIN.

But I'd really like to just do away with in-band registration
altogether.

-- 
Robert Norris                                       GPG: 1024D/FC18E6C2
Email+Jabber: rob at cataclysm.cx                Web: http://cataclysm.cx/
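The point made above, that DIGEST-MD5 need not require a plaintext password on the server, as an added example that is not from the original post or from any Jabber server's code: under RFC 2831 the server only needs the 16-byte MD5(username:realm:password), so in-band registration can hash the password once, keep that value, and still verify later DIGEST-MD5 logins. The realm, nonces, user name and password below are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (RFC 2831-style nonces); not from the post.
REALM = "example.org"
NONCE, CNONCE, NC, QOP = "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001", "auth"
DIGEST_URI = "xmpp/example.org"

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def digest_md5_secret(username: str, realm: str, password: str) -> bytes:
    """RFC 2831 H(username:realm:password): 16 raw bytes, the only
    password-derived value the server has to hold."""
    return md5(f"{username}:{realm}:{password}".encode())

def digest_md5_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                        qop: str, digest_uri: str) -> str:
    """RFC 2831 response-value (qop=auth, no authzid) from the stored secret."""
    a1 = secret + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd = f"{md5(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{md5(a2).hex()}"
    return md5(kd.encode()).hex()

def client_response(username, realm, password, nonce, cnonce, nc, qop, uri):
    """Client side: it knows the plaintext and derives the secret itself."""
    secret = digest_md5_secret(username, realm, password)
    return digest_md5_response(secret, nonce, cnonce, nc, qop, uri)

class CredentialStore:
    """Server side: in-band registration keeps only the realm-bound secret."""
    def __init__(self, realm: str):
        self.realm = realm
        self._secrets = {}

    def register(self, username: str, password: str) -> None:
        # The plaintext is hashed once here and then discarded.
        self._secrets[username] = digest_md5_secret(username, self.realm, password)

    def verify(self, username, response, nonce, cnonce, nc, qop, uri) -> bool:
        secret = self._secrets.get(username)
        if secret is None:
            return False
        expected = digest_md5_response(secret, nonce, cnonce, nc, qop, uri)
        return hmac.compare_digest(expected, response)
```

The stored secret is still password-equivalent for DIGEST-MD5 within that realm, so the credential store needs the same access controls as a plaintext one; what it buys is that the password itself cannot be read back or reused against other realms.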