[JDEV] jabber:iq:auth password?

Ryan Hart ryanhart at rcn.com
Thu Sep 18 07:35:14 CDT 2003


Never mind, I figured it out. My bad, I didn't notice from the debug output
that the function is entered twice. I emailed Fabien regarding
mod_auth_crypt, and he has fixed the link you mentioned below.

-- Ryan

 -----Original Message-----
From: 	jdev-admin at jabber.org [mailto:jdev-admin at jabber.org]  On Behalf Of
Ryan Hart
Sent:	Monday, September 15, 2003 7:42 PM
To:	jdev at jabber.org
Subject:	RE: [JDEV] jabber:iq:auth password?

Ok, I've commented out all of the auth:0k as well as digest stuff in my
jabber.xml file. As expected, I no longer get xdb requests for
jabber:iq:auth:0k, only jabber:iq:auth. However, it's still unclear to me
where I need to do the password check? As you confirmed, I need to update
the mod_auth_plain.c module source file. I assume I need to update the
mod_auth_plain_jane function? The code snippet below from this function
seems to do the password check. I've added the log_debug statement, but when
I run the jabber server in debug mode, it never seems to get here... which
obviously must mean that m->user->pass is NULL, but what gives? I see the
xdb authorization request at my xdb component. I send a response with the
password. Any ideas? Thanks, Ryan.

    /* if there is a password avail, always handle */
    if(m->user->pass != NULL)
    {
        log_debug("mod_auth_plain","CHECKING PASSWORD");
        if(strcmp(pass, m->user->pass) != 0)
            jutil_error(m->packet->x, TERROR_AUTH);
        else
            jutil_iqresult(m->packet->x);
        return M_HANDLED;
    }


-----Original Message-----
From: 	jdev-admin at jabber.org [mailto:jdev-admin at jabber.org]  On Behalf Of
maqi at jabberstudio.org
Sent:	Friday, September 12, 2003 5:09 PM
To:	jdev at jabber.org
Subject:	Re: [JDEV] jabber:iq:auth password?

On Fri, 12 Sep 2003, Ryan L. Hart wrote:

> I've created a JECL xdb component using an existing Sybase
> backend to replace the Jabber 1.4.2 xdb_file module.
[...]
> I think the authorization is really being handled by the
> jabber:iq:auth:0k response instead?

No, 0k is a special authorization scheme. To make it short, just disable
it in jabber.xml and forget it. It's a nice idea but has security issues.
auth_plain and auth_digest both use the plain-text password entries from
the user's data.

> My assumption was that I would just need to modify some jsm
> auth module to crypt the clear text password passed by the
> client to see if it matches the crypted password returned by
> my xdb component for jabber:iq:auth. Is this true? If so,
> what module (mod_auth_plain, etc.)?

mod_auth_plain, yes. In fact, there has been a mod_auth_crypt available
(see http://mailman.jabber.org/pipermail/jdev/2001-August/007934.html)
which implemented part of the functionality you seem to want but
unfortunately its website seems to be gone.

Regards
_______________________________________________
jdev mailing list
jdev at jabber.org
http://mailman.jabber.org/listinfo/jdev
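
The check discussed in this thread (hash the client's cleartext password and compare it with the crypted value the xdb component returns), as an added example that is not part of the original messages or of jabberd's source. `check_crypted_password`, `crypt_fn`, `ct_streq` and `demo_crypt` are hypothetical names; `demo_crypt` is a constructed stand-in with the signature of crypt(3) so the block runs without libcrypt, and a real build is assumed to pass `crypt` instead.

```c
#include <stdio.h>
#include <string.h>
/* Same signature as crypt(3): returns a hash that embeds its salt, or NULL. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* String equality that does not stop at the first differing byte. */
static int ct_streq(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* 1 = accept, 0 = reject; rejects when xdb returned nothing or hashing fails. */
int check_crypted_password(const char *cleartext, const char *stored, crypt_fn hash)
{
    char *computed;
    if (cleartext == NULL || stored == NULL || stored[0] == '\0')
        return 0;
    computed = hash(cleartext, stored); /* stored hash doubles as the salt */
    return computed != NULL && ct_streq(computed, stored);
}

/* CONSTRUCTED stand-in for crypt(3), NOT a real password hash:
 * two salt characters followed by a 32-bit FNV-1a digest in hex. */
char *demo_crypt(const char *key, const char *salt)
{
    static char out[11];
    unsigned long h = 2166136261UL;
    if (strlen(salt) < 2) return NULL;
    h = ((h ^ (unsigned char)salt[0]) * 16777619UL) & 0xffffffffUL;
    h = ((h ^ (unsigned char)salt[1]) * 16777619UL) & 0xffffffffUL;
    for (const char *p = key; *p != '\0'; p++)
        h = ((h ^ (unsigned char)*p) * 16777619UL) & 0xffffffffUL;
    snprintf(out, sizeof out, "%c%c%08lx", salt[0], salt[1], h);
    return out;
}

int main(void)
{
    char stored[11];
    strcpy(stored, demo_crypt("secret", "ab")); /* constructed xdb value */
    printf("%d %d\n", check_crypted_password("secret", stored, demo_crypt),
           check_crypted_password("guess", stored, demo_crypt));
    return 0;
}
```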
