[jadmin] jabberd14 'crypt' password storage in postgressql
Matthias Wimmer
m at tthias.eu
Sun Jun 3 17:26:05 CDT 2007
Hi Thomas!
Thomas Merkel wrote:
> I'm using jabberd14 (version 1.6.0) since yesterday. But I don't find
> any way to store the passwords (in postgres) as MD5 hash or SHA-1 or
> otherwise crypted. Is there any way to change it, or is there any patch
> available for jabberd14?
You do not need a patch, all you need is already in the distribution
package. You only have to define a handler for the jabber:iq:auth:crypt
namespace in your configuration file.
The definition looks the same as for the jabber:iq:auth handler, except
for the changed namespace, and that the element "password" is renamed to
"crypt".
But be aware that this setup is deprecated and I strongly recommend not
using it. You will get into big problems upgrading to some future
version of jabberd14, where authentication (and credentials storage)
will be completely done by the used SASL library (Cyrus SASL).
> I think it can be a big security risk to store passwords in plaintext in
> the database.
I do not agree with you. The security risk is people that base their
security provisions on hashing the passwords.
Matthias
--
Matthias Wimmer Fon +49-700 77 00 77 70
Züricher Str. 243 Fax +49-89 95 89 91 56
81476 München http://ma.tthias.eu/