[JDEV] jabber:iq:auth password?

Ryan Hart ryanhart at rcn.com
Thu Sep 18 07:35:14 CDT 2003

Never mind, I figured it out. My bad, I didn't notice from the debug output
that the function is entered twice. I emailed Fabien regarding
mod_auth_crypt, and he has fixed the link you mentioned below.

-- Ryan

-----Original Message-----
From: 	jdev-admin at jabber.org [mailto:jdev-admin at jabber.org]  On Behalf Of
Ryan Hart
Sent:	Monday, September 15, 2003 7:42 PM
To:	jdev at jabber.org
Subject:	RE: [JDEV] jabber:iq:auth password?

Ok, I've commented out all of the auth:0k as well as digest stuff in my
jabber.xml file. As expected, I no longer get xdb requests for
jabber:iq:auth:0k, only jabber:iq:auth. However, it's still unclear to me
where I need to do the password check? As you confirmed, I need to update
the mod_auth_plain.c module source file. I assume I need to update the
mod_auth_plain_jane function? The code snippet below from this function
seems to do the password check. I've added the log_debug statement, but when
I run the jabber server in debug mode, it never seems to get here... which
obviously must mean that m->user->pass is NULL, but what gives? I see the
xdb authorization request at my xdb component. I send a response with the
password. Any ideas? Thanks, Ryan.

    /* if there is a password avail, always handle */
    if(m->user->pass != NULL)
    {
        log_debug("mod_auth_plain","CHECKING PASSWORD");
        /* compare the client-supplied password with the stored one */
        if(strcmp(pass, m->user->pass) != 0)
            jutil_error(m->packet->x, TERROR_AUTH);
        return M_HANDLED;
    }

-----Original Message-----
From: 	jdev-admin at jabber.org [mailto:jdev-admin at jabber.org]  On Behalf Of
maqi at jabberstudio.org
Sent:	Friday, September 12, 2003 5:09 PM
To:	jdev at jabber.org
Subject:	Re: [JDEV] jabber:iq:auth password?

On Fri, 12 Sep 2003, Ryan L. Hart wrote:

> I've created a JECL xdb component using an existing Sybase
> backend to replace the Jabber 1.4.2 xdb_file module.
> I think the authorization is really being handled by the
> jabber:iq:auth:0k response instead?

No, 0k is a special authorization scheme. To make it short, just disable
it in jabber.xml and forget it. It's a nice idea but has security issues.
auth_plain and auth_digest both use the plain-text password entries from
the user's data.

> My assumption was that I would just need to modify some jsm
> auth module to crypt the clear text password passed by the
> client to see if it matches the crypted password returned by
> my xdb component for jabber:iq:auth. Is this true? If so,
> what module (mod_auth_plain, etc.)?

mod_auth_plain, yes. In fact, there has been a mod_auth_crypt available
(see http://mailman.jabber.org/pipermail/jdev/2001-August/007934.html)
which implemented part of the functionality you seem to want but
unfortunately its website seems to be gone.

jdev mailing list
jdev at jabber.org
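
An added example, not code from jabberd or from mod_auth_crypt: one way to structure the check discussed in this thread, where the cleartext password from the client is hashed with the stored crypted value as the setting and the two results are compared. The names check_crypted, ct_equal, demo_crypt and the auth_result values are hypothetical, and demo_crypt is a constructed stand-in with the crypt(3) signature so the block runs offline.

```c
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3); a real build would pass crypt itself. */
typedef char *(*crypt_fn)(const char *key, const char *setting);
enum auth_result { AUTH_PASS, AUTH_OK, AUTH_FAIL }; /* hypothetical names */

/* Compare without stopping at the first differing byte. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* supplied: cleartext from the client; stored: crypted value from xdb. */
enum auth_result check_crypted(const char *supplied, const char *stored, crypt_fn hash)
{
    const char *computed;
    if (stored == NULL)                  /* no password data: not ours to handle */
        return AUTH_PASS;
    if (supplied == NULL || stored[0] == '\0')
        return AUTH_FAIL;                /* fail closed on missing or empty input */
    computed = hash(supplied, stored);   /* stored value carries the salt */
    if (computed == NULL)                /* crypt(3) can return NULL on error */
        return AUTH_FAIL;
    return ct_equal(computed, stored) ? AUTH_OK : AUTH_FAIL;
}

/* Constructed stand-in so the example runs offline. NOT a real password hash. */
static char *demo_crypt(const char *key, const char *setting)
{
    static char out[16];
    unsigned long h = 5381;
    const char *p;
    if (strlen(setting) < 2) return NULL;
    for (p = setting; p < setting + 2; p++) h = h * 33 + (unsigned char)*p;
    for (p = key; *p; p++) h = h * 33 + (unsigned char)*p;
    snprintf(out, sizeof out, "%c%c%08lx", setting[0], setting[1], h & 0xffffffffUL);
    return out;
}

int main(void)
{
    char stored[16];
    strcpy(stored, demo_crypt("secret", "ab"));   /* constructed sample entry */
    printf("%d\n", check_crypted("secret", stored, demo_crypt));
    return 0;
}
```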
