Ulrich Staudinger us at activestocks.de
Fri Dec 2 09:22:52 CST 2005

On Fri, Dec 02, 2005 at 02:17:56PM +0100, Jesus Cea wrote:
> Ulrich Staudinger wrote:
> I don't know if my vote is valid in this issue, but if that database
> spread the account's passwords, I would be HEAVILY against it.

As already said, no one wants to spread the passwords, the proposed
approach is 

a) direct read-only access for the php app to the authreg tables 
b) a http facade on the jabberd machine which has read access to the
authreg tables and which is only accessible from one other machine
inside the network through http; the http facade has one function, it
verifies jid+pwd combination and returns true or false to indicate if the
pair was valid or not. In fact that approach is even safer than the
jabber server direct where *all* machines on the internet can try a
brute force attack, since that facade would be accessible only from
the web server machine (meaning an attacker would have to break into the
web server at first before he could try to attack the http facade!)
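A minimal sketch of the facade described in approach (b), added here as an illustration and not code from jabberd or from the thread participants. The in-memory table standing in for the authreg tables, the single allowed client address, the POST route and the per-jid failure limit are all constructed assumptions.

```python
"""Added example: jid+password verification facade restricted to one client."""
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Constructed stand-in for the jabberd authreg table: jid -> stored password.
AUTHREG = {"alice@example.net": "correct horse", "bob@example.net": "s3cret"}
ALLOWED_CLIENT = "10.0.0.5"  # assumption: the one web server host allowed in
MAX_FAILURES = 5             # assumption: per-jid limit, the facade is still an oracle
_failures = {}               # jid -> consecutive failed attempts

def verify_credentials(jid, pwd, table=AUTHREG):
    """True only if jid exists and pwd matches; comparison is constant-time."""
    stored = table.get(jid)
    if stored is None:
        hmac.compare_digest(pwd.encode(), pwd.encode())  # same cost for unknown jid
        return False
    return hmac.compare_digest(stored.encode(), pwd.encode())

def handle(client_ip, jid, pwd):
    """Return (status, body) for one request; body is 'true' or 'false' on 200."""
    if client_ip != ALLOWED_CLIENT:
        return 403, "forbidden"          # only the web server may ask
    if _failures.get(jid, 0) >= MAX_FAILURES:
        return 429, "locked"             # too many wrong guesses for this jid
    if verify_credentials(jid, pwd):
        _failures.pop(jid, None)
        return 200, "true"
    _failures[jid] = _failures.get(jid, 0) + 1
    return 200, "false"

class Facade(BaseHTTPRequestHandler):
    def do_POST(self):
        # credentials go in the form body, not the URL, so they stay out of access logs
        length = int(self.headers.get("Content-Length", "0"))
        form = parse_qs(self.rfile.read(length).decode())
        jid = form.get("jid", [""])[0]
        pwd = form.get("pwd", [""])[0]
        status, body = handle(self.client_address[0], jid, pwd)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Facade).serve_forever()
```

The source-address check here stands in for the network restriction the message describes; in a real deployment that restriction belongs in the firewall as well, not only in the application.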


