On Tue, 3 Jul 2012 13:08:31 +0200 Valentin Lorentz <[email protected]> wrote:
> Package: ejabberd
> Version: 2.1.10-2
> Severity: normal
> Tags: upstream

Did you create an issue in the upstream bug tracker? Can you please provide a link to it then?

> All users' passwords are stored in /var/lib/ejabberd/passwd.DCD as
> plain text, while they should be hashed.

There's an entry [1] in the FAQ on the ejabberd community site which deals with this issue. What I gather from the discussions linked to in that entry is that if we store password hashes instead of plain-text passwords, we won't be able to use SASL mechanisms which do not send passwords over the wire (by requiring both sides to know the password).

I'm not a security expert and cannot make an educated resolution on this issue by myself. Hence I think that if you feel like the discussions linked to in that FAQ entry are unconvincing for you, please consider opening a discussion with upstream and convincing them they should somehow implement what you need. Otherwise I feel like closing this bug as wontfix.

1. http://www.ejabberd.im/plaintext-passwords-db
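The trade-off the maintainer describes (a one-way hash in the database versus a challenge-response SASL mechanism) is illustrated by the following added example, which is not code from this bug thread or from ejabberd: a SCRAM-style verifier in the shape of RFC 5802 lets the server store only a salted, iterated derivative of the password and still authenticate a client that never sends the password itself. The user name, nonces and transcript in the test are constructed for the example.

```python
# Added example (not from the bug thread or ejabberd): SCRAM-style
# (RFC 5802) challenge-response verification from a stored verifier.
# The server never holds the plaintext password and the client never
# sends it; only a proof bound to this exchange's transcript crosses the wire.
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class StoredCredential:
    """What the server keeps per user instead of the plaintext password."""
    salt: bytes
    iterations: int
    stored_key: bytes   # H(ClientKey)
    server_key: bytes   # HMAC(SaltedPassword, "Server Key")


def _salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)


def enroll(password: str, iterations: int = 4096, salt: bytes = b"") -> StoredCredential:
    """Registration time: derive the verifier, then discard the password."""
    salt = salt or os.urandom(16)
    sp = _salted_password(password, salt, iterations)
    client_key = hmac.new(sp, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(sp, b"Server Key", hashlib.sha1).digest()
    return StoredCredential(salt, iterations, hashlib.sha1(client_key).digest(), server_key)


def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """Client side: salt/iterations come from the server's first message;
    the proof is ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    sp = _salted_password(password, salt, iterations)
    client_key = hmac.new(sp, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(client_key, signature))


def server_verify(cred: StoredCredential, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    A bare one-way hash such as sha256(password) could not perform this step."""
    signature = hmac.new(cred.stored_key, auth_message, hashlib.sha1).digest()
    recovered_client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha1(recovered_client_key).digest(), cred.stored_key)
```

Because the proof is keyed to the transcript (both nonces are part of `auth_message`), a captured proof does not verify against a later exchange.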

