Josh wrote:
> Hello,

Hello Josh,

> Is there a way to store c2s passwords in the database as MD5 hashes?  More 
> to the point, is it easy to use an existing database full of usernames and 
> MD5-hashed passwords?
> 
> The code I see does something else: it grabs the password from the 
> database and determines if the password supplied by the client is equal to 
> it, by doing a strcmp.  Is there a reason the code does this, rather than:
> 
> SELECT username FROM auth_db WHERE username = 'josh' and realm = 
> 'home.com' and (password = 'securepass' OR password = md5('securepass'))
> 
> If I disable plain authentication does the client always send an MD5 
> password?

Sure, there is a way to store passwords in an encrypted format, but you
will have to do a small hack on the code to get this working (if you
depend on the authreg_mysql-module) _and_ it will be necessary for all
clients to do plaintext-authentication because there is no
authentication-mechanism that uses "plain" md5- or sha1-hashed
passwords, they all do a kind of challenged authentication by prefixing
the password with a random value before hashing. So the server needs to
know the plain password to do such type of authentication.

You will have to choose between submitting plain passwords over the
internet (maybe SSL-encrypted) or storing passwords in plaintext.

Just think of the authreg_pam-module which interfaces PAM and all its
possible backends - in most cases PAM stores its passwords encrypted,
but only provides an interface for plaintext passwords.

If you want to do the hack on your own, you may have a look at the
difference between authreg_t->get_password (authreg_mysql) and
authreg_t->check_password (authreg_pam). Whenever only the latter one is
set, authreg will only provide plaintext-authentication for you and
doing such an md5-hack should be very easy.


Regards,

  Bernd

-- 
    \\\||///
  \\  - -  //
   (  @ @  )
-oOo--( )--oOo-------------------------------------------------------
 Firma Bernd Holzmüller                          www.tiggersWelt.net
                                                [EMAIL PROTECTED]
 Mönchstrasse 25                            Büro: 07 11 / 550 425-90
 70191 Stuttgart                             Fax: 07 11 / 550 425-99
_______________________________________________
Jabberd2 mailing list
[email protected]
http://lists.xiaoka.com/listinfo.cgi/jabberd2-xiaoka.com
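
The trade-off described in the reply above, as an added example that is not part of the original message or of jabberd2's code: a server holding only md5(password) can check a plaintext login but cannot recompute a challenged digest. The SHA-1 digest over "random value + password" follows the reply's description; the account data and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

USER = "josh@home.com"  # constructed sample account
PLAIN_DB = {USER: "securepass"}                          # plaintext column
MD5_DB = {USER: hashlib.md5(b"securepass").hexdigest()}  # unsalted MD5 column


def client_digest(challenge: str, password: str) -> str:
    """Client side of a challenged login: hash(random value + password)."""
    return hashlib.sha1((challenge + password).encode()).hexdigest()


def check_password(user: str, supplied: str) -> bool:
    """Plaintext login against the MD5 column: hash what was sent, compare."""
    stored = MD5_DB.get(user)
    if stored is None:
        return False
    candidate = hashlib.md5(supplied.encode()).hexdigest()
    return hmac.compare_digest(candidate, stored)  # constant-time compare


def verify_digest(secret_db: dict, user: str, challenge: str, digest: str) -> bool:
    """Challenged login: recompute the digest from whatever the server stores."""
    secret = secret_db.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(client_digest(challenge, secret), digest)


def demo() -> dict:
    challenge = secrets.token_hex(16)  # fresh random value per login attempt
    digest = client_digest(challenge, "securepass")
    return {
        "plain_login_md5_db": check_password(USER, "securepass"),
        "wrong_password_md5_db": check_password(USER, "guess"),
        "digest_login_plain_db": verify_digest(PLAIN_DB, USER, challenge, digest),
        # The server only has md5(password), so its recomputed digest differs.
        "digest_login_md5_db": verify_digest(MD5_DB, USER, challenge, digest),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Unsalted MD5 appears here only because the existing database in the thread uses it; for new tables a salted password-hashing function such as bcrypt, scrypt or Argon2 is the usual choice.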
