> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:jdev-admin@;jabber.org]On Behalf Of
> Justin Karneges
> Sent: Thursday, November 07, 2002 3:00 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [JDEV] Jabber and user database
>
>
> On Thursday 07 November 2002 02:21 pm, Steven Brown wrote:
> > The only client that seems to have a hard time
> > with forced plaintext is PSI, where you need to specifically say to use
> > plaintext (bug or security feature?).
>
> Checking a box is not a "hard time", is it? :)
>
> I think this is how most clients are actually. It is common practice to
> default to digest-auth, but with the option to revert to plaintext. This is
> definitely a security feature.
The problem isn't that it's a security feature, it's that the error message PSI gives, "Details: Unauthorized", doesn't suggest to the user that the reason they failed to login was due to not having checked plaintext. It would be nice if it said something like, "This server requires the 'plaintext authentication' option to login".

From what I understand of the Jabber protocol (the reason I know this is from reading the server code; I haven't come across it documented very well anywhere), PSI isn't doing the authentication step correctly, which leads it to try and use an authentication method the server doesn't support and get a confusing error message about being unauthorized back from the server rather than being able to tell the user that digest wasn't supported.

The way authentication seems to be supposed to work is that the client sends a jabber:iq:auth get after connecting with the user's username to see what authentication modes the server supports for that user. The server responds with an iq result that contains "<password/>" if it can do plaintext, "<digest/>" if it can do digest, some funky sequence/token stuff if it can do 0k, etc. The client then decides which authentication method it wants to use, and sends a jabber:iq:auth set using that method.

PSI doesn't send an auth get to check what the server supports and instead immediately tries to do digest authentication after connecting, which is why it's getting that user-confusing "Unauthorized" back from the server on my server that doesn't support digest. It should be doing the auth get, noticing that it can't do digest, and telling the user they need to allow plaintext authentication to login.
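The jabber:iq:auth get/set exchange described in the message above, as an added example that is not part of the original thread or of any client's code. It assumes the legacy digest is SHA-1 over the stream ID followed by the password (as specified for jabber:iq:auth); the server reply, usernames and stanza ids are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = "jabber:iq:auth"

# Constructed server reply: this server offers plaintext only, no <digest/>.
PLAINTEXT_ONLY_RESULT = (
    '<iq type="result" id="auth1"><query xmlns="jabber:iq:auth">'
    '<username>steven</username><password/><resource/></query></iq>'
)


def auth_get(username):
    """Step 1: ask the server which auth methods it offers for this user."""
    iq = ET.Element("iq", type="get", id="auth1")
    query = ET.SubElement(iq, "query", xmlns=NS)
    ET.SubElement(query, "username").text = username
    return ET.tostring(iq, encoding="unicode")


def supported_methods(result_xml):
    """Step 2: read the <password/> / <digest/> markers out of the iq result."""
    query = ET.fromstring(result_xml).find("{%s}query" % NS)
    methods = set()
    if query is not None:
        if query.find("{%s}password" % NS) is not None:
            methods.add("plaintext")
        if query.find("{%s}digest" % NS) is not None:
            methods.add("digest")
    return methods


def choose_method(methods, allow_plaintext):
    """Prefer digest; fall back to plaintext only if the user opted in."""
    if "digest" in methods:
        return "digest"
    if "plaintext" in methods and allow_plaintext:
        return "plaintext"
    # The actionable message the thread asks for, instead of a bare "Unauthorized".
    raise PermissionError("This server requires the 'plaintext authentication' option to login")


def legacy_digest(stream_id, password):
    """SHA-1 hex of stream ID + password (assumed per jabber:iq:auth)."""
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest()


def auth_set(username, password, resource, stream_id, method):
    """Step 3: send the set using the method chosen from the get result."""
    iq = ET.Element("iq", type="set", id="auth2")
    query = ET.SubElement(iq, "query", xmlns=NS)
    ET.SubElement(query, "username").text = username
    if method == "digest":
        ET.SubElement(query, "digest").text = legacy_digest(stream_id, password)
    else:
        ET.SubElement(query, "password").text = password
    ET.SubElement(query, "resource").text = resource
    return ET.tostring(iq, encoding="unicode")
```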
