Log on WITHOUT using plaintext password

Hello!

I've got an ejabberd server running here in my company.

I do the authorization process in a LDAP server.

My script is working fine. Yes, I can connect to the server and get logged in,
but...

My problem is that I can only do this using the option "allow plain text password", which is horrible! I can see everyone's password in plain text in the terminal, in the log window of the ejabberd server.

I'm trying to do this in a more secure way. I'm thinking about the SSL or TLS connection.

Does anyone know how to do that?

Thank you very much folks!

PS.:

My ejabberd.cfg looks like that

% Listened ports:
{listen,
 [{5222, ejabberd_c2s, [{access, c2s}, {shaper, c2s_shaper},
                        starttls, {certfile, "/var/lib/ejabberd/server.pem"}]},
  {5223, ejabberd_c2s, [{access, c2s},
                        ssl, {certfile, "/var/lib/ejabberd/server.pem"}]},

Maybe you are interested in reading these two threads (and maybe others) in the ejabberd mailing list:

thanks

Ok. As I understand, the password is sent over the network in an encrypted way and then, at the server, it is decrypted to plain text. Am I right? If that's the way I think it is done.

Alexey says it is a bug: "i've used it for debugging some time ago and forgot to remove". He also says he will fix it. But you are right it will go encrypted over the internet when users use SSL or SASL.

Workaround if you don't want to see their passwords:
start ejabberd with the "-detached" option.

--
sander
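The distinction sander draws above (the password is protected on the wire by SSL/TLS, but the server still handles it in plain text, and in this thread LDAP authentication only works with a plaintext password) can at least be checked from the client side. The following is an added example, not code from the thread or from ejabberd: it parses the first `<stream:features>` reply a c2s listener such as the 5222 one above would send and reports whether a client could hand over a PLAIN password before STARTTLS is in place. The sample replies are constructed by hand, not captured from a server.

```python
# Added example (not from the thread): classify an XMPP <stream:features>
# reply to see whether a client could send its PLAIN password before TLS.
# Sample replies below are constructed by hand, not captured from a server.
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"


def parse_features(xml_text):
    """Return what the server advertises: STARTTLS, whether it is required, SASL mechanisms."""
    root = ET.fromstring(xml_text)
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    required = starttls is not None and starttls.find(f"{{{NS_TLS}}}required") is not None
    mechanisms = [m.text.strip() for m in root.iter(f"{{{NS_SASL}}}mechanism") if m.text]
    return {"starttls": starttls is not None, "required": required, "mechanisms": mechanisms}


def assess(features_xml):
    """Classify the first <stream:features> a client sees on a fresh (pre-TLS) stream.

    'plain-before-tls' means PLAIN is offered while TLS is still optional, so a
    badly configured client can ship the password in cleartext; 'tls-required'
    means no SASL is reachable until the TLS handshake has happened.
    """
    f = parse_features(features_xml)
    if not f["starttls"]:
        return "no-tls"
    if f["required"]:
        return "tls-required"
    if "PLAIN" in f["mechanisms"]:
        return "plain-before-tls"
    return "tls-optional"


# Constructed sample: STARTTLS offered but optional, PLAIN already on the table.
OPTIONAL_TLS_PLAIN = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism><mechanism>DIGEST-MD5</mechanism>
  </mechanisms>
</stream:features>"""

# Constructed sample: TLS mandatory, so nothing else is offered before the handshake.
REQUIRED_TLS = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>
</stream:features>"""

if __name__ == "__main__":
    for name, xml in (("optional", OPTIONAL_TLS_PLAIN), ("required", REQUIRED_TLS)):
        print(name, assess(xml))
```

Feeding the real features reply of your own server into `assess` tells you whether the listener forces TLS before any password can be sent; it says nothing about what the server does with the password afterwards, which is the logging issue discussed above.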

Thanks and one more question

Hello sander!

Thanks for your comment.

Do you know which line it is, and in what file? Then I could comment it out and recompile!

I guess it is something like a printf("\n(AUTH:%s:%s)",$user,$pass);

Thanks brother.

No, sorry: I don't know that. But you can ask it on the mailinglist or in the chatroom so that Alexey can answer that :-)

--
sander

Is the mailing list working?

I cannot send any message to it. I get it delivered back to me.

You should register first of course (to prevent spam).

--
sander

I have done it already!

:)

So, it works now?

--
sander

No!

That's the problem. I receive the messages but I can't send.

LDAP

Hi.

You said that you do authorization over LDAP!
Could you please send me a *WORKING* configuration file.
Send it to goshgosh@ukrpost.net or post it in this forum.
I experience some problems with LDAP. It must be my mistake in the configuration. But where??? I hope you will help.

Here is some info about my system:

domain - testodrom.loc
domain controller - server2003 (e.g. server2003.testodrom.loc) based on Windows Server 2003
ejabberd (0.7.5) installed on domain controller
Erl5.4.4

By the way... Jive Messenger Server - works perfectly.

ejabberd.cfg listing
====================================
% $Id: ejabberd.cfg,v 1.5 2004/10/10 17:15:24 aleksey Exp $

%override_acls.

% Users that have admin access. Add a line like one of the following after you
% have been successfully registered on the server to get admin access:
{acl, admin, {user, "Administrator"}}.
%{acl, admin, {user, "ermine"}}.

% Blocked users:
%{acl, blocked, {user, "test"}}.

% Local users:
{acl, local, {user_regexp, ""}}.

% Other examples of ACLs:
%{acl, jabberorg, {server, "jabber.org"}}.
%{acl, aleksey, {user, "aleksey", "jabber.ru"}}.
%{acl, test, {user_regexp, "^test"}}.
%{acl, test, {user_glob, "test*"}}.

% Only admins can use the configuration interface:
{access, configure, [{allow, admin}]}.

% Every username can be registered via in-band registration:
{access, register, [{allow, all}]}.

% After successful registration the user will get a message with the following
% subject and body:
{welcome_message,
 {"Welcome!",
  "Welcome to Jabber Service. "}}.
% Replace them with 'none' if you don't want to send such a message:
%{welcome_message, none}.

% List of people who will get notifications about registered users
%{registration_watchers, ["admin1@localhost",
%                         "admin2@localhost"]}.

% Only admins can send announcement messages:
{access, announce, [{allow, admin}]}.

% Only non-blocked users can use c2s connections:
{access, c2s, [{deny, blocked},
               {allow, all}]}.

% Set shaper with name "normal" to limit traffic speed to 1000B/s
{shaper, normal, {maxrate, 1000}}.

% Set shaper with name "fast" to limit traffic speed to 50000B/s
{shaper, fast, {maxrate, 50000}}.

% For all users except admins the "normal" shaper is used
{access, c2s_shaper, [{none, admin},
                      {normal, all}]}.

% For all S2S connections the "fast" shaper is used
{access, s2s_shaper, [{fast, all}]}.

% Admins of this server are also admins of the MUC service:
{access, muc_admin, [{allow, admin}]}.

% All users are allowed to use the MUC service:
{access, muc, [{allow, all}]}.

% This rule allows access only for local users:
{access, local, [{allow, local}]}.

% Authentication method. If you want to use the internal user base, then use
% this line:
%{auth_method, internal}.

% For LDAP authentication use these lines instead of the one above:
{auth_method, ldap}.
{ldap_servers, ["server2003"]}.                 % List of LDAP servers
{ldap_uidattr, "cn"}.                           % LDAP attribute that holds user ID
{ldap_base, "cn=users,dc=testodrom,dc=loc"}.    % Base of LDAP directory

% For authentication via an external script use the following:
%{auth_method, external}.
%{extauth_program, "/path/to/authentication/script"}.

% Host name:
{host, "testodrom.loc"}.

% Default language:
{language, "en"}.

% Listened ports:
{listen,
 [
  {5222, ejabberd_c2s,     [{access, c2s},
                            {shaper, c2s_shaper}]},

  % To create a self-signed certificate run the following command from the
  % command prompt:
  %
  %   openssl req -new -x509 -days 365 -nodes -out ejabberd.pem -keyout ejabberd.pem
  %
  % and answer the questions.
  %{5222, ejabberd_c2s,     [{access, c2s},
  %                          starttls, {certfile, "./ejabberd.pem"},
  %                          {shaper, c2s_shaper}]},

  % When using SSL/TLS the ssl option is not recommended (it requires patching
  % the Erlang ssl application). Use the tls option instead (as shown below).
  %{5223, ejabberd_c2s,     [{access, c2s},
  %                          tls, {certfile, "./ejabberd.pem"},
  %                          {shaper, c2s_shaper}]},

  {5269, ejabberd_s2s_in,  [{shaper, s2s_shaper}]},

  %{5555, ejabberd_service, [{access, all},
  %                          {host, "icq.localhost", [{password, "secret"}]}]},

  {5280, ejabberd_http,    [http_poll, web_admin]}
 ]}.

% If SRV lookup fails, then port 5269 is used to communicate with the remote server
{outgoing_s2s_port, 5269}.

% Used modules:
{modules,
 [
  {mod_register,  [{access, register}]},
  {mod_roster,    []},
  {mod_privacy,   []},
  {mod_configure, []},
  {mod_disco,     []},
  {mod_stats,     []},
  {mod_vcard,     []},
  {mod_offline,   []},
  {mod_announce,  [{access, announce}]},
  {mod_private,   []},
  {mod_irc,       []},
  % Default options for mod_muc:
  %   host: "conference." ++ ?MYNAME
  %   access: all
  %   access_create: all
  %   access_admin: none (only room creator has owner privileges)
  {mod_muc,       [{access, muc},
                   {access_create, muc},
                   {access_admin, muc_admin}]},
  {mod_pubsub,    []},
  {mod_time,      []},
  {mod_last,      []},
  {mod_version,   []}
 ]}.

% Local Variables:
% mode: erlang
% End:
====================================

i use external script authentication

Hello GOSH. I use here a script written in C to authenticate to the LDAP server, together with check_pass.pl.
The LDAP auth from ejabberd didn't work here.
