ejabberd - Comments for "Restricting Client ( sort of user-agent filtering )" https://www.ejabberd.im/node/4859 en thanks for your reply https://www.ejabberd.im/node/4859#comment-57648 <p>thanks for your reply badlop!</p> <p>yes, the openfire 'client control' plugin looked like it would do what we wanted.</p> <p>( and of course once understanding the protocol we realised its not 100% perfect, but would provide enough insulation that would restrict all but the most determined ) </p> <p>its not a pressing issue at the moment, but we will probably need to have some controls in place to restrict client access at some point.</p> <p>the way i'd prefer to go about it would be to somehow hook into a disco#info iq request from server to client to collect its capabilities pretty early in the stream, then to check the client 'name' in the response, closing down the stream if it doesnt have the right caps.</p> <p>i took a look through the openfire plugin and that seemed to be the way it was being done there, and thought that was a reasonable approach.</p> <p>we dont have any erlang experience in house at the moment, so i guess this might be our first foray !</p> <p>thanks for the suggestions too, we'll have a go at your suggested patch too ( actually one of the ops guys here suggested perhaps modifying the login stanza with an additional element containing a token, but we'd rather keep our options open and not mandate non-xmpp compliant interactions )</p> <p>cheers</p> <p>j</p> Tue, 26 Jul 2011 01:20:58 +0000 jasondwyer comment 57648 at https://www.ejabberd.im jasondwyer wrote: all good so https://www.ejabberd.im/node/4859#comment-57641 <div class="quote-msg"> <div class="quote-author"><em>jasondwyer</em> wrote:</div> <p>all good so far, but our client is for public distribution and we would like to ensure that only our custom client is able to connect to the service.</p> <p>has anyone come across a filter or other module which can detect ( through caps i presume ) the connecting client application, and disconnect if it doesnt match?</p> <p>the openfire server has a plugin doing pretty much this, </p></div> <p>Do you refer to this easy-to-bypass filter?<br /> <noindex><a href="http://coccinella.im/bypassing-openfire-client-control" title="http://coccinella.im/bypassing-openfire-client-control" rel="nofollow" >http://coccinella.im/bypassing-openfire-client-control</a></noindex></p> <p>ejabberd doesn't have any filter like that. But I can think of two ideas:</p> <p>1. Quick and dirty: configure ejabberd to listen in non-standard port, instead of 5222.</p> <p>2. More complex and more dirty:<br /> Apply this patch to ejabberd:</p> <pre>diff --git a/src/cyrsasl_digest.erl b/src/cyrsasl_digest.erl index 40e7edf..9f4b226 100644 --- a/src/cyrsasl_digest.erl +++ b/src/cyrsasl_digest.erl @@ -158,10 +158,11 @@ parse4([], Key, Val, Ts) -&gt; %% In that case, ejabberd only checks the service name, not the host. is_digesturi_valid(DigestURICase, JabberHost) -&gt; DigestURI = stringprep:tolower(DigestURICase), + AccessCode = "dummy1dwyer2code3", case catch string:tokens(DigestURI, "/") of - ["xmpp", Host] when Host == JabberHost -&gt; + ["xmpp"++AccessCode, Host] when Host == JabberHost -&gt; true; - ["xmpp", _Host, ServName] when ServName == JabberHost -&gt; + ["xmpp"++AccessCode, _Host, ServName] when ServName == JabberHost -&gt; true; _ -&gt; false </pre><p>Enable the options starttls_required and certfile in the ejabberd c2s listener.<br /> And now the clients will need to use STARTTLS+SASL, and provide a non-standard response. In Tkabber's TclXMPP I had to add this change to login correctly:</p> <pre> diff --git a/xmpp/sasl.tcl b/xmpp/sasl.tcl index 5ee6766..cf84c0d 100644 --- a/xmpp/sasl.tcl +++ b/xmpp/sasl.tcl @@ -204,7 +204,7 @@ proc ::xmpp::sasl::auth {xlib args} { set callback TcllibCallbackComponent } set state(token) \ - [SASL::new -service xmpp \ + [SASL::new -service xmppdummy1dwyer2code3 \ -type client \ -server $state(-server) \ -callback [namespace code [list $callback $token]]] </pre> Sun, 24 Jul 2011 14:20:00 +0000 mfoss comment 57641 at https://www.ejabberd.im