Hi,
The External Authentication Scripts page here: http://www.ejabberd.im/extauth refers to a non-existent developer's guide page for more info (at
I would like to check the certificate supplied by the client during authentication to see if some value in it matches the expected value. Is this something I could do using an External Authentication script? I'm thinking no because the example scripts only take in username and password values. There is actually an XEP around this: XEP-0178 (Client Certificates for SASL EXTERNAL). Is this something that ejabberd might support natively in the future?
Thanks for any help!
evilfred wrote: The External
The External Authentication Scripts page here: http://www.ejabberd.im/extauth refers to a non-existent developer's guide page for more info (at http://svn.process-one.net/ejabberd/trunk/doc/dev.html#htoc9).
Ah, ejabberd was migrated from SVN to Git, and that link got old. I've updated it, check again.
I would like to check the certificate supplied by the client during authentication to see if some value in it matches the expected value. Is this something I could do using an External Authentication script? I'm thinking no because the example scripts only take in username and password values.
As you suspected, ejabberd's extauth is not capable of or intended for that thing. You will see clearly now when you check its documentation.
I have checked the dev doc pages here: http://www.process-one.net/docs/ejabberd/devdoc/trunk/ and they are generated docs which seem next to useless in terms of actual documentation.
Right, those are still almost empty of user-written information.
There is actually an XEP around this: XEP-0178 (Client Certificates for SASL EXTERNAL). Is this something that ejabberd might support natively in the future?
If somebody implements it, then yes :P
I didn't find any patch, not even a feature request for that XEP. So either you implement it, or get somebody onboard to implement it, or wait patiently to see if somebody does.
Ok, thanks
a different approach
Maybe I could put it in a more general way: are there any features in ejabberd I can use to validate that the client is who they say they are?
Not implemented
are there any features in ejabberd I can use to validate that the client is who they say they are?
Nothing like that is implemented.
Openfire implemented this feature two years ago using a simple verification method, but it was demonstrated to be very vulnerable: A Fool's Guide to Bypass Openfire's Client Control