I discovered that passwords were being stored in the clear in postgres and have since moved to 2.1.11 to enable the auth_password_format scram:
{auth_method, internal}.
{auth_password_format, scram}.
This breaks the mod_rest module I'm using for administering users.
I tried checking out the ejabberd-modules code from trunk to build the absolute last version of mod_rest:
git clone git://github.com/last/ejabberd-modules.git
but it is still broken. Is there a way to enable mod_rest, or a patch I could apply, for making the auth_password_format work with scram?
The mod_rest call with an HTTP POST fails with the following response:
Error: invalid_account_data
The only place I find that atom referenced is not in the mod_rest code, nor even in the ejabberd code, but it is present in the ejabberd comments for the /ejabberd-2.1.11/src/ejabberd_commands.erl code. It looks like the commands module is not making use of the cryptography change.
Is this a configuration element or can I enable it?
Discovered that the problem is that ejabberd authentication for command execution is different than the authentication for users. From ejabberd_commands.erl:
check_access(all, _) ->
    true;
check_access(Access, Auth) ->
    {ok, User, Server} = check_auth(Auth),
    %% Check this user has access permission
    case acl:match_rule(Server, Access, jlib:make_jid(User, Server, "")) of
        allow -> true;
        deny -> false
    end.
The fix is to fix the commands module to use the cyrsasl behavior. Has anyone done this before?
Missed the big ticket item out of ejabberd_commands.erl:
check_auth({User, Server, Password}) ->
    %% Check the account exists and password is valid
    AccountPass = ejabberd_auth:get_password_s(User, Server),
    AccountPassMD5 = get_md5(AccountPass),
    case Password of
        AccountPass -> {ok, User, Server};
        AccountPassMD5 -> {ok, User, Server};
        _ -> throw({error, invalid_account_data})
    end.

get_md5(AccountPass) ->
    lists:flatten([io_lib:format("~.16B", [X])
                   || X <- binary_to_list(crypto:md5(AccountPass))]).
This also means that if I'm able to sneak a peek at the database, I could still authenticate as admin for user credentials because it allows for plain text matching in the commands module.
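As an added example (not ejabberd's own code and not the upstream fix), here is how the command authentication can delegate verification to the auth backend instead of reading and comparing the stored secret; it assumes ejabberd_auth:check_password/3 as exported by ejabberd 2.1.x, and keeps the page's check_access/2 unchanged around it.

```erlang
%% Added example: check_auth/1 that lets the auth backend verify the
%% password rather than comparing against the stored value.
%% Assumes ejabberd_auth:check_password/3 (ejabberd 2.1.x); not the
%% upstream patch itself.
-module(commands_auth_example).
-export([check_access/2]).

check_access(all, _) ->
    true;
check_access(Access, Auth) ->
    {ok, User, Server} = check_auth(Auth),
    %% Only a verified user is matched against the ACL
    case acl:match_rule(Server, Access, jlib:make_jid(User, Server, "")) of
        allow -> true;
        deny -> false
    end.

check_auth({User, Server, Password}) ->
    %% The backend checks the password in whatever format it is stored
    %% (plain or scram), so the stored value is never read here and a
    %% copy of the database is not by itself a usable credential.
    case ejabberd_auth:check_password(User, Server, Password) of
        true -> {ok, User, Server};
        false -> throw({error, invalid_account_data})
    end.
```

This drops the MD5 alternative of the original clause, so a client that sent the MD5 digest of the password would have to send the password itself.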
It has been fixed in ejabberd 2.1.x branch recently.