Thread: jabberd14 'crypt' password storage in postgressql

jabberd14 'crypt' password storage in postgressql
2007-06-02 04:06:31
Hi there,

I'm using jabberd14 (version 1.6.0) since yesterday. But I don't find any way to store the passwords (in postgres) as MD5 hash or SHA-1 or otherwise crypted. Is there any way to change it, or is there any patch available for jabberd14?
I think it can be a big security risk to store passwords in plaintext in the database.

Thanks,
Thomas 'DrScream' Merkel


_______________________________________________
JAdmin mailing list
JAdminjabber.org
http://mail.jabber.org/mailman/listinfo/jadmin
FAQ: http://www.jabber.org/about/jadminfaq.shtml
_______________________________________________

Re: jabberd14 'crypt' password storage in postgressql
2007-06-02 04:13:06
Thomas Merkel wrote:
> Hi there,
>
> I'm using jabberd14 (version 1.6.0) since yesterday. But I don't find
> any way to store the passwords (in postgres) as MD5 hash or SHA-1 or
> otherwise crypted. Is there any way to change it, or is there any patch
> available for jabberd14?

I know this is possible in ejabberd using an external authentication script, but this way forces you to use plain text authentication, and TLS must be used for secure auth.

Re: jabberd14 'crypt' password storage in postgressql
2007-06-02 10:42:57
Thomas Merkel <drscreamcyber-tec.org> writes:

> I think it can be a big security risk to store passwords in plaintext in
> the database.

Of course, not storing the passwords in plaintext is also a security risk, as the passwords must be sent in plaintext when a client is authenticating.  Even if the connection is encrypted, it is vulnerable to man-in-the-middle attacks (if the client doesn't check the server's certificate, or if the certificate is stolen but not the database, etc).

Is there any widely accepted conclusion on this?

-- 
Magnus
JID: legosciajabber.cd.chalmers.se


Re: Re: jabberd14 'crypt' password storage in postgressql
2007-06-02 14:33:10
you can store:

H( { username-value, ":", realm-value, ":", passwd } )

that way the password is not in plain text, and the stored value can be used for DIGEST-MD5 authentication, so there's never a plaintext password transferred on the wire.

On 6/2/07, Magnus Henoch <mangefreemail.hu> wrote:
> Thomas Merkel <drscreamcyber-tec.org> writes:
>
> > I think it can be a big security risk to store passwords in plaintext in
> > the database.
>
> Of course, not storing the passwords in plaintext is also a security
> risk, as the passwords must be sent in plaintext when a client is
> authenticating.  Even if the connection is encrypted, it is vulnerable
> to man-in-the-middle attacks (if the client doesn't check the server's
> certificate, or if the certificate is stolen but not the database,
> etc).
>
> Is there any widely accepted conclusion on this?
>
> --
> Magnus
> JID: legosciajabber.cd.chalmers.se
>
-- 
- Norman Rasmussen
 - Email: normanrasmussen.co.za
 - Home page: http://norman.rasmussen.co.za/

Re: jabberd14 'crypt' password storage in postgressql
2007-06-03 09:24:53
On Sat, 2007-06-02 at 11:06 +0200, Thomas Merkel wrote:
> I think it can be a big security risk to store passwords in plaintext in
> the database.

Would you rather like them to be sent plaintext on the wire?

It's the choice:
- plaintext in DB, crypted on the wire
- crypted in DB, plaintext on the wire

Your choice is?

-- 
Tomasz Sterna
Xiaoka Grp.  http://www.xiaoka.com/


Re: jabberd14 'crypt' password storage in postgressql
2007-06-03 09:36:06
Thomas Merkel wrote:
> I think it can be a big security risk to store passwords in plaintext in
> the database.

What exactly is the risk?
-- 
Neil Stevens - neilhakubi.us

If you're seeing shades of gray, it's because you're not
looking close enough to see the black and white dots.

Re: Re: jabberd14 'crypt' password storage in postgressql
2007-06-03 17:15:41
Magnus Henoch wrote:
>> I think it can be a big security risk to store passwords in plaintext in
>> the database.
> Of course, not storing the passwords in plaintext is also a security
> risk, as the passwords must be sent in plaintext when a client is
> authenticating.  Even if the connection is encrypted, it is vulnerable
> to man-in-the-middle attacks (if the client doesn't check the server's
> certificate, or if the certificate is stolen but not the database,
> etc).

... exactly.


-- 
Matthias Wimmer      Fon +49-700 77 00 77 70
Züricher Str. 243    Fax +49-89 95 89 91 56
81476 München        http://ma.tthias.eu/


Re: Re: jabberd14 'crypt' password storage in postgressql
2007-06-03 17:20:39
Hi Norman!

Norman Rasmussen wrote:
> you can store:
>
> H( { username-value, ":", realm-value, ":", passwd } )
>
> that way the password is not in plain text, and the stored value can
> be used for DIGEST-MD5 authentication, so there's never a plaintext
> password transferred on the wire.

Where H( { username-value, ":", realm-value, ":", passwd } ) effectively becomes your plaintext password, and you are storing it again.

The only gain you get here is that the plaintext password is then usable for a single service only. But you still have a password in the DB that, when stolen, can be used to authenticate at the server.

With real password hashes you are not able to use them to authenticate at any service.

Another problem with DIGEST-MD5-prehashed passwords is that you are not able to upgrade to a more secure mechanism if you do not trust DIGEST-MD5 anymore (which may happen soon, as MD5 is more and more questionable).

Keep your passwords secure and don't rely on the false sense of security of hashed password storage.


Matthias

-- 
Matthias Wimmer      Fon +49-700 77 00 77 70
Züricher Str. 243    Fax +49-89 95 89 91 56
81476 München        http://ma.tthias.eu/

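A worked version of the scheme Norman proposes above and of Matthias's objection to it, added here as an illustration (it is not code from the thread or from jabberd14). It stores H(username:realm:password) as RFC 2831 defines it, runs a qop=auth DIGEST-MD5 verification from that stored row alone, and then checks that the row by itself is enough to produce a valid response. The user, realm, nonces and digest-uri are constructed sample values.

```python
import hashlib
import hmac

# DIGEST-MD5 (RFC 2831), qop=auth, built on the stored value H(username:realm:password).
# All names, nonces and the digest-uri below are constructed sample values.

def stored_credential(username: str, realm: str, password: str) -> bytes:
    """The DB value Norman proposes: the raw 16-byte MD5 of username:realm:password."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()

def digest_response(cred: bytes, nonce: str, cnonce: str, nc: str,
                    digest_uri: str, qop: str = "auth") -> str:
    """Client 'response' value computed from the stored credential only.
    A1 = H(user:realm:pass) ":" nonce ":" cnonce  (raw digest bytes, not hex)
    A2 = "AUTHENTICATE:" digest-uri
    response = HEX(H(HEX(H(A1)) ":" nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2))))"""
    ha1 = hashlib.md5(cred + f":{nonce}:{cnonce}".encode()).hexdigest()
    ha2 = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()

def client_response(username, realm, password, nonce, cnonce, nc, digest_uri):
    """A real client: derive the credential from the typed password, never send it."""
    return digest_response(stored_credential(username, realm, password),
                           nonce, cnonce, nc, digest_uri)

def server_accepts(db_cred, nonce, cnonce, nc, digest_uri, response):
    """Server side: recompute from the DB row and compare in constant time."""
    expected = digest_response(db_cred, nonce, cnonce, nc, digest_uri)
    return hmac.compare_digest(expected, response)

USER, REALM, PASSWORD = "drscream", "example.org", "correct horse"        # constructed
NONCE, CNONCE, NC, URI = "srvnonce1", "clinonce1", "00000001", "xmpp/example.org"
DB_ROW = stored_credential(USER, REALM, PASSWORD)

def demo():
    # 1. Norman's point: the password never crosses the wire, yet the server verifies.
    resp = client_response(USER, REALM, PASSWORD, NONCE, CNONCE, NC, URI)
    legit_ok = server_accepts(DB_ROW, NONCE, CNONCE, NC, URI, resp)
    # 2. Matthias's point: the row alone yields a valid response, so a stolen row is
    #    password-equivalent for this service; it is not a hash you can only verify against.
    from_row = digest_response(DB_ROW, NONCE, CNONCE, NC, URI)
    row_is_equivalent = server_accepts(DB_ROW, NONCE, CNONCE, NC, URI, from_row)
    # 3. Sanity check: a wrong password is still rejected.
    bad = client_response(USER, REALM, "wrong", NONCE, CNONCE, NC, URI)
    wrong_rejected = not server_accepts(DB_ROW, NONCE, CNONCE, NC, URI, bad)
    return legit_ok, row_is_equivalent, wrong_rejected

if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The second result is the whole of Matthias's argument: because the server must be able to recompute the response, whatever it stores is sufficient to log in, which is exactly what a real (salted, slow) password hash prevents.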

Re: jabberd14 'crypt' password storage in postgressql
2007-06-03 17:26:05
Hi Thomas!


Thomas Merkel wrote:
> I'm using jabberd14 (version 1.6.0) since yesterday. But I don't find
> any way to store the passwords (in postgres) as MD5 hash or SHA-1 or
> otherwise crypted. Is there any way to change it, or is there any patch
> available for jabberd14?

You do not need a patch, all you need is already in the distribution package. You only have to define a handler for the jabber:iq:auth:crypt namespace in your configuration file.

The definition looks the same as for the jabber:iq:auth handler, except for the changed namespace, and that the element "password" is renamed to "crypt".

But be aware that this setup is deprecated and I strongly recommend not using it. You will get into big problems upgrading to some future version of jabberd14, where authentication (and credentials storage) will be done completely by the used SASL library (Cyrus SASL).

> I think it can be a big security risk to store passwords in plaintext in
> the database.

I do not agree with you. The security risk is people that base their security provisions on hashing the passwords.


Matthias

-- 
Matthias Wimmer      Fon +49-700 77 00 77 70
Züricher Str. 243    Fax +49-89 95 89 91 56
81476 München        http://ma.tthias.eu/


Re: jabberd14 'crypt' password storage in postgressql
2007-06-11 11:26:36
On Sunday, 3 June 2007 16:36, Neil Stevens wrote:
> Thomas Merkel wrote:
> > I think it can be a big security risk to store passwords in plaintext in
> > the database.
>
> What exactly is the risk?

A user who does not know that the password is stored in plain text could use the same password as he uses for his email account.

Everybody who knows his email address - for instance because the user is required to deliver it when registering - can now read his mails.

This is one scenario which may occur.

Actually, I don't understand - apart from 'not well thought out' - why one would not compare two md5 encrypted strings instead of two plain text strings.

Best Regards,

Oliver

