ejabberd development / EJAB-1196

New SASL authentication method: SCRAM-SHA-1

      Description

      As suggested by Sebastiaan Deckers, from Pandion.

      Advantage of this authentication method:

      • The MD5 algorithm is weak and SHA-1 is better (still not great, but better).
      • SCRAM allows storing hashed passwords on the server, while Digest requires storing plaintext. This is often a security requirement.
      • SCRAM has i18n using stringprep. Digest authentication doesn't have that, so there are all kinds of problems with Unicode chars.

      Patch is tested and works with:

      • Gajim hg: PLAIN and its simple SCRAM-SHA-1 (ServerSignature is verified since 0.15)
      • Pandion 2.6.106: PLAIN and SCRAM-SHA-1 (doesn't verify ServerSignature)
      • Swift 1.0: PLAIN and SCRAM-SHA-1
      • Tkabber SVN: PLAIN

      Other clients are supposed to support SCRAM, but I couldn't test them: Empathy, Pidgin (since 2.6.6), Psi (not integrated into git yet, announcement), SoapBox (proprietary).
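Added example (Python, not code from the patch or from ejabberd) of what the second advantage means in practice: the server keeps only StoredKey, ServerKey, salt and iteration count, verifies a ClientProof from those values alone, and answers with the ServerSignature that clients such as Gajim check. The record layout, NFKC in place of SASLprep, and the sample exchange are assumptions made for this demo.

```python
import base64
import hashlib
import hmac
import unicodedata

def scram_sha1_store(password: str, salt: bytes, iterations: int) -> dict:
    """What the server keeps per user (RFC 5802 section 3): StoredKey, ServerKey,
    salt and iteration count, base64-encoded. The password itself is never stored.
    NFKC normalisation stands in for SASLprep here (assumption: demo only)."""
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    salted = hashlib.pbkdf2_hmac("sha1", pw, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return {"stored_key": base64.b64encode(hashlib.sha1(client_key).digest()).decode(),
            "server_key": base64.b64encode(server_key).decode(),
            "salt": base64.b64encode(salt).decode(),
            "iterations": iterations}

def scram_sha1_client_proof(password: str, record: dict, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    salted = hashlib.pbkdf2_hmac("sha1", pw, base64.b64decode(record["salt"]),
                                 record["iterations"])
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    client_sig = hmac.new(hashlib.sha1(client_key).digest(), auth_message, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))

def scram_sha1_verify(record: dict, auth_message: bytes, proof: bytes):
    """Server side: recover ClientKey from the proof and hash it; only H(ClientKey)
    is compared with StoredKey, so a stolen record alone cannot produce a valid proof.
    Returns the ServerSignature (which the client should check) or None on failure."""
    stored_key = base64.b64decode(record["stored_key"])
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    if not hmac.compare_digest(hashlib.sha1(client_key).digest(), stored_key):
        return None
    return hmac.new(base64.b64decode(record["server_key"]), auth_message, hashlib.sha1).digest()

# Constructed exchange: AuthMessage = client-first-bare "," server-first "," client-final-without-proof.
SALT = base64.b64decode("QSXCR+Q6sek8bf92")   # constructed sample salt
RECORD = scram_sha1_store("pencil", SALT, 4096)
AUTH_MESSAGE = (b"n=user,r=fyko+d2lbbFgONRv9qkxdawL,"
                b"r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,"
                b"c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j")

def run_demo(password: str) -> bool:
    """True when the server accepts the proof built from `password`."""
    proof = scram_sha1_client_proof(password, RECORD, AUTH_MESSAGE)
    return scram_sha1_verify(RECORD, AUTH_MESSAGE, proof) is not None
```

A client that skips the ServerSignature check (as Pandion did at the time) still authenticates, but it loses the assurance that the server actually holds its credentials.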

          Activity

          Dries Staelens added a comment:

          The RFC for this mechanism: http://tools.ietf.org/html/draft-ietf-sasl-scram-11

          Stephen Röttger added a comment:

          I wrote a patch that enables ejabberd to use SCRAM-SHA-1.
          It consists mainly of a storage backend, 'ejabberd_auth_internal_scram.erl', that saves passwords hashed in an internal database, and the challenge-response module 'cyrsasl_scram.erl' that does the authentication with the client.
          The storage works both with the SCRAM authentication as well as with plain password authentication.
          I have not tested it thoroughly yet, but it seems to work with Pidgin as client.

          Stephen Röttger added a comment:

          scram patch for ejabberd-2.1.0

          Badlop added a comment (edited):

          I've made some changes to your code: fixed some bugs, improved the integration into ejabberd, and documented it. I attach the file "part2", to be applied after your patch.

          Your patch adds two new files, cyrsasl_scram.erl and scram.erl, of which you are the author, but you didn't specify their license and copyright. Do you accept publishing them under the same license as ejabberd 2.1.8? Do you transfer the copyright to ProcessOne?

          Stephen Röttger added a comment:

          Yes, I accept publishing the files under the same license and agree to transfer the copyright to ProcessOne.

          Badlop added a comment:

          Thanks, I've applied the license and copyright notices to both files.

          I made some more changes:

          • stored the SCRAM bits in mnesia as base64-encoded binaries, not as the original binaries;
          • reordered the elements in the #scram record, and don't use _ in the element names;
          • renamed the function storage_type to store_type.

          I've committed to 2.1.x your initial patch and my newly modified patch.

          Then I migrated all the code to the master branch, which required some adaptation. In that branch, SCRAM is supported by mnesia and ODBC storage. And committed this.

