Details

      Description

      As suggested by Sebastiaan Deckers, from Pandion.

      Advantage of this authentication method:

      • The MD5 algorithm is weak and SHA-1 is better (still not great but better)
      • Scram allows storing hashed passwords on the server, while Digest requires storing plaintext. This is often a security requirement.
      • Scram has i18n using stringprep. Digest authentication doesn't have that so there are all kinds of problems with Unicode chars.

      Patch is tested and works with:

      • Gajim hg: PLAIN and its simple SCRAM-SHA-1 (ServerSignature is verified since 0.15)
      • Pandion 2.6.106: PLAIN and SCRAM-SHA-1 (doesn't verify ServerSignature)
      • Swift 1.0: PLAIN and SCRAM-SHA-1
      • Tkabber SVN: PLAIN

      Other clients are supposed to support SCRAM, but I couldn't test them: Empathy, Pidgin (since 2.6.6), Psi (not integrated into git yet, announcement), SoapBox (proprietary).

      Related links:

      • The protocol: Salted Challenge Response (SCRAM) SASL and GSS-API Mechanism, http://tools.ietf.org/html/draft-ietf-sasl-scram-11
      • Overview of the protocol: Scram DIGEST-MD5!, http://ayena.de/scram-digest-md5

          Activity

          mremond@process-one.net Mickaël Rémond created issue -
          mremond@process-one.net Mickaël Rémond made changes -
          Field: Description
          Original value:
          Advantage of this authentication method:
          - The MD5 algorithm is weak and SHA-1 is better (still not great but better :) )
          - Scram allows storing hashed passwords on the server, while Digest requires storing plaintext. This is often a security requirement.
          - Scram has i18n using stringprep. Digest authentication doesn't have that so there are all kinds of problems with Unicode chars.
          New value:
          As suggested by Sebastiaan Deckers, from Pandion.

          Advantage of this authentication method:
          - The MD5 algorithm is weak and SHA-1 is better (still not great but better :) )
          - Scram allows storing hashed passwords on the server, while Digest requires storing plaintext. This is often a security requirement.
          - Scram has i18n using stringprep. Digest authentication doesn't have that so there are all kinds of problems with Unicode chars.
          dries Dries Staelens added a comment - The RFC for this mechanism: http://tools.ietf.org/html/draft-ietf-sasl-scram-11
          badlop Badlop made changes -
          Field: Description (original value: the previous version, as recorded above). New value:
          As suggested by Sebastiaan Deckers, from Pandion.

          Advantage of this authentication method:
          * The MD5 algorithm is weak and SHA-1 is better (still not great but better :) )
          * Scram allows storing hashed passwords on the server, while Digest requires storing plaintext. This is often a security requirement.
          * Scram has i18n using stringprep. Digest authentication doesn't have that so there are all kinds of problems with Unicode chars.

          SCRAM is supported by development versions of Prosody, Pidgin, Pandion and Gajim.
          badlop Badlop made changes -
          Field: Description (original value: the previous version, as recorded above). New value:
          As suggested by Sebastiaan Deckers, from Pandion.

          Advantage of this authentication method:
          * The MD5 algorithm is weak and SHA-1 is better (still not great but better :) )
          * Scram allows storing hashed passwords on the server, while Digest requires storing plaintext. This is often a security requirement.
          * Scram has i18n using stringprep. Digest authentication doesn't have that so there are all kinds of problems with Unicode chars.

          SCRAM is supported by development versions of Prosody, Pidgin, Pandion and Gajim.

          Related links:
          * The protocol: [Salted Challenge Response (SCRAM) SASL and GSS-API Mechanism|http://tools.ietf.org/html/draft-ietf-sasl-scram-11]
          * Overview of the protocol: [Scram DIGEST-MD5!|http://ayena.de/scram-digest-md5]
          badlop Badlop made changes -
          Field: Description (original value: the previous version, as recorded above). New value:
          As suggested by Sebastiaan Deckers, from Pandion.

          Advantage of this authentication method:
          * The MD5 algorithm is weak and SHA-1 is better (still not great but better :) )
          * Scram allows storing hashed passwords on the server, while Digest requires storing plaintext. This is often a security requirement.
          * Scram has i18n using stringprep. Digest authentication doesn't have that so there are all kinds of problems with Unicode chars.

          SCRAM is supported by development versions of Prosody, Pidgin, Pandion, Gajim, and Psi ([announcement|http://ayena.de/sleep_tight_password_safe]).

          Related links:
          * The protocol: [Salted Challenge Response (SCRAM) SASL and GSS-API Mechanism|http://tools.ietf.org/html/draft-ietf-sasl-scram-11]
          * Overview of the protocol: [Scram DIGEST-MD5!|http://ayena.de/scram-digest-md5]
          stephen Stephen Röttger added a comment -

          I wrote a patch that enables ejabberd to use SCRAM-SHA-1.
          It consists mainly of a storage backend, 'ejabberd_auth_internal_scram.erl', that saves passwords hashed in an internal database, and the challenge-response module 'cyrsasl_scram.erl' that does the authentication with the client.
          The storage works both with the scram authentication as well as with plain password authentication.
          I have not tested it thoroughly yet, but it seems to work with pidgin as client.

          stephen Stephen Röttger added a comment -

          scram patch for ejabberd-2.1.0

          stephen Stephen Röttger made changes -
          Attachment: ejabberd-2.1.0-scram.patch
          badlop Badlop made changes -
          Assignee: Badlop
          badlop Badlop made changes -
          Status: Open → In Progress
          badlop Badlop added a comment (edited)

          I've made some changes to your code: fix some bugs, improve the integration into ejabberd, and document it. I attach the file "part2", to be applied after your patch.

          Your patch adds two new files cyrsasl_scram.erl and scram.erl where you are the author, but you didn't specify their license and copyright. Do you accept to publish them with the same license that ejabberd 2.1.8? Do you transfer copyright to ProcessOne?

          badlop Badlop made changes -
          Attachment: ejabberd-2.1.0-scram-part2.patch
          badlop Badlop made changes -
          Status: In Progress → Open
          stephen Stephen Röttger added a comment -

          Yes, I accept to publish the files with the same license and agree to transfer copyright to ProcessOne.

          badlop Badlop added a comment -

          Thanks, I've applied the license and copyright notices to both files.

          I made some more changes:

          • store SCRAM bits in mnesia as base64-encoded binaries, not as original binaries.
          • reordered the elements in the #scram record, and don't use _ in the element names
          • renamed the function storage_type to store_type

          I've committed to 2.1.x your initial patch and my newly modified patch.

          Then I migrated all the code to the master branch, which required some adaptation. In that branch, SCRAM is supported by mnesia and ODBC storage. And committed this.

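An added example, not code from the attached patches or from ejabberd: the server-side SCRAM-SHA-1 record that the issue description and the comment above describe (StoredKey, ServerKey, salt and iteration count kept base64-encoded, never the plaintext password), together with the client-proof check the server performs and the ServerSignature check that Gajim 0.15 does and Pandion 2.6.106 skips. Written in Python with hashlib; SAMPLE_SALT, SAMPLE_AUTH_MESSAGE, the password and the record field names are constructed here, and SASLprep is left out.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not from the issue): a fixed salt and a fixed AuthMessage.
SAMPLE_SALT = b"0123456789abcdef"
SAMPLE_AUTH_MESSAGE = b"n=user,r=fyko,r=fyko3rfc,s=MDEyMzQ1Njc4OWFiY2RlZg==,i=4096,c=biws,r=fyko3rfc"

def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hi() of draft-ietf-sasl-scram: PBKDF2 with HMAC-SHA-1 (SASLprep omitted here)."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations)

def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def scram_record(password: str, salt: bytes, iterations: int = 4096) -> dict:
    """What the server stores: StoredKey, ServerKey, salt, count; no plaintext, all base64."""
    salted = hi(password.encode("utf-8"), salt, iterations)
    client_key = hmac_sha1(salted, b"Client Key")
    return {
        "storedkey": base64.b64encode(hashlib.sha1(client_key).digest()).decode(),
        "serverkey": base64.b64encode(hmac_sha1(salted, b"Server Key")).decode(),
        "salt": base64.b64encode(salt).decode(),
        "iterationcount": iterations,
    }

def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key = hmac_sha1(hi(password.encode("utf-8"), salt, iterations), b"Client Key")
    stored_key = hashlib.sha1(client_key).digest()
    return xor(client_key, hmac_sha1(stored_key, auth_message))

def server_verify(record: dict, auth_message: bytes, proof: bytes):
    """Recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    Returns the ServerSignature on success, None on failure."""
    stored_key = base64.b64decode(record["storedkey"])
    client_key = xor(proof, hmac_sha1(stored_key, auth_message))
    if not hmac.compare_digest(hashlib.sha1(client_key).digest(), stored_key):
        return None
    return hmac_sha1(base64.b64decode(record["serverkey"]), auth_message)

def client_verify_server(password: str, salt: bytes, iterations: int,
                         auth_message: bytes, server_signature: bytes) -> bool:
    """The check Gajim 0.15 added and Pandion 2.6.106 skips: did the server know ServerKey?"""
    server_key = hmac_sha1(hi(password.encode("utf-8"), salt, iterations), b"Server Key")
    return hmac.compare_digest(hmac_sha1(server_key, auth_message), server_signature)
```

A leaked record lets an attacker impersonate the server to this client (ServerKey) or replay toward this server only after an offline search on StoredKey, which is why the salt and a high iteration count matter.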
          badlop Badlop made changes -
          Attachment: ejabberd-2.1.0-scram-part2.patch
          badlop Badlop made changes -
          Status: Open → Resolved
          Fix Version/s: ejabberd 2.1.9
          Fix Version/s: ejabberd 3.0.0-beta-1
          Resolution: Fixed
          badlop Badlop made changes -
          Field: Description (original value: the previous version, as recorded above). New value:
          As suggested by Sebastiaan Deckers, from Pandion.

          Advantage of this authentication method:
          * The MD5 algorithm is weak and SHA-1 is better (still not great but better :) )
          * Scram allows storing hashed passwords on the server, while Digest requires storing plaintext. This is often a security requirement.
          * Scram has i18n using stringprep. Digest authentication doesn't have that so there are all kinds of problems with Unicode chars.

          Patch is tested and works with:
          * Gajim hg: PLAIN and its simple SCRAM-SHA-1 ([ServerSignature is verified since 0.15|http://trac.gajim.org/ticket/6940])
          * Pandion 2.6.106: PLAIN and SCRAM-SHA-1 (doesn't verify ServerSignature)
          * Swift 1.0: PLAIN and SCRAM-SHA-1
          * Tkabber SVN: PLAIN

          Other clients are supposed to support SCRAM, but I couldn't test them: Empathy, Pidgin (since 2.6.6), Psi (not integrated into git yet, [announcement|http://ayena.de/sleep_tight_password_safe]), SoapBox (proprietary).

          Related links:
          * The protocol: [Salted Challenge Response (SCRAM) SASL and GSS-API Mechanism|http://tools.ietf.org/html/draft-ietf-sasl-scram-11]
          * Overview of the protocol: [Scram DIGEST-MD5!|http://ayena.de/scram-digest-md5]
          cromain@process-one.net Christophe Romain made changes -
          Status: Resolved → Closed
          mremond@process-one.net Mickaël Rémond made changes -
          Workflow: development v3 → Development v4
          badlop Badlop made changes -
          Link: This issue is split to EJAB-1598