      Description

I'm implementing ejabberd at my company. I'll use a MySQL database and must comply with some security guidelines. One of them is that I can't have plaintext passwords anywhere.

So, I enabled in ejabberd.cfg:

    {auth_method, odbc}.
    {auth_password_format, scram}.

However, registering users on the command line:

    ejabberdctl register someuser somedomain.com somepassword

When I run a select * from users I get all passwords in plaintext. This is a security issue because EJAB-1196 says it works with ODBC, though I'm marking it as critical.

      Thanks,

      Wagner Sartori Junior
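The report above hinges on the difference between a users row that holds the password itself and one that holds SCRAM-SHA-1 verifier material. The following is an added example, not code from this ticket or from ejabberd: it derives the RFC 5802 values a server keeps instead of the password (StoredKey, ServerKey, salt, iteration count), verifies a password against such a row, and audits a table for rows that are still plaintext. The column names (username, password, serverkey, salt, iterationcount) are assumed to mirror the later SCRAM-capable ejabberd schema, and the sample rows are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets


def scram_sha1_credentials(password: str, salt: bytes, iterations: int) -> dict:
    """Derive the RFC 5802 SCRAM-SHA-1 values a server stores instead of the password.

    SaltedPassword = Hi(password, salt, i)  (Hi is PBKDF2-HMAC-SHA1)
    ClientKey      = HMAC(SaltedPassword, "Client Key")
    StoredKey      = H(ClientKey)
    ServerKey      = HMAC(SaltedPassword, "Server Key")
    Only StoredKey and ServerKey are kept; neither yields the password or ClientKey.
    """
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    # Assumed column layout: StoredKey lives in the `password` column, base64-encoded.
    return {
        "password": base64.b64encode(stored_key).decode("ascii"),
        "serverkey": base64.b64encode(server_key).decode("ascii"),
        "salt": base64.b64encode(salt).decode("ascii"),
        "iterationcount": iterations,
    }


# Constructed sample rows shaped like an assumed SCRAM-capable `users` table.
# Row 0 is what the reporter saw: the password itself, no salt, no iterations.
_FIXED_SALT = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed, for reproducibility
SAMPLE_ROWS = [
    {"username": "someuser", "password": "somepassword",
     "serverkey": "", "salt": "", "iterationcount": 0},
    {"username": "scramuser", **scram_sha1_credentials("correct horse", _FIXED_SALT, 4096)},
]


def is_plaintext_row(row: dict) -> bool:
    """A SCRAM row always carries a salt and a positive iteration count."""
    return not row.get("salt") or int(row.get("iterationcount") or 0) <= 0


def audit_plaintext(rows: list) -> list:
    """Return the usernames whose rows still store the password in the clear."""
    return [row["username"] for row in rows if is_plaintext_row(row)]


def verify_scram(row: dict, password: str) -> bool:
    """Recompute StoredKey/ServerKey from the candidate password and compare in constant time."""
    if is_plaintext_row(row):
        return False
    salt = base64.b64decode(row["salt"])
    derived = scram_sha1_credentials(password, salt, int(row["iterationcount"]))
    return (hmac.compare_digest(derived["password"], row["password"])
            and hmac.compare_digest(derived["serverkey"], row["serverkey"]))


def convert_row(row: dict, iterations: int = 4096) -> dict:
    """Turn a plaintext row into a SCRAM row with a fresh random salt; SCRAM rows pass through."""
    if not is_plaintext_row(row):
        return dict(row)
    salt = secrets.token_bytes(16)
    return {"username": row["username"],
            **scram_sha1_credentials(row["password"], salt, iterations)}


if __name__ == "__main__":
    print("plaintext rows:", audit_plaintext(SAMPLE_ROWS))
    converted = [convert_row(r) for r in SAMPLE_ROWS]
    print("after conversion:", audit_plaintext(converted))
    print("someuser verifies:", verify_scram(converted[0], "somepassword"))
```

Run against a real table, the audit is the check a reviewer would want before signing off on the "no plaintext anywhere" requirement: a row is only as safe as the presence of its salt and iteration count, and a verifier that has both still cannot recover the password from StoredKey.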

Activity

Badlop added a comment:

            SCRAM was implemented for mnesia in 2.1.x. In master branch, it also worked for ODBC. The ticket says so, and the ejabberd Guide is quite clear: the SCRAM option is only described when speaking about internal/mnesia storage. So, this isn't a critical bug, it's a misfeature, which requires additional code to be implemented.

Lars Svensson added a comment:

            When will this feature be implemented? It is critical to our setup.

peterromfeldhk added a comment (edited):

Check this out: http://petersys.blogspot.com/2013/09/ubuntu1204-ejabberd-with-mysql-backend.html
Let me know if you need any more help, and don't forget to leave a comment if it was helpful!

Damian Nowak added a comment:

            It's a shame major security issue like this has been ignored for more than one year now...

Neustradamus added a comment:

            Maybe Community members can resolve this problem...
            ODBC is not liked by ProcessOne.

Holger Weiß added a comment:

            As SCRAM support was added to ODBC auth for the 15.03 release, I guess this ticket could be closed.


Votes: 3, Watchers: 9