Description

I'm implementing ejabberd at my company. I'll use a MySQL database and must be compliant with some security guidelines. One of them is that I can't have plaintext passwords anywhere.

So, I enabled in ejabberd.cfg:

{auth_method, odbc}.
{auth_password_format, scram}.

However, registering users on the command line:

ejabberdctl register someuser somedomain.com somepassword

When I run a select * from users I get all passwords in plaintext. This is a security issue because EJAB-1196 says it works with ODBC, though I'm marking it as critical.

      Thanks,

      Wagner Sartori Junior
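What a SCRAM-backed users table holds instead of the cleartext the report describes, as an added example (not code from ejabberd or from the ticket): SCRAM-SHA-1 derivation per RFC 5802, verification of a candidate password against the stored values, and an audit of constructed table rows for cleartext. The row layout (password, serverkey, salt, iterationcount) and the sample rows are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# SCRAM-SHA-1 (RFC 5802): Hi() is PBKDF2-HMAC-SHA1; ClientKey = HMAC(salted, "Client Key"),
# StoredKey = SHA1(ClientKey), ServerKey = HMAC(salted, "Server Key"). A SCRAM store keeps
# only StoredKey, ServerKey, the salt and the iteration count, never the password itself.

def scram_sha1_credentials(password, salt=None, iterations=4096):
    """Derive the values kept at rest in place of the cleartext password."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return {
        "stored_key": base64.b64encode(hashlib.sha1(client_key).digest()).decode(),
        "server_key": base64.b64encode(server_key).decode(),
        "salt": base64.b64encode(salt).decode(),
        "iteration_count": iterations,
    }

def scram_sha1_verify(password, cred):
    """Re-derive StoredKey from a candidate password and compare in constant time."""
    again = scram_sha1_credentials(
        password, base64.b64decode(cred["salt"]), cred["iteration_count"])
    return hmac.compare_digest(again["stored_key"], cred["stored_key"])

def _is_scram_row(password, serverkey, salt, iterationcount):
    """Row looks SCRAM-backed: salt/serverkey set and password is a base64 20-byte key."""
    if not serverkey or not salt or iterationcount <= 0:
        return False
    try:
        return len(base64.b64decode(password, validate=True)) == 20
    except (ValueError, TypeError):
        return False

def audit_users_rows(rows):
    """Usernames whose password column still holds cleartext.
    Assumed row layout: (username, password, serverkey, salt, iterationcount)."""
    return [u for u, p, sk, s, ic in rows if not _is_scram_row(p, sk, s, ic)]

# Constructed sample table: the cleartext row the report describes, plus one row
# written the way a SCRAM-aware backend would store the same password.
_scram = scram_sha1_credentials("somepassword")
SAMPLE_ROWS = [
    ("someuser", "somepassword", "", "", 0),
    ("scramuser", _scram["stored_key"], _scram["server_key"], _scram["salt"], _scram["iteration_count"]),
]
```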

          Activity

Badlop added a comment -

SCRAM was implemented for mnesia in 2.1.x. In the master branch, it also worked for ODBC. The ticket says so, and the ejabberd Guide is quite clear: the SCRAM option is only described when speaking about internal/mnesia storage. So, this isn't a critical bug, it's a misfeature, which requires additional code to be implemented.

Lars Svensson added a comment -

          When will this feature be implemented? It is critical to our setup.

peterromfeldhk added a comment - edited

Check this out: http://petersys.blogspot.com/2013/09/ubuntu1204-ejabberd-with-mysql-backend.html
Let me know if you need any more help, and don't forget to leave a comment if it was helpful!

Damian Nowak added a comment -

It's a shame a major security issue like this has been ignored for more than one year now...

Neustradamus added a comment -

          Maybe Community members can resolve this problem...
          ODBC is not liked by ProcessOne.

Holger Weiß added a comment -

          As SCRAM support was added to ODBC auth for the 15.03 release, I guess this ticket could be closed.
