      Description

      I'm implementing ejabberd at my company. I'll use a MySQL database and must be compliant with some security guidelines. One of them is that I can't have plaintext passwords anywhere.

      So, I enabled in ejabberd.cfg:

      {auth_method, odbc}.
      {auth_password_format, scram}.

      However, registering users on the command line:

      ejabberdctl register someuser somedomain.com somepassword

      When I run select * from users, I get all passwords in plaintext. This is a security issue because EJAB-1196 says it works with ODBC, so I'm marking it as critical.

      Thanks,

      Wagner Sartori Junior
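To make the reporter's finding concrete, here is an added Python example (not ejabberd's own code) that derives the SCRAM-SHA-1 values a server is meant to store per RFC 5802 and audits rows from a users table for credentials that are still in clear text. The row layout (username, password, serverkey, salt, iterationcount columns) is assumed, and the sample rows are constructed.

```python
import base64
import hashlib
import hmac
import os


def scram_sha1_keys(password: str, salt: bytes, iterations: int) -> dict:
    """SCRAM-SHA-1 stored values per RFC 5802 section 3.

    SaltedPassword = Hi(password, salt, i), where Hi() is PBKDF2-HMAC-SHA1.
    Only StoredKey, ServerKey, the salt and the iteration count need to be
    persisted; the clear password never has to reach the database.
    """
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return {
        "password": base64.b64encode(hashlib.sha1(client_key).digest()).decode(),  # StoredKey
        "serverkey": base64.b64encode(server_key).decode(),
        "salt": base64.b64encode(salt).decode(),
        "iterationcount": iterations,
    }


def make_scram_row(username: str, password: str, iterations: int = 4096) -> dict:
    """Build a users row in SCRAM form with a fresh random 16-byte salt (assumed column layout)."""
    return {"username": username, **scram_sha1_keys(password, os.urandom(16), iterations)}


def row_storage_kind(row: dict) -> str:
    """Classify a row: SCRAM rows carry a salt and a positive iteration count; others do not."""
    if row.get("salt") and int(row.get("iterationcount") or 0) > 0:
        return "scram"
    return "plaintext"


def verify_password(row: dict, candidate: str) -> bool:
    """Check a candidate password against a row in whichever form it is stored."""
    if row_storage_kind(row) == "plaintext":
        return hmac.compare_digest(row["password"].encode(), candidate.encode())
    derived = scram_sha1_keys(candidate, base64.b64decode(row["salt"]), int(row["iterationcount"]))
    return hmac.compare_digest(derived["password"], row["password"])


def audit(rows) -> list:
    """Return usernames whose credential is not stored in SCRAM form (the reporter's finding)."""
    return [r["username"] for r in rows if row_storage_kind(r) != "scram"]


# Constructed sample rows standing in for `select * from users` output.
PLAINTEXT_ROW = {"username": "someuser", "password": "somepassword", "serverkey": "", "salt": "", "iterationcount": 0}
SCRAM_ROW = make_scram_row("scramuser", "somepassword")
```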

          Activity

          trunet Wagner Sartori Junior created issue
          cromain@process-one.net Christophe Romain (Inactive) made changes
            Assignee: Alexey Shchepin [ alexey ]
          cromain@process-one.net Christophe Romain (Inactive) made changes
            Assignee: Alexey Shchepin [ alexey ] -> Badlop [ badlop ]
          badlop Badlop added a comment -

          SCRAM was implemented for mnesia in 2.1.x. In master branch, it also worked for ODBC. The ticket says so, and the ejabberd Guide is quite clear: the SCRAM option is only described when speaking about internal/mnesia storage. So, this isn't a critical bug, it's a misfeature, which requires additional code to be implemented.

          badlop Badlop made changes
            Summary: SCRAM enabled but saving plaintext password on odbc database -> Add support for SCRAM to ODBC auth
            Issue Type: Bug [ 1 ] -> New Feature [ 2 ]
            Priority: Critical [ 2 ] -> Major [ 3 ]
          badlop Badlop made changes
            Labels: scram sha1 -> odbc scram sha1
          badlop Badlop made changes
            Component/s: Relational databases support [ 10061 ]
          jsautret@process-one.net Jérôme Sautret made changes
            Fix Version/s: ejabberd 3.1.0 [ 10281 ]
          cromain@process-one.net Christophe Romain (Inactive) made changes
            Fix Version/s: ejabberd 3.1.0 [ 10281 ] -> master [ 11243 ]
          larsven Lars Svensson added a comment -

          When will this feature be implemented? It is critical to our setup.

          mremond@process-one.net Mickaël Rémond made changes
            Workflow: development v3 [ 77315 ] -> Development v4 [ 80344 ]
          mremond@process-one.net Mickaël Rémond made changes
            Status: Open [ 1 ] -> Not Yet Scheduled [ 10024 ]
          peterromfeldhk peterromfeldhk added a comment - edited

          Check this out: http://petersys.blogspot.com/2013/09/ubuntu1204-ejabberd-with-mysql-backend.html
          Let me know if you need any more help, and don't forget to leave a comment if it was helpful!

          badlop Badlop made changes
            Link: This issue is created from EJAB-1196 [ EJAB-1196 ]
          nowaker Damian Nowak added a comment -

          It's a shame a major security issue like this has been ignored for more than one year now...

          neustradamus Neustradamus added a comment -

          Maybe Community members can resolve this problem...
          ODBC is not liked by ProcessOne.

          holger Holger Weiß added a comment -

          As SCRAM support was added to ODBC auth for the 15.03 release, I guess this ticket could be closed.

          mremond@process-one.net Mickaël Rémond made changes
            Status: Not Yet Scheduled [ 10024 ] -> Closed [ 6 ]
            Resolution: Fixed [ 1 ]

          People

            Votes: 3
            Watchers: 9