      Description

      I'm implementing ejabberd at my company. I'll use a MySQL database and must be compliant with some security guidelines. One of them is that I can't have plaintext passwords anywhere.

      So, I enabled in ejabberd.cfg:

      {auth_method, odbc}.
      {auth_password_format, scram}.

      However, registering users on the command line:

      ejabberdctl register someuser somedomain.com somepassword

      When I make a select * from users, I get all passwords in plaintext. This is a security issue because EJAB-1196 says it works with ODBC, though I'm marking it as critical.

      Thanks,

      Wagner Sartori Junior
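
For reference, this is what SCRAM storage keeps in place of the password under RFC 5802, and how a server checks a login using only that record. It is an added example in Python, not ejabberd's code or its database column layout; the function names are hypothetical and the sample values are the exchange published in RFC 5802 section 5.

```python
import base64
import hashlib
import hmac

def scram_sha1_record(password: str, salt: bytes, iterations: int) -> dict:
    """Derive the RFC 5802 values a server keeps in place of the password."""
    # SaltedPassword = Hi(password, salt, i), i.e. PBKDF2-HMAC-SHA-1 with a 20-byte output.
    # SASLprep normalisation is omitted; the sample password is plain ASCII.
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha1(client_key).digest(),
        "server_key": hmac.new(salted, b"Server Key", hashlib.sha1).digest(),
    }

def verify_client_proof(record: dict, auth_message: bytes, proof: bytes) -> bool:
    """Check a ClientProof using only the stored record, never the password."""
    if len(proof) != hashlib.sha1().digest_size:
        return False
    client_sig = hmac.new(record["stored_key"], auth_message, hashlib.sha1).digest()
    client_key = bytes(p ^ s for p, s in zip(proof, client_sig))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), record["stored_key"])

def server_signature(record: dict, auth_message: bytes) -> bytes:
    """ServerSignature returned to the client so it can authenticate the server."""
    return hmac.new(record["server_key"], auth_message, hashlib.sha1).digest()

# Exchange from RFC 5802 section 5 (user "user", password "pencil").
RFC_SALT = base64.b64decode("QSXCR+Q6sek8bf92")
RFC_NONCE = "fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
RFC_AUTH_MESSAGE = (
    "n=user,r=fyko+d2lbbFgONRv9qkxdawL,"
    f"r={RFC_NONCE},s=QSXCR+Q6sek8bf92,i=4096,"
    f"c=biws,r={RFC_NONCE}"
).encode("ascii")
RFC_CLIENT_PROOF = base64.b64decode("v0X8v3Bz2T0CJGbJQyF0X+HI4Ts=")

if __name__ == "__main__":
    record = scram_sha1_record("pencil", RFC_SALT, 4096)
    for name in ("salt", "stored_key", "server_key"):
        print(name, base64.b64encode(record[name]).decode())
    print("proof ok:", verify_client_proof(record, RFC_AUTH_MESSAGE, RFC_CLIENT_PROOF))
```

A users table holding only the salt, iteration count, StoredKey and ServerKey is enough to complete the exchange, so a password column that still shows the registered password means the SCRAM format was not applied on that storage path.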

          Activity

          trunet Wagner Sartori Junior created issue -
          cromain@process-one.net Christophe Romain made changes -
            Field | Original Value | New Value
            Assignee | | Alexey Shchepin [ alexey ]
          cromain@process-one.net Christophe Romain made changes -
            Assignee | Alexey Shchepin [ alexey ] | Badlop [ badlop ]
          badlop Badlop made changes -
            Summary | SCRAM enabled but saving plaintext password on odbc database | Add support for SCRAM to ODBC auth
            Issue Type | Bug [ 1 ] | New Feature [ 2 ]
            Priority | Critical [ 2 ] | Major [ 3 ]
          badlop Badlop made changes -
            Labels | scram sha1 | odbc scram sha1
          badlop Badlop made changes -
            Component/s | | Relational databases support [ 10061 ]
          jsautret@process-one.net Jérôme Sautret made changes -
            Fix Version/s | | ejabberd 3.1.0 [ 10281 ]
          cromain@process-one.net Christophe Romain made changes -
            Fix Version/s | | master [ 11243 ]
            Fix Version/s | ejabberd 3.1.0 [ 10281 ] |
          mremond@process-one.net Mickaël Rémond made changes -
            Workflow | development v3 [ 77315 ] | Development v4 [ 80344 ]
          mremond@process-one.net Mickaël Rémond made changes -
            Status | Open [ 1 ] | Not Yet Scheduled [ 10024 ]
          badlop Badlop made changes -
            Link | | This issue is created from EJAB-1196 [ EJAB-1196 ]
          mremond@process-one.net Mickaël Rémond made changes -
            Status | Not Yet Scheduled [ 10024 ] | Closed [ 6 ]
            Resolution | | Fixed [ 1 ]

            People

            • Votes: 3
            • Watchers: 9
