creating users for digest-md5 auth, with hashed password in db

9 replies

Joined: 2010-01-23, Points: 212

Hi,

Sorry if this is a dumb question, but I could not easily find out how to do what is written in the subject line. I absolutely want hashed passwords in the database. When I register using in-band registration, they are saved as plain text. Secondly, I would also like to be able to use DIGEST-MD5 with these hashed passwords. I hope this is possible.

Thanks.

kobit (Joined: 2006-09-03, Points: 267814)

I am afraid this is impossible.
You can have either hashed passwords or DIGEST-MD5 authentication. DIGEST-MD5 authentication requires the clear-text password to calculate the DIGEST hash of (password + session_id).

Joined: 2010-01-23, Points: 212

Wow, strange dilemma. Hashed on storage or network, but not both? Do you know if the upcoming SCRAM mechanism solves this problem?

I guess I'll use TLS+Plain for now.

Joined: 2010-01-23, Points: 212

http://tools.ietf.org/html/draft-ietf-sasl-digest-to-historic-00

Section 1, #4 of the above document seems to suggest that storing hashes is possible. You have to store the hash of "user:realm:password".

kobit (Joined: 2006-09-03, Points: 267814)

Hm, indeed. I am not sure, though, whether that would work, or if this is implemented in any client or any server. I will do some research on this if time allows.

Joined: 2010-01-23, Points: 212

This is also mentioned in RFC 2831 ("Using Digest Authentication as a SASL Mechanism"), section 3.9. I think it should work fine.

I see the digest md5 code is commented out in svn trunk. How much work is involved to restore that and add stored procedure hooks?
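The computation the two posts above are pointing at, written out as an added example (this is not Tigase code and not from the thread). The server keeps only hex(MD5("user:realm:password")); RFC 2831 builds A1 from the raw 16 bytes of that hash plus the nonce and cnonce, so the plaintext is never needed on the server side. The user, realm, password, nonces and digest-uri of the round-trip demo are constructed values; the second vector (chris / elwood.innosoft.com / secret) is the worked example from RFC 2831 section 4.

```python
import hashlib
import hmac

# Constructed sample values for the round-trip demo; none of this is from the
# thread.  In a real exchange the server nonce must be fresh and unpredictable
# per authentication; fixed strings are used here so the run is reproducible.
USER = "alice"
REALM = "example.org"
PASSWORD = "correct horse battery"
DIGEST_URI = "xmpp/example.org"
NONCE = "server-nonce-constructed"
CNONCE = "client-nonce-constructed"
NC = "00000001"
QOP = "auth"


def digest_md5_secret(user: str, realm: str, password: str) -> str:
    """What the database stores (RFC 2831 section 3.9): hex of
    MD5("user:realm:password").  The plaintext password is not kept."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()


def response_value(secret_hex, nonce, cnonce, nc, qop, digest_uri,
                   authzid=None, method="AUTHENTICATE"):
    """RFC 2831 response-value derived from the stored secret only.

    A1 = raw MD5(user:realm:password) || ":" || nonce || ":" || cnonce [|| ":" || authzid]
    A2 = method || ":" || digest-uri   (plus 32 zeros for auth-int / auth-conf)
    response = hex(MD5(hex(MD5(A1)) ":" nonce ":" nc ":" cnonce ":" qop ":" hex(MD5(A2))))
    """
    a1 = bytes.fromhex(secret_hex) + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    ha1 = hashlib.md5(a1).hexdigest()
    a2 = f"{method}:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":00000000000000000000000000000000"
    ha2 = hashlib.md5(a2.encode("utf-8")).hexdigest()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    return hashlib.md5(kd.encode("utf-8")).hexdigest()


def client_response(user, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """Client side: has the plaintext, derives the same secret, same response."""
    return response_value(digest_md5_secret(user, realm, password),
                          nonce, cnonce, nc, qop, digest_uri)


def server_verify(stored_secret_hex, nonce, cnonce, nc, qop, digest_uri, response):
    """Server side: recomputes from the stored hash; constant-time compare."""
    expected = response_value(stored_secret_hex, nonce, cnonce, nc, qop, digest_uri)
    return hmac.compare_digest(expected, response)


def server_rspauth(stored_secret_hex, nonce, cnonce, nc, qop, digest_uri):
    """rspauth sent back to the client: same formula with an empty method,
    proving the server also knew the secret (RFC 2831 section 2.1.3)."""
    return response_value(stored_secret_hex, nonce, cnonce, nc, qop, digest_uri, method="")


def run_exchange(password_tried: str) -> bool:
    """Full round trip against the constructed account; True if accepted."""
    stored = digest_md5_secret(USER, REALM, PASSWORD)
    resp = client_response(USER, REALM, password_tried, NONCE, CNONCE, NC, QOP, DIGEST_URI)
    return server_verify(stored, NONCE, CNONCE, NC, QOP, DIGEST_URI, resp)


def rfc2831_example() -> str:
    """The RFC 2831 section 4 vector, computed from the stored hash only."""
    stored = digest_md5_secret("chris", "elwood.innosoft.com", "secret")
    return response_value(stored, "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk",
                          "00000001", "auth", "imap/elwood.innosoft.com")


if __name__ == "__main__":
    print("stored secret:", digest_md5_secret(USER, REALM, PASSWORD))
    print("correct password accepted:", run_exchange(PASSWORD))
    print("wrong password accepted:", run_exchange("not the password"))
    print("RFC 2831 example response:", rfc2831_example())
```

Two caveats a practitioner would want before adopting this. First, the stored value is password-equivalent for DIGEST-MD5: anyone who reads hex(MD5(user:realm:password)) out of the database can compute valid responses for that user on that realm, so this protects the plaintext from reuse elsewhere but does not protect this server against impersonation. Second, it is unsalted MD5, so an offline guess against a leaked row costs one MD5 per candidate; the realm is the only fixed input that separates it from a plain MD5 of the password.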

kobit (Joined: 2006-09-03, Points: 267814)

Where is this digest md5 code commented out in svn trunk? What file are you talking about?

Joined: 2010-01-23, Points: 212

TigaseSaslServerFactory

kobit (Joined: 2006-09-03, Points: 267814)

Ah, it is indeed commented out, but it is not needed there. The SASL DIGEST-MD5 implementation is provided by the Java core library.
The actual mechanism availability is determined by the authentication connector. A good example would be the UserAuthRepositoryImpl.java file. Have a look for the variable sasl_mechs. All other connectors have the same or a similar variable for controlling available mechanisms.

Joined: 2010-01-23, Points: 212

It looks like Java's DIGEST-MD5 implementation in SaslServer needs a PasswordCallback, requiring the application to be able to obtain the plaintext password. They could fix this by perhaps adding some DigestCallback that could be attempted first, but at this time I don't think that exists (I read some Sun source code; also see this link for the complete callback list: http://java.sun.com/javase/6/docs/api/javax/security/auth/callback/package-tree.html ).

We may need custom SASL code in Tigase to pull this off.
