creating users for digest-md5 auth, with hashed password in db
Sorry if this is a dumb question but I could not easily find out how to do what is written in the subject line. I absolutely want hashed passwords in the database. When I register using in-band registration, they are saved as plain. Secondly, I would also like to be able to use DIGEST-MD5 with these hashed passwords. I hope this is possible.
I am afraid this is impossible.
You can have either hashed passwords or DIGEST-MD5 authentication. DIGEST-MD5 authentication requires clear text password to calculate the DIGEST hash of (password + session_id).
Wow, strange dilemma. Hashed on storage or network, but not both? Do you know if the upcoming SCRAM mechanism solves this problem?
I guess I'll use TLS+Plain for now.
Section 1, #4 of the above document seems to suggest that storing hashes is possible. You have to store the hash of "user:realm:password".
Hm, indeed. I am not sure, though if that would work, if this is implemented in any client or any server. I will do some research on this if time allows.
This is also mentioned in rfc 2831 ("Using Digest Authentication as a SASL Mechanism"), section 3.9. I think it should work fine.
I see the digest md5 code is commented out in svn trunk. How much work is involved to restore that and add stored procedure hooks?
Where is this digest md5 code commented out in svn trunk? What file are you talking about?
Ah, it is indeed commented out but it is not needed there. Sasl for DIGEST-MD5 implementation is provided by the Java core library.
The actual mechanism availability is determined by the authentication connector. A good example would be:
UserAuthRepositoryImpl.java file. Have a look for a variable:
sasl_mechs. All other connectors have the same or similar variable for controlling available mechanisms.
It looks like Java's DIGEST-MD5 implementation using SaslServer needs PasswordCallback, requiring the application to be able to obtain the plaintext password. They could fix this by perhaps adding some DigestCallback that could be attempted first, but at this time I don't think that exists (I read some Sun source code, and also see this link for the complete callback list: http://java.sun.com/javase/6/docs/api/javax/security/auth/callback/package-tree.html )
We may need custom SASL code in Tigase to pull this off.