Hi!
I want to use open-fire but I don’t want the users knowing their passwords. Is there any way for me to create the users (and set their password correctly) on the database? I see that the password is stored encrypted on the database. Is there any way to change that? Or any command-line utility that I can call and it will return to me the hash of the password so I can store it manually on the DB?
For the clients I will use psi and I’m asking on its forum how to encode the password in the config.xml. I want this so I can simplify as much as I can the deployment for my users.
Thanks,
Luiz.
I am also interested in knowing how this works so I may be able to gather roster information on a given user without having to log them in via XMPP.
Thank you,
Dallas Gutauckis
Alternatively, I could config Openfire to store the password as plaintext. Can I configure Openfire to do that?
I contacted JiveSoftware directly for this, and they claim exactly what I already thought… which is that they use Blowfish and then convert the output to hex. When I perform a blowfish encryption on the password and convert it to hex, however, the hashes don’t match (from the db and the hash I’ve created) so I’m left now trying to figure out what they’re actually doing, or what I’m doing incorrectly.
Alternatively, I could config Openfire to store the password as plaintext. Can I configure Openfire to do that?
Yes, this is possible. The table jiveUser has a column “password” and a column “encryptedPassword”. Just use one of both and set the other to NULL.
the hashes don’t match
Maybe just a confusion? Blowfish is an symmetric encryption, not a hash like SHA1 or MD5! It is possible and necessary to decrypt the password from database.
Maybe take a look into openfire sourcecode, to find out what openfire does exactly. Maybe you could write your command-line utility in Java, using Openfire libraries.
Coolcat
I’ve found more discussion on this here: http://eval.jivesoftware.com/forums/thread.jspa?threadID=23597
Though, again, this doesn’t help very much as it’s basically what I’ve already known.
I know they’re not hashes in the sense that Blowfish is two-way and capable of decryption, but it seems as if the only way to go about decrypting them is to use the Blowfish library that JiveSoftware is using. This, however, is not something that should have to be done. One should be capable of using any standard Blowfish implementation in a cryptography library (such as mcrypt) to encrypt/decrypt and produce the same results that JiveSoftware is getting. Instead, I am getting output generally in the region of about 1/4 the length of the strings being produced by Openfire’s Blowfish module.
Just out of curiosity, why would anyone not want their users to know their password?
Because it will be another password for them to remember - since I won’t be using AD integration. I will use psi with everything pre-configured - including user and password.
http://forum.psi-im.org/post/32159;?unb893sess=9b07e34a7d2e653c06902ed2288f797b
It will be as if I was using AD integration. What won’t I use AD? Because I’m part of a larger company that has around 17000 users - all of them in one single OU. I will have less than 500 users using OpenFire - so I won’t use AD.
Ok, Ok, easy now. Didn’t mean to ruffle feathers. Was just curious. Although you could use filters with the openfire config and AD to achieve integration.
Based on what I’m looking at now, it looks as if the CBC IV for the blowfish encryption mechanism is prepended to the hex string converted from binary from the blowfish encryption… so to decrypt the blowfish, you first need to figure out the IV based on the first (and I’m sort of guessing at this point) 8 bytes of data of the hex string… then you’ll want to remove that from the string and decrypt the remainder with that for your IV…
Sorry if it sounded like I was ruffling feathers, I really wasn’t.
But, now I’m curious: users are in OU=USR,DC=FURB,DC=BR - that has 17000 user. How could I filter just the 400 that I want?
Thanks!