powered by Jive Software

Custom MySQL db. User Authentication SHA1 and salt!

So I have a webapp with a large user database that I would like to use as my user database for Openfire.

For security reasons I store the user’s passwords as encrypted with a salt value.

username

crypted_password

salt

user

03a7fb408d1845875966bb417872fa920f2980e7

cb4f4f665bf68a8e06288dce0b789053621be21d

Authentication occurs by doing something like so:

sha1( submitted_password + salt) == crypted_password

is there an easy way to integrate this scheme into the openfire custom database impelemenation?

Thanks!

1 Like

I should also mention is there somewhere I can track down the way the encrypted password is created?

(I’m pretty new to openfire BTW)

Hi Mike,

one needs to patch or update the jdbc auth provider to do this. It should not be to hard to add there the option for a “salt” property. There is JiveSoftware and there are some freelancer coders (or maybe even you) who can do this.

I don’t think that the new code will be included in Openfire as such an authentication is very rare and thus hard to test and maintain.

LG

Yep after bouncing around a bit I figured as much, I’ve already mucked around in the code a bit and I think I’m close.

I wouldn’t say this is too far of an edge case though, using hashes with individual salt values is pretty much state of the art for web applications.

http://www.codinghorror.com/blog/archives/000953.html

Did you ever get a solution for this? I’m dealing with the same thing trying to integrate a rails app I have with openfire.

I had the same problem trying to get this working with my Rails app. I am using the restful authentication plugin, and it turns out they hash the password like so: “saltpassword–”. I hacked the JDBCAuthProvider class to have another PasswordType called sha1salt that would work for restful authentication.

In my openfire.xml file I have:

<jdbcAuthProvider>

<passwordSQL>SELECT crypted_password, salt FROM users WHERE login=? LIMIT 1</passwordSQL>

<passwordType>sha1salt</passwordType>

</jdbcAuthProvider>

Now I am not really a java programmer so I am sure this code is ugly, but it appears to be working nicely for me. Download the source code and replace openfire_src/src/java/org/jivesoftware/openfire/auth/JDBCAuthProvider.java with the one I have attached and then compile it.

I hope this can be of use for you!

-Dan

1 Like

Thanks for your work, I have adjusted it a bit.

Furthermore I added some new options.

ExtendedJDBCAuthProvider

This class allows you to check the credentials against the external database (JDBCAuthProvider) and the internal database (DefaultAuthProvider).

The following settings activate the extended authentication.

<extJdbcAuthProvider>
  <multiSource>true</multiSource>
</extJdbcAuthProvider>

SaltingJDBCAuthProvider

This class delievers options to salt your hashes and check them against an external database (ExtendedJDBCAuthProvider -> JDBCAuthProvider).

The following settings activate the salted authentication.

<saltJdbcAuthProvider>
  <saltSQL>SELECT salt FROM user_account WHERE username=?</saltSQL>
  <saltPosition>before</saltPosition>
  <doubleHashed>true</doubleHashed>
</saltJdbcAuthProvider>

You can set the saltPosition setting (before and after), which defines where the salt will be inserted.

Additional you can set the doubleHashed setting, which activates the hashing of the password before adding the salt.

A full setup can look like the following:

<jive>
  ...
  <provider>
    <auth>
      <className>org.jivesoftware.openfire.auth.SaltingJDBCAuthProvider</className>
    </auth>
  </provider>
  <jdbcAuthProvider>
    <passwordSQL>SELECT password FROM user_account WHERE username=?</passwordSQL>
    <passwordType>plain</passwordType>
   </jdbcAuthProvider>
  <extJdbcAuthProvider>
    <multiSource>true</multiSource>
  </extJdbcAuthProvider>
  <saltJdbcAuthProvider>
    <saltSQL>SELECT salt FROM user_account WHERE username=?</saltSQL>
    <saltPosition>before</saltPosition>
    <doubleHashed>true</doubleHashed>
  </saltJdbcAuthProvider>
   ...
</jive>

Please note, that you have to adjust your settings explained in the database integration guide (http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/db-integ ration-guide.html).

1 Like

CShulz,

I was wondering if you could help me implement your salt+sha1 work. I have downloaded the your files and the Openfire source files to my server. I then copied your files into the “trunk/src/java/org/jivesoftware/openfire/auth” folder and built the source with “ant openfire.” I am not sure where I go from here. What do I need to do to take what I have done and update the Openfire server installation that I already have on the server? I shut down the original Openfire server and then I ran the openfire.sh file in the source build, however that runs locally and not at the server address. Do I need to modify something else so that the source build runs on the server (i.e. the admin console is accessible via a browser)?

Thanks for the help.

Okay, scratch all of that up to it being a long day. I was able to get the new setup running. However, I am struggling to wrap my head around the ofProperties settings and the SQL commands. Right now, our DB passwords are stored in the table “auth_user” under the column “password”. The values within the password are sha1$salt$hash. I am not sure what part of the password I should be sending to the SQL code you have. I have cut out the salt part and set that to “salt” under the saltJdbcAuthProvider.saltSQL and then cut and set the hash part to “password” under the jdbcAuthProvider.passwordSQL, with no success. I then thought that your code might want the salt prepended to the hash, so I cut the salt and hash and concatenated salt to the front of hash, and that did not seem to work either. I did notice that with either method I was not getting any errors from Openfire/SQL, only from my program saying that the proivded credentials were not authorized.

Also, I have set jdbcAuthProivder.passwordType to sha1 instead of your use of plain text. What am I doing wrong?

Thanks.

Nevermind, I was able to get it working.

Hey here from 2017 I have the same problem and I wanted to use your code but can’t find a link to it on the forum.