Hashed password authentication not possible?

Hi,

if I log into Jive Messenger (Beta2) with Tkabber as client I get the following message:

Warning: Remote server doesn't support hashed password authentication. Proceed with PLAINTEXT authentication? (Yes/No)

Is it true that Jive Messenger doesn't support hashed passwords?

Regards,

Frank

Frank,

I'm not sure why Tkabber would be having problems with digest mode. I just verified with Exodus that digest (hashing) authentication is working.

Regards,

Matt

Ah, good to know. I'll try to get some information from the Tkabber developers about that.

I've just got some information from Alexey (Tkabber developer), and he said that Tkabber asks the server about supported authentication options and the server replies only with and , for digest auth it should also reply with .

I've tried to log in from PSI with hashed passwords and also get a message that logins are not possible …

Is that a configuration issue for Jive Messenger?

Hey Frank,

Are you using LDAP for authentication? Messenger does not use digest when authenticating against LDAP. OTOH, if you are authenticating against the users in the DB then you should see the digest element in the reply.

Regards,

– Gato

Hi Gaston,

Yes, that's true, I'm using LDAP for authentication. Is there a reason for Messenger not using digest in conjunction with LDAP, or a way to enable more security?

Regards,

Frank

Frank,

The way we currently authenticate with LDAP is by initiating a session using the provided username and password. There is no special reason why digest is not being supported rather than not having enough time to implement it. If you are willing to implement it, we'd be more than happy to help.

Regards,

– Gato

Okay that makes sense to me now

I would like to implement it but I'm not a coder, I just try to implement a great Jabber environment for my company.

Maybe later after I got a Java course

Gato,

Actually, I'm not sure how we could implement digest auth for LDAP. We don't have access to the actual password value in LDAP so can't make the normal digest auth like we do when talking to the jiveUser table. One option might be SASL in LDAP. For example:

http://java.sun.com/products/jndi/saslmechs.html

-Matt
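
Why the stored password matters here, as an added example that is not part of the original posts or of Jive Messenger's code: in `jabber:iq:auth` digest mode the client sends the hex SHA-1 of the stream ID concatenated with the password, so the server can only check it by recomputing from the password itself. The `{SSHA}` directory entry, the stream IDs and the password below are constructed assumptions.

```python
import base64
import hashlib
import hmac
import os


def iq_auth_digest(stream_id: str, password: str) -> str:
    """Digest a jabber:iq:auth client sends: hex SHA-1 of stream ID + password."""
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest()


def verify_digest(stream_id: str, stored_secret: str, client_digest: str) -> bool:
    """DB-style check: recompute the digest from whatever the server has stored."""
    expected = iq_auth_digest(stream_id, stored_secret)
    return hmac.compare_digest(expected, client_digest)


def make_ssha(password: str, salt: bytes) -> str:
    """Salted directory hash: {SSHA} + base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_password_with_ssha(stored: str, password: str) -> bool:
    """Model of a bind: the directory checks a presented plaintext password."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    stream_id = "3EE948B0"       # constructed; the server issues one per stream
    password = "correct horse"   # constructed
    client_digest = iq_auth_digest(stream_id, password)
    ssha = make_ssha(password, os.urandom(8))  # assumed directory storage format
    return {
        # Password available to the server (DB case): digest verifies.
        "db_digest_ok": verify_digest(stream_id, password, client_digest),
        # Plaintext login handed to the directory (bind case): verifies.
        "ldap_bind_ok": verify_password_with_ssha(ssha, password),
        # Only a one-way hash available: the digest cannot be recomputed.
        "digest_against_hash": verify_digest(stream_id, ssha, client_digest),
        # The digest is bound to the stream ID, so it fails on another stream.
        "replay_on_new_stream": verify_digest("7F10C2AA", password, client_digest),
    }


if __name__ == "__main__":
    print(demo())
```
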

Matt,

I agree with the SASL idea. The option I was thinking of was to simulate the same logic we are using when authenticating with the DB.

That is, instead of authenticating trying to initiate a session with LDAP we could try using an already existent connection to LDAP (with some configurable user) and then keep the password as a value of the user in LDAP so that we can query that info (like we do in the DB option) using the existing connection.

– Gato

Gaston,

I've talked to our LDAP-administrator, he said that using such a configurable proxy-user could create a security hole because this user would have access to the passwords of all ldap-users …

Regards,

Frank

> I've talked to our LDAP-administrator, he said that using such a configurable proxy-user could create a security hole because this user would have access to the passwords of all ldap-users …

I don't think the user would need to have actual access to the password. They just need to be able to look up the name, display name, and email address for each user. This shouldn't cause any big security issues.

Regards,

Matt

> If you are willing to implement it, we'd be more than happy to help.

I would like to implement it, so where do I start?

Surely the change will require modifying not only the LdapAuthProvider class? I've been reading the source tree for some time now but your help would be appreciated.