Hashed passwords?

hello,

I'm sort of a newbie and need a little help. I really like the ease of install and set up of Jive Messenger; I got it up and running in minutes! I have a couple of questions:

  1. I notice that by default, passwords seem to be readily available in the /opt/jive_messenger/embedded-db/messenger.log file. Is there a way to have these encrypted, or at least hashed?

  2. I'm trying to migrate from a jabberd 1.4 install, so I have a number of username.xml files. Is there a way to migrate them to Jive Messenger?

Thanks,

Allan

Allan,

> I notice that by default, passwords seem to be readily available in the /opt/jive_messenger/embedded-db/messenger.log file. Is there a way to have these encrypted, or at least hashed?

Yes, this is true if you use the embedded database. Unfortunately, we can't hash the passwords as that would prevent us from supporting digest authentication. It would be possible to encrypt the passwords, but the decryption key would have to be stored somewhere, so this would really be a matter of obfuscation instead of security. Protecting the embedded-db directory with proper Unix permissions should provide good security for most users. Of course, you can enforce tighter security by using an external database.

> I'm trying to migrate from a jabberd 1.4 install, so I have a number of username.xml files. Is there a way to migrate them to Jive Messenger?

Nobody has created any conversion scripts yet, but that would be a great thing to have. We'd gladly help out anyone interested in working on this.

Regards,

Matt

> I'm trying to migrate from a jabberd 1.4 install, so I have a number of username.xml files. Is there a way to migrate them to Jive Messenger?

I actually created a program to parse out the xml files our old Jabber (Inc.) server was using. Of course, I can't seem to find the program now (should have put it into cvs) but I'm sure I could re-create it to work with the jabberd file structure. Let me know.

Thanks,

Ryan

If I used an external database would the password be hashed or encrypted, or would the tighter security just be the security that I could layer on the external DB?

> I actually created a program to parse out the xml files our old Jabber (Inc.) server was using. Of course, I can't seem to find the program now (should have put it into cvs) but I'm sure I could re-create it to work with the jabberd file structure. Let me know.

That would be quite useful. What would be great would be an XML file format for Jive Messenger that would be supported for import/export. That way, converters for other servers could be written to just create XML files that Messenger could read.

Regards,

Matt

> If I used an external database would the password be hashed or encrypted, or would the tighter security just be the security that I could layer on the external DB?

Yes, it's the security you would have in your external database. Alternatively, the user and authentication systems are totally pluggable. By implementing two Java interfaces, you can talk to any user/auth system that you'd like (existing database, etc). That means you could choose to store passwords in an encrypted/hashed state and only support certain auth mechanisms. We don't have a developer guide that explains this yet, but the Javadocs for these classes are quite good already.

Regards,

Matt

So it's clear that I'd need to implement AuthProvider. Is the second UserProvider?

Well, I'll tell you something. I'm not a programmer; I just wanna use the product. I'm drawn to it because of its ease to install and manage. One huge drawback is storing passwords in a readable format. For me, this is pretty important.

I'll keep my eyes on Jive Messenger, but for now, I guess I need to look at Jabberd 2. I was hoping to avoid it since it's a bit more complicated, but I need what I need.

Thanks for your help and PLEASE keep up the great work!

-Allan

Allan,

No server will provide better security unless:

  • It connects to some external service to get a decryption key at startup. I'm not sure what that service would be. Storing an encryption key with the server files or in the source code is simply obfuscation and not true security.

  • Digest authentication is disabled. However, this would mean passwords are sent as plain text over the network (unless SSL is being used).

Is there a reason you're worried about the passwords stored as plain text? The embedded-db directory should only be made readable by the Jive Messenger process. I think it's more of an appearance of a security issue vs an actual security issue.

Regards,

Matt
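The trade-off Matt describes in both of his replies (a server that stores plaintext can answer legacy jabber:iq:auth digest logins, a server that stores only a one-way hash cannot, and so must fall back to plaintext passwords on the wire, ideally under SSL) can be shown in a few lines. The following is an added illustration and is not code from Jive Messenger or from anyone in this thread. It assumes the XEP-0078 digest scheme (lowercase hex SHA-1 of the stream ID concatenated with the password) and uses a constructed user record and stream ID; the PBKDF2 store is one reasonable choice for a hashed backend, not something the thread specifies.

```python
import hashlib
import hmac
import os


def legacy_digest(stream_id: str, password: str) -> str:
    """jabber:iq:auth (XEP-0078) digest: SHA-1(stream_id + password), hex."""
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest()


class PlaintextStore:
    """Passwords kept as-is (what the embedded-db setup in the thread amounts to).

    Because the server holds the password itself, it can recompute the
    client's digest and therefore support both plain and digest auth.
    """

    def __init__(self):
        self._passwords = {}

    def add_user(self, username: str, password: str) -> None:
        self._passwords[username] = password

    def verify_plain(self, username: str, password: str) -> bool:
        stored = self._passwords.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))

    def verify_digest(self, username: str, stream_id: str, digest: str) -> bool:
        stored = self._passwords.get(username)
        if stored is None:
            return False
        expected = legacy_digest(stream_id, stored)
        return hmac.compare_digest(expected.encode("ascii"), digest.encode("ascii"))


class HashedStore:
    """Passwords kept as salt + PBKDF2-HMAC-SHA256 (an assumed, not thread-specified, choice).

    Only a one-way hash is on disk, so the server can check a plaintext
    password sent by the client but has no way to rebuild the stream-bound
    digest; digest auth must be disabled for this backend.
    """

    ITERATIONS = 100_000

    def __init__(self):
        self._records = {}

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.ITERATIONS)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[username] = (salt, self._derive(password, salt))

    def verify_plain(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            return False
        salt, stored_hash = record
        return hmac.compare_digest(stored_hash, self._derive(password, salt))

    def verify_digest(self, username: str, stream_id: str, digest: str) -> bool:
        # The digest is SHA-1(stream_id + password); recomputing it needs the
        # password, and a PBKDF2 hash cannot be inverted to obtain it.
        raise NotImplementedError("digest auth cannot be checked against a hashed password")


def supports_digest(store) -> bool:
    """Report whether a backend can serve digest auth at all (probe user is constructed)."""
    try:
        store.verify_digest("probe-user", "probe-stream-id", "0" * 40)
    except NotImplementedError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample data: one user, one stream ID handed out by the server.
    stream_id = "3EE948B0"
    plain, hashed = PlaintextStore(), HashedStore()
    for store in (plain, hashed):
        store.add_user("allan", "s3cret")
    print("plaintext store serves digest:", supports_digest(plain))   # True
    print("hashed store serves digest:", supports_digest(hashed))     # False
    print("digest login against plaintext store:",
          plain.verify_digest("allan", stream_id, legacy_digest(stream_id, "s3cret")))
```

The point for a deployer is the one Matt makes: with the hashed backend, `verify_plain` is the only check left, so the password itself crosses the network and SSL becomes the thing protecting it; with the plaintext backend, file permissions on the store are what protect it at rest. Neither option removes the need to guard one of the two places.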

As a follow-up, I looked into jabberd2 and it doesn't appear to solve this issue either.

Regards,

Matt

It is an appearance issue, and also a way for the admins not to accidentally glance and see people's passwords. As much as we would like to have different passwords for every system, that's not really feasible (I have over 100 places to enter a password!).

Right now I'm using jabberd 1.4 and with SSL and <mod_auth_crypt>./jsm/jsm.so</mod_auth_crypt> the passwords are hashed.

I would like to tie into LDAP for accounts and PAM for authentication. We use token cards for passwords and we have a PAM tie in. I think I can do this in jabberd2, but it will be a little work for me to figure it out.

Ultimately, I'm hoping that Apple solves all these problems for me with Tiger server. It's supposed to have a jabber compatible chat server built in. Since almost all the other services on Mac OS X server are kerberized, I'm hoping the chat server and iChat will be too. We'll just have to find a kerberized client for Windoz and *nix then.

http://www.apple.com/server/macosx/tiger/
