MD5 User Passwords

Heya All,

I'm trying to tie Jive Messenger into another database where the user account passwords are stored by md5 hashing the plain-text version – a fairly standard practice, or that's the impression I'm under. I'd rather not ever store users' passwords in plain-text, so I'm wondering how I'd go about integrating the two dbs. How hard would it be to modify the SQL queries used to authenticate users (mySQL db here)?

Any suggestions, comments, or pointers are greatly appreciated!

Cheers-

Austin

Austin,

This should be a pretty trivial integration. You just need to create your own implementations of AuthProvider and UserProvider and then register them in the messenger.xml file. Please check out the Javadocs and let us know if you have any questions.

Note: because you store the MD5, you probably can only support plain authentication and not digest.

Regards,

Matt

StringUtils.java in the source contains a method for hashing a string using MD5. I successfully enabled support for MD5 passwords by modifying the source as follows:


// open DefaultAuthProvider.java
// find
import org.jivesoftware.util.Log;
// after add
import org.jivesoftware.util.StringUtils;
// find
catch (StringprepException se) {
    throw new UnauthorizedException("Illegal username: " + se.getMessage());
}
// after add
password = StringUtils.hash(password);
// find
public boolean isDigestSupported() {
    return true;
}
// replace with
public boolean isDigestSupported() {
    return false;
}

// open DefaultUserProvider.java
// find
catch (UserNotFoundException unfe) {
    // The user doesn't already exist so we can create a new user
// after add
password = StringUtils.hash(password);
// find
public void setPassword(String username, String password) throws UserNotFoundException
{
// after add
password = StringUtils.hash(password);


I changed the class names to MD5AuthProvider and MD5UserProvider, compiled the source with Ant, added the new class files to messenger.jar, modified jive-messenger.xml, and it works perfectly.

p.s. This was the first time I ever used Ant to compile something. Lemme just say that I am impressed. Everything compiled in 39 seconds with absolutely no errors. I am going to start using Ant to compile packaged source, which has been a nightmare in the past.

First, let me start by sayin' thanks for the code for an AuthProvider with hashed passwords!

But now, you may think this sounds crazy, I'm stuck…for the life of me. I'm rather familiar with Apache's ant and have used it to build apps for multiple platforms using multiple versions of java; whatever was necessary. Weird thing is…I can't get ant to accept the local (non-root) installation of Java5 even though I've exported my environmental variables (JAVA_BINDIR, JAVA_HOME, JAVA_ROOT, JDK_HOME, JRE_HOME) to point at the Java5 installation under my home directory. Running java -showversion spits out what you'd expect – Java™ 2 Runtime Environment, Standard Edition (build 1.5.0_01-b08) – yet ant keeps resorting to the old 1.4.2, system-wide Java installation. I've Googled to no avail so, suggestions anyone? They're greatly appreciated!

Cheers-

Austin

If I'm not mistaken, the explanation from http://www.jguru.com/faq/view.jsp?EID=866498 says that I'm out of luck. Would you all concur? Thanks again.

Cheers-

Austin

Eh, just uninstall all of the jdk versions you have and delete their folders. Then remove everything from your classpath and path related to java. Restart your PC and reinstall jdk.

I installed jdk 1.5.0_01 in c:\jdk, jre in c:\jre, ant in c:\ant. I put c:\ant\bin and c:\jdk\bin in my path, and ., …, and c:\jre\lib in my classpath. I set java_home to c:\jdk and ant_home to c:\ant.

I then extracted the jive source to c:\jive. I put MD5AuthProvider in C:\jive\src\java\org\jivesoftware\messenger\auth and MD5UserProvider in C:\jive\src\java\org\jivesoftware\messenger\user. I went to c:\jive\build at the command prompt, typed ant, hit enter, and it all compiled.

If you're using 2k/xp, make sure you have your path, classpath, java_home, and ant_home variables in the system variables section, not the user variables section. That is all set by right-clicking my computer->properties->advanced->environment variables.

After you have compiled, simply put MD5AuthProvider.class in messenger.jar in org\jivesoftware\messenger\auth and MD5UserProvider.class in org\jivesoftware\messenger\user, then insert the following into jive-messenger.xml underneath the ldap example:

org.jivesoftware.messenger.user.MD5UserProvider

org.jivesoftware.messenger.auth.MD5AuthProvider

I'm completely new to jiveMessenger. I'm trying to add your changes and compile them for a friend, but I ran into the following problem. When I opened the DefaultAuthProvider.java file I was unable to find:

// find
catch (StringprepException se) {
    throw new UnauthorizedException("Illegal username: " + se.getMessage());
}

There isn't even the Illegal username message. Are there different versions of the source code? Is there something I have to do before completing your steps for adding encrypted passwords? Thank you for your time.

Hi Cooper,

The code you're looking for was factored out of the DefaultAuthProvider about three months back so if you're working with the latest Messenger source you won't be able to find it. However, you can probably still make the changes detailed above work, just in a slightly different place. Look for the line:

username = username.trim().toLowerCase();

in the authenticate() method (around line 42) and make the suggested changes below it.

Hope that helps,

Ryan

Hi xannonite:

In the DefaultUserProvider.java file, I cannot find:

// find
catch (UserNotFoundException unfe) {
    // The user doesn't already exist so we can create a new user

My Jive Server version is 2.1.5. Look at this thread: http://www.jivesoftware.org/forums/thread.jspa?threadID=14952&tstart=0

Thanks,

-Rosen

hi,

I'm using jive messenger 2.3.1 and I've applied the MD5 changes, because I need to synchronize the user-table of jive messenger with the user-table of another database. However, I've a little problem with it.

After installing the new messenger.jar (and changing the config-file) I have to use a MD5 encrypted password for the admin-user to access the admin-interface. But the user-passwords still need to be plain-text. If I for example try to connect with a native messenger client (e.g. with adium from mac os x) the connection only works when the passwords are stored in plain-text in the database.

So I've a working MD5 hash for the admin-interface, but the user-passwords still need to be plain-text for a messenger client to connect.

Any ideas? Many thanks in advance.

harald

I think I solved it myself:

I changed the return value of the method

supportsPasswordRetrieval()

in the UserProvider to 'false'.

Now login works with MD5 encrypted passwords for messenger clients, too.

I'm glad it works, jive messenger is really good software. Keep up the good work.

regards

harald

I've applied similar changes as above to version 2.6.1…I need MD5 passwds for auth with users whose passwords are already MD5.

I have the same issue, admin console login works with an MD5 password.

Jabber users however still don't work with an MD5 password.

Setting password retrieval to false gives an exception when you try to login, unsupported operation.

Anyone have any ideas? How is the authentication process different for users compared to admin console users?

Here's the error I get when a user attempts to login from the jabber client:

javax.security.sasl.SaslException: DIGEST-MD5: digest response format violation. Mismatched response.
    at com.sun.security.sasl.digest.DigestMD5Server.validateClientResponse(DigestMD5Server.java:606)
    at com.sun.security.sasl.digest.DigestMD5Server.evaluateResponse(DigestMD5Server.java:226)
    at org.jivesoftware.wildfire.net.SASLAuthentication.doHandshake(SASLAuthentication.java:204)
    at org.jivesoftware.wildfire.net.SocketReader.authenticateClient(SocketReader.java:317)
    at org.jivesoftware.wildfire.net.SocketReader.readStream(SocketReader.java:278)
    at org.jivesoftware.wildfire.net.SocketReader.run(SocketReader.java:119)
    at java.lang.Thread.run(Thread.java:595)

OK, well, according to http://www.jivesoftware.org/community/thread.jspa?messageID=111156 it's not possible with SASL.

"It seems to be a bit more complicated than to modify only setPassword. As far as I understand the code the client sends the 'username', a 'token' (the streamID) and a 'digest' (digest=hash(streamID, password)). Stream IDs are generated by the server and should be unique and random.

To verify the digest Wildfire reads the plaintext password and calculates the 'anticipatedDigest' (DefaultAuthProvider.java, line 76ff). If 'anticipatedDigest' == 'digest' then the client is authenticated.

Storing a hashed password (or salt and hashed password) should make it impossible to calculate 'anticipatedDigest'. …"
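The quoted explanation, together with Matt's earlier note that storing the MD5 leaves only plain authentication, comes down to one asymmetry: plain auth can hash the submitted password and compare, while a digest check must recompute anticipatedDigest from the plaintext. The sketch below is an added example, not code from this thread or from Jive Messenger; it models a toy UserProvider/AuthProvider pair, assumes StringUtils.hash() is a hex MD5, takes the digest as SHA-1 over streamID || password as in the jabber:iq:auth scheme, and uses constructed usernames, passwords and stream IDs.

```python
import hashlib
import secrets

def md5_hex(s: str) -> str:
    # Stand-in for Jive's StringUtils.hash(): hex MD5 of the UTF-8 bytes (assumed).
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def legacy_digest(stream_id: str, password: str) -> str:
    # What the quoted post calls hash(streamID, password): SHA-1 over streamID || password.
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest()

class UserStore:
    """Toy UserProvider: keeps either the plaintext password or only its MD5 hash."""
    def __init__(self, hashed: bool):
        self.hashed = hashed
        self.rows = {}  # constructed in-memory table: username -> stored value

    def set_password(self, username: str, password: str) -> None:
        # Mirrors the thread's setPassword() patch: hash before the row is written.
        self.rows[username] = md5_hex(password) if self.hashed else password

    def supports_password_retrieval(self) -> bool:
        # A hashed store cannot hand the plaintext back to the auth layer.
        return not self.hashed

class AuthProvider:
    """Toy AuthProvider: plain auth works against either store, digest only against plaintext."""
    def __init__(self, store: UserStore):
        self.store = store

    def is_digest_supported(self) -> bool:
        # Matt's point: with retrieval unsupported, digest must not be offered at all.
        return self.store.supports_password_retrieval()

    def authenticate_plain(self, username: str, password: str) -> bool:
        # Hash the submitted password the same way the row was written, then compare.
        stored = self.store.rows.get(username)
        if stored is None:
            return False
        candidate = md5_hex(password) if self.store.hashed else password
        return secrets.compare_digest(stored, candidate)

    def authenticate_digest(self, username: str, stream_id: str, digest: str) -> bool:
        # anticipatedDigest is recomputed from the plaintext; a hashed store cannot supply it,
        # so the server refuses rather than comparing against a value it cannot derive.
        if not self.is_digest_supported() or username not in self.store.rows:
            return False
        anticipated = legacy_digest(stream_id, self.store.rows[username])
        return secrets.compare_digest(anticipated, digest)
```

Both `authenticate_plain` calls succeed against the hashed store, but `authenticate_digest` only ever succeeds against the plaintext one, which is the behaviour harald and naisayer ran into.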

naisayer,

Make sure that your UserProvider implementation returns false for supportsPasswordRetrieval. When false, Wildfire won't offer MD5 as an authentication option.

Regards,

Matt