The guys over at the JAdmin group recommended using something called PAM-MySQL to encrypt passwords in the MySQL database. Is this something anyone here has ever tried? Is there a plugin already for Jive Messenger server? If anyone knows anything about this, any info would be greatly appreciated.
I’m not sure how this helps. This is not “encryption” but is hashing the password. That’s fine, but it means that only plain-text authentication can be used. That’s only secure if the client uses TLS/SSL to connect. Maybe we should just have an option that can be configured to store password hashes, but that forces plain-text auth in that case.
The hash is fine. I looked at the recommendation; however, I wouldn’t leave it as a second column. This still leaves the password there for viewing.
As for the SSL/TLS connect with plain text passwords, I have no problem with that. All clients are required to use SSL or the server denies the connection.
Realistically, how long does a proposal like JM-291 take to be implemented? I haven’t dealt with the development side of things a lot. And since it is a proposal, does that mean it may not be addressed for a while? Just curious.
Thanks for the additional info. It appears this will only work when using SASL MD5. Jive Messenger doesn’t currently support MD5, so this wouldn’t be possible right now. When we do have SASL support, we can revisit this issue.
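An added example, not part of the original thread and not Jive Messenger code, illustrating the point made above that storing only a password hash forces plain-text authentication. It assumes the non-plain mechanism is the XEP-0078 digest (hex SHA-1 of stream ID plus password) and uses PBKDF2 as the stored hash; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample values (not from the thread).
PASSWORD = "correct horse"
STREAM_ID = "3EE948B0"
ITERATIONS = 100_000  # assumed work factor for the stored hash


def make_record(password, salt=None):
    """What the server keeps when it stores only a salted hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_plain(record, presented):
    """Plain-text auth: the client sends the password (inside TLS) and the
    server re-hashes it with the stored salt and compares."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", presented.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def client_digest(stream_id, password):
    """Digest auth (XEP-0078): the client sends SHA1(stream_id + password)
    in hex, so the password itself never crosses the wire."""
    return hashlib.sha1((stream_id + password).encode()).hexdigest()


def verify_digest_with_plaintext(stream_id, stored_password, digest):
    """Digest verification works only if the server holds the clear password,
    because it must recompute the same SHA-1 over it."""
    expected = client_digest(stream_id, stored_password)
    return hmac.compare_digest(expected, digest)


def verify_digest_with_hash(stream_id, record, digest):
    """With only the salted hash on file, the server has no input that
    reproduces the client's digest; substituting the stored hash for the
    password yields a different value, so this check cannot succeed."""
    _, stored = record
    guess = hashlib.sha1(stream_id.encode() + stored).hexdigest()
    return hmac.compare_digest(guess, digest)
```

The same mismatch applies to any challenge-response scheme that is computed over the clear password, unless the stored value is exactly the intermediate that scheme defines.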