PAM-MySQL Plugin?

Hi All,

The guys over at the JAdmin group recommended using something called PAM-MySQL to encrypt passwords in the MySQL database. Is this something anyone here has ever tried? Is there a plugin already for Jive Messenger server? If anyone knows anything about this, any info would be greatly appreciated.

Here is a link to PAM-MySQL: http://pam-mysql.sourceforge.net/

Best Regards,

Ken

Ken,

I'm not sure how this helps. This is not "encryption" but is hashing the password. That's fine, but it means that only plain-text authentication can be used. That's only secure if the client uses TLS/SSL to connect. Maybe we should just have an option that can be configured to store password hashes, but that forces plain-text auth in that case.

-Matt

Note, I created the following issue for this feature: JM-291.

Regards,

Matt

Hi Matt,

The hash is fine. I looked at the recommendation, however, I wouldn't leave it as a second column. This still leaves the password there for viewing.

As for the SSL/TLS connect with plain text passwords, I have no problem with that. All clients are required to use SSL or the server denies the connection.

Realistically, how long does a proposal like JM-291 take to be implemented? I haven't dealt with the development side of things a lot. And since it is a proposal, does that mean it may not be addressed for a while? Just curious.

Thanks,

Ken

One of the guys in JAdmin offered this solution. I don't know if it will help, but take a look and let me know.

START =============================

Like I mentioned before, for our implementation of the jabber server, our security policy stated that we needed encrypted passwords. I modified some of the jabberd2 code for MD5 digest authentication and MD5 hash storage of passwords. Basically, the password field then becomes md5(username:realm:password).

I created a patch that allowed this to work and posted it on http://www.marquard.net/jabber/ (patch 64).

Now this does become a hacked version of the jabber server, meaning not all functionality as far as authentication is working. Basically, you can only authenticate if your client supports md5 digest auth… Exodus as an example.

Again, this is not a very good solution for all situations, but for ours, it worked so I thought I would share.

END PASTE ============================

kwermann,

Thanks for the additional info. It appears this will only work when using SASL MD5. Jive Messenger doesn't currently support MD5, so this wouldn't be possible right now. When we do have SASL support, we can revisit this issue.

Regards,

Matt
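
The storage scheme discussed in this thread, as an added example that is not part of the original posts or of the jabberd2 patch: a server holding only md5(username:realm:password) can check both a plain-text login and a SASL DIGEST-MD5 response. It assumes the RFC 2831 response formula with qop=auth and no authzid, and a hex-encoded column; all function names and sample values are hypothetical.

```python
import hashlib
import hmac


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def stored_hash(username: str, realm: str, password: str) -> str:
    """Value kept in the password column: hex md5(username:realm:password)."""
    return md5(f"{username}:{realm}:{password}".encode()).hex()


def digest_response(stored_hex: str, nonce: str, cnonce: str,
                    nc: str, digest_uri: str) -> str:
    """DIGEST-MD5 response (qop=auth) derived from the stored hash alone."""
    # A1 starts with the raw 16-byte hash, so the password itself is not needed.
    a1 = bytes.fromhex(stored_hex) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd = f"{md5(a1).hex()}:{nonce}:{nc}:{cnonce}:auth:{md5(a2).hex()}"
    return md5(kd.encode()).hex()


def verify_digest(stored_hex: str, client_response: str, nonce: str,
                  cnonce: str, nc: str, digest_uri: str) -> bool:
    """Server side of a digest login: recompute and compare in constant time."""
    expected = digest_response(stored_hex, nonce, cnonce, nc, digest_uri)
    return hmac.compare_digest(expected, client_response)


def verify_plain(stored_hex: str, username: str, realm: str,
                 password: str) -> bool:
    """Server side of a plain-text login (only acceptable over TLS/SSL)."""
    candidate = stored_hash(username, realm, password)
    return hmac.compare_digest(stored_hex, candidate)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    user, realm, pw = "ken", "chat.example.org", "correct horse"
    nonce, cnonce, nc, uri = "srvNonce123", "cliNonce456", "00000001", "xmpp/chat.example.org"
    column = stored_hash(user, realm, pw)            # what the database holds
    response = digest_response(stored_hash(user, realm, pw), nonce, cnonce, nc, uri)
    print("digest ok:", verify_digest(column, response, nonce, cnonce, nc, uri))
    print("plain ok: ", verify_plain(column, user, realm, pw))
```

Because the response is computed from the stored value alone, that value acts as a credential for DIGEST-MD5 within its realm, so the column needs the same protection a password would.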