Problem with non-sasl authentication with openfire 4.7.5

Openfire
1

Hi guys. i have a problem with authenticating my clients after upgrading my openfire server.
Almost all users are using miranda im 0.7.8.0 clients (yes, very old but still)
For authentication I mainly use the NTLM plugin (SASL Mechanisms (JT)) by Norman Rasmussen, although very old, but it works stable.
The problem is the following - those clients whose computers for some reason are not in the domain are forced to use login/password (PLAIN) authentication. There are three mechanisms for this in the server settings in sasl.mechs - NTLM,PLAIN,ANONYMOUS. When trying to connect, the server transmits that it supports all these authentication mechanisms, but the client persistently tries to continue to connect via NTLM. As a result, an error occurs.

I wanted to go the other way, and authenticate these old clients via non-sasl. To do this I installed the non-sasl authentication plugin, however it does not work, on the client side I see the following.

There are no errors on the server side.

Earlier, before the update, on version 3.6.4 such authorization worked, but as far as I understand on version 4.1.0 it was abandoned. Apparently now the work of such authorization is supported only with a plugin, but it, as I wrote above, does not work. What can be done in this case?

3 
<stream:stream to="jabber.server" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" xml:lang="en" />
­
<iq type="get" id="mir_26">
<query xmlns="jabber:iq:auth">
<username>Andrei</username>
</query>
</iq>
­
<iq type="result" id="mir_26" from="rlspb-dc">
<query xmlns="jabber:iq:auth">
<username>Andrei</username>
<resource />
</query>
</iq>

log on non-sasl login attempt

4 
<stream:stream to="jabber.server" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" xml:lang="en" version="1.0" />
­
<stream:features>
<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
<mechanism>PLAIN</mechanism>
<mechanism>ANONYMOUS</mechanism>
<mechanism>NTLM</mechanism>
<mechanism>PADE</mechanism>
</mechanisms>
<compression xmlns="http://jabber.org/features/compress">
<method>zlib</method>
</compression>
<ver xmlns="urn:xmpp:features:rosterver" />
<auth xmlns="http://jabber.org/features/iq-auth" />
<c xmlns="http://jabber.org/protocol/caps" hash="sha-1" node="https://www.igniterealtime.org/projects/openfire/" ver="O72WixV/xBM0o/QUM2fOlv31qgM=" />
</stream:features>
­
<compress xmlns="http://jabber.org/protocol/compress">
<method>zlib</method>
</compress>
­
<compressed xmlns="http://jabber.org/protocol/compress" />
­
<stream:stream to="jabber.server" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" xml:lang="en" version="1.0" />
­
<stream:features>
<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
<mechanism>PLAIN</mechanism>
<mechanism>ANONYMOUS</mechanism>
<mechanism>NTLM</mechanism>
<mechanism>PADE</mechanism>
</mechanisms>
<ver xmlns="urn:xmpp:features:rosterver" />
<auth xmlns="http://jabber.org/features/iq-auth" />
<c xmlns="http://jabber.org/protocol/caps" hash="sha-1" node="https://www.igniterealtime.org/projects/openfire/" ver="O72WixV/xBM0o/QUM2fOlv31qgM=" />
</stream:features>
­
<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="NTLM"></auth>
­
<challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">=</challenge>
­
<response xmlns="urn:ietf:params:xml:ns:xmpp-sasl">TlRMTVNTUAABAAAAB7IIogYABgAzAAAACSDFGfgsfAKAGFKAAAAD1BDLTEwNjAyMzcxUlVTTEFC</response>
­
<challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">TlRMTVNTUAACAAAADAAMADgAAAAFgomi6XzHy2/hZ9wAAAAAAAAAALAAsABEAAAACgBjRQAAAA9SAFUAUwBMAEEAQgACAAwAUgBVAFMATABBAEIAAQAMAFIATABYAE0AUABQAAQAIgBvAGYAZgBpAGMAZQAuAHIAdQBzAGwAYQBiAC4AbwByAGcAAwAwAFIATABYAE0AUABQAC4AbwBmAGYAaQSDFGDFGGDFAcwBsAGEAYgAuAG8AcgBnAAUAIgBvAGYAZgBpAGMAZQAuAHIAdQBzAGwAYQBiAC4AbwByAGcABwAIAP1nr9EK5NoBAAAAAA==</challenge>
­
<response xmlns="urn:ietf:params:xml:ns:xmpp-sasl">TlRMTVNTUAADAAAAGAAYAJYAAAA0ATQBrgAAAAwADABYAAAAHAAcAGQAAAAWABYAgAAAAAAAAADiAQAABYKIogoAYUoAAAAPPhA0Pdpxdp/GVfs+8g6jR1IAVQBTAEwAQQBCAEEAbgBkAHIAZQBpAC4ATQB1AHoAYQBsAGUAdgBQAEMALQAxADAANgAwADIAMwA3ADEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAeudxyYuSydre2/qCDry9zAEBAAAAAAAA/Wev0Qrk2gENw376aDW7jwAAAAACAAwAUgBVAFMATABBAEIAAQAMAFIATABYAE0AUABQAAQAIgBvAGYAZgBpAGMAZQAuAHIAdQBzAGwAYQBiAC4AbwByAGcAAwAwAFIATABYAE0AUABQAC4AbwBmAGYAaQBjAGUALgByAHUAcwBsAGEAYgAuAG8AcgBnAAUAIgBvAGYAZgBpAGMAZQAuAHIAdQBzAGwAYQBiAC4AbwByAGcABwAIAP1nr9EK5NoBBgAEAAIAAAAIADAAMAAAAAAAAAABAAAAACAAAItah+p3Wvie1pPG7D8QtOpjMeHaZ6/92KMPBu3sij7XCgAQAAAAAAAAAAAAAAAAAAJAAAAAAAAAAAAAAA=</response>
­
<failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
<not-authorized />
</failure>

log when trying to log in plain

5

here is your hint. The auth mech was removed awhile back because it obsolete and not considered secure.
good news… @guus made a plugin that can restore Non-SASL Authentication.

6

I already have the plugin you mentioned installed, however nothing works.

изображение
изображение3272×273 62.5 KB

there’s something in the logs

2024.08.02 23:06:56 WARN [socket_c2s-thread-9]: org.jivesoftware.openfire.nio.ConnectionHandler - Closing connection due to exception in session: (0x0000714B: nio socket, server, null => 0.0.0.0/0.0.0.0:5222)
java.io.IOException: An existing connection was forcibly closed by the remote host
    at sun.nio.ch.SocketDispatcher.read0(Native Method) ~[?:1.8.0_202]
    at sun.nio.ch.SocketDispatcher.read(Unknown Source) ~[?:1.8.0_202]
    at sun.nio.ch.IOUtil.readIntoNativeBuffer(Unknown Source) ~[?:1.8.0_202]
    at sun.nio.ch.IOUtil.read(Unknown Source) ~[?:1.8.0_202]
    at sun.nio.ch.SocketChannelImpl.read(Unknown Source) ~[?:1.8.0_202]
    at org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:378) ~[mina-core-2.1.3.jar:?]
    at org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:47) ~[mina-core-2.1.3.jar:?]
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:519) ~[mina-core-2.1.3.jar:?]
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68) ~[mina-core-2.1.3.jar:?]
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1222) ~[mina-core-2.1.3.jar:?]
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1211) ~[mina-core-2.1.3.jar:?]
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683) ~[mina-core-2.1.3.jar:?]
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64) ~[mina-core-2.1.3.jar:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) ~[?:1.8.0_202]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) ~[?:1.8.0_202]
7 
2024.08.02 23:12:21 DEBUG [socket_c2s-thread-8]: org.jivesoftware.openfire.net.StanzaHandler - Closing session as an end-of-stream was received: LocalClientSession{address=rlspb-dc/3zvcogkzed, streamID=3zvcogkzed, status=1 (connected), isSecure=false, isDetached=false, serverName='rlspb-dc', isInitialized=false, hasAuthToken=false, peer address='client_ip', presence='
<presence type="unavailable"/>'}
2024.08.02 23:12:21 DEBUG [socket_c2s-thread-8]: org.jivesoftware.openfire.SessionManager - Closing session with address rlspb-dc/3zvcogkzed and streamID 3zvcogkzed does not have SM enabled.