Skip to content

Commit

Permalink
Disable SASL PLAIN authentication
Browse files Browse the repository at this point in the history 
This disables the PLAIN mechanism for SASL authentication which would
transmit a users password as plain text during. Instead only the
SCRAM-SHA-1 and SCRAM-SHA-1-PLUS mechanisms are supported now.

As SCRAM-SHA1 and SCRAM-SHA1-PLUS are mandatory to be supported by XMPP
clients and servers and were prioritised higher than the PLAIN mechansim
in the preference order by ejabberd before, this doesn't change how XMPP
clients connect, but avoids unintentional use of the PLAIN mechanism in
rare circumstances.

Please note that these changes only affect authentication of registered
users. During inband registration the password is still submitted in
plain text.
  • Loading branch information
@Dunedan
Dunedan committed Dec 7, 2023
1 parent 0c14e6f commit 5e4432a
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion roles/ejabberd/templates/ejabberd.yml.j2
View file
Original file line number Diff line number Diff line change
Expand Up @@ -130,7 +130,8 @@ acme:
## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
## password storage (see auth_password_format option).
disable_sasl_mechanisms:
- "digest-md5"
- "PLAIN"
- "DIGEST-MD5"
- "X-OAUTH2"

s2s_use_starttls: required
Expand Down

0 comments on commit 5e4432a

Please sign in to comment.