
mod_scram_upgrade - add example to config #4301

Open
licaon-kter opened this issue Oct 29, 2024 · 3 comments

Comments

@licaon-kter
Contributor

licaon-kter commented Oct 29, 2024

reading https://docs.ejabberd.im/admin/configuration/modules/#mod_scram_upgrade

and then reading https://docs.ejabberd.im/admin/configuration/toplevel/#auth_scram_hash I see

You shouldn’t change this if you already have passwords generated with a different algorithm - users that have such passwords will not be able to authenticate.

gets me confused

if auth_scram_hash's default value is sha, then how can I upgrade?

@badlop
Member

badlop commented Nov 7, 2024

The only thing I can say for sure is what I tried:

auth_scram_hash

You shouldn’t change this if you already have passwords generated with a different algorithm - users that have such passwords will not be able to authenticate.

If you set up auth_scram_hash: sha, start ejabberd and register some accounts, their passwords are stored in sha format.

If you then change to auth_scram_hash: sha256, restart ejabberd:

  • new accounts will have the password stored as sha256 and can login correctly
  • old accounts have the password still stored as sha. When ejabberd offers SCRAM-SHA-256 and the client provides a username+password in sha256, it cannot be authenticated.

I wonder how exactly mod_scram_upgrade is designed to be used in practice by an administrator, its use-case.

For example, let's imagine it's SHA-1 right now and SHA-256 is desired. With a configuration like this:

auth_password_format: scram
auth_scram_hash: sha

Then what should the admin setup?

A) Store new as sha, offer upgrade to sha256?

auth_password_format: scram
auth_scram_hash: sha

modules:
  mod_scram_upgrade:
    offered_upgrades:
      - sha256

B) Store the new as sha256, offer upgrade to sha256?

auth_password_format: scram
auth_scram_hash: sha256

modules:
  mod_scram_upgrade:
    offered_upgrades:
      - sha256

@prefiks any idea here?

I also wonder what clients already support XEP-0480 to test the feature
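As an added illustration (not code from the issue or from ejabberd) of why the stored hash matters in the two options above: a SCRAM credential is a per-hash StoredKey/ServerKey pair, so an account stored under sha cannot be checked by SCRAM-SHA-256 until a new record is derived from a SaltedPassword the client computes under sha256, which is the exchange mod_scram_upgrade offers via XEP-0480. The password, salt and AuthMessage are constructed sample values, and reusing the old salt and iteration count in the upgrade step is this example's simplification.

```python
import hashlib
import hmac

# Constructed sample inputs (not from the issue): a password, a salt, and a SCRAM AuthMessage.
PASSWORD = b"correct horse battery staple"
SALT = bytes.fromhex("4125c247e43ab1e93c6dff76")
ITERATIONS = 4096
AUTH_MESSAGE = (b"n=user,r=fyko+d2lbbFgONRv9qkxdawL,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,"
                b"s=QSXCR+Q6sek8bf92,i=4096,c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j")

def salted_password(password, salt, iterations, hash_name):
    """Hi() from RFC 5802: PBKDF2 with HMAC over the chosen hash."""
    return hashlib.pbkdf2_hmac(hash_name, password, salt, iterations)

def record_from_salted(salted, salt, iterations, hash_name):
    """Server-side record: StoredKey/ServerKey only, never the password. The hash is
    baked in, so a sha record cannot be turned into a sha256 record offline."""
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    server_key = hmac.new(salted, b"Server Key", hash_name).digest()
    stored_key = hashlib.new(hash_name, client_key).digest()
    return {"hash": hash_name, "salt": salt, "iterations": iterations,
            "stored_key": stored_key, "server_key": server_key}

def stored_credential(password, salt, iterations, hash_name):
    """What registration stores for the configured auth_scram_hash."""
    salted = salted_password(password, salt, iterations, hash_name)
    return record_from_salted(salted, salt, iterations, hash_name)

def client_proof(password, salt, iterations, hash_name, auth_message):
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = salted_password(password, salt, iterations, hash_name)
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    stored_key = hashlib.new(hash_name, client_key).digest()
    client_sig = hmac.new(stored_key, auth_message, hash_name).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))

def verify(record, proof, auth_message, mechanism_hash):
    """Server side. A record can only check proofs for its own hash, which is why old
    sha accounts fail once SCRAM-SHA-256 is negotiated."""
    if mechanism_hash != record["hash"]:
        return False
    client_sig = hmac.new(record["stored_key"], auth_message, mechanism_hash).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    return hmac.compare_digest(hashlib.new(mechanism_hash, client_key).digest(), record["stored_key"])

def upgrade_record(record, new_salted, new_hash):
    """Step mod_scram_upgrade enables (XEP-0480, simplified): the logged-in client derives
    SaltedPassword under the offered hash and sends it; the server derives a new record.
    Reusing the old salt/iterations is this example's assumption, not the XEP's rule."""
    return record_from_salted(new_salted, record["salt"], record["iterations"], new_hash)
```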

@Neustradamus
Contributor

Currently, I know Monal IM which supports it:

It has been requested for XMPP Clients:

It has been requested for XMPP Library:

It has been requested for XMPP Server:

XEP-0480 is linked to this @tmolitor-stud-tu initial request:

@tmolitor-stud-tu

@badlop I guess it is option B) Store the new as sha256, offer upgrade to sha256?
