Hello Andris,

On Aug 4, 2011, at 15:22 , Andris Pavenis wrote:

> There is a note in TPluginApiAgent::CheckLogin() that plain text authentication
> is impossible when the plugin uses password verification type
> Password_MD5_Nonce_IN.
> 
> I guess it is still possible, as one has access to
> - user name
> - password
> - nonce value (it may however be queried at the beginning of the method)
> From these data one can generate MD5(MD5(user:pwd):nonce)
> to provide to the plugin for authentication. This situation is useful
> when the real authentication check is provided by another server outside
> the libsynthesis plugin and this server provides outside
> access to neither the password nor MD5(user:pwd).

Makes perfect sense. Thanks for the patch! Would you mind entering the 
contributor agreement (see explanation and link at 
http://www.synthesis.ch/indefero/index.php/p/libsynthesis/), so I can include 
the patch into the libsynthesis repo?

I don't recall why I decided to reject plain text auth with a DB that can check 
MD5+nonce when I wrote that code. Probably I didn't believe that clients would 
actually use plain text auth any more. But as you point out, using it is not 
completely insane if transport is always SSL (I hope it is, in case of that 
Funambol client?).

Still, I see no reason why any client should still use plain text. It's simply 
bad practice to transmit original secrets. Of course you can't intercept them 
from the SSL connection, but all layers of the software at the server end of 
the SSL connection will see and pass that secret around. That does not speak 
against your patch, of course!

> Attached is a very preliminary patch to include support
> for plain text login in this case. It does not check the config setting
> whether plain text authorisation should be allowed at all
> (plain text login is not such a bad evil in case of using SSL).

There's no need to check that in the plugin. Checking if plain text auth is 
allowed at all in the config is done in SyncSession for all types of DB 
backends (after asking the plugin - so even if the plugin says ok, but config 
disallows plain text, the login will be rejected).

> With this patch, authentication of the Funambol Android client
> from Android Market (which uses plain text login and XML)
> succeeded, even if this client still does not work with a
> libsynthesis based server (and it seems that I'll have to give
> up in my attempts to get it working).

:-( What kind of other obstacles did you run into with that client?

Best Regards,

Lukas


Lukas Zeller, plan44.ch
l...@plan44.ch - www.plan44.ch
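The derivation Andris describes above (a plugin that holds the plain text password, or only MD5(user:pwd), can itself compute MD5(MD5(user:pwd):nonce) and so verify a plain text login through the nonce-digest path), and Lukas's point that the server side never needs the original secret if it stores only MD5(user:pwd), can both be shown in a few lines. The following is an added example written for this thread; it is not code from libsynthesis or from the patch. It assumes the SyncML convention that the inner MD5 digest is base64-encoded before being joined with ":nonce" and that the outer digest is base64-encoded as well; a concrete plugin must match whatever encoding its server actually uses.

```python
import base64
import hashlib
import hmac
import secrets


def user_pw_digest(user: str, password: str) -> bytes:
    """MD5(user:pwd) as the raw 16-byte digest.

    This is the only credential material a verifier needs to keep; the
    plain text password itself never has to be stored or passed around.
    """
    return hashlib.md5(f"{user}:{password}".encode("utf-8")).digest()


def nonce_digest(user_pw: bytes, nonce: bytes) -> str:
    """MD5(b64(MD5(user:pwd)):nonce), base64-encoded.

    Encoding convention is an assumption (SyncML-style base64 of the inner
    digest); adjust to the server's actual convention if it differs.
    """
    inner = base64.b64encode(user_pw)
    outer = hashlib.md5(inner + b":" + nonce).digest()
    return base64.b64encode(outer).decode("ascii")


def client_auth_from_plain(user: str, password: str, nonce: bytes) -> str:
    """What a plugin does when it receives a plain text login but the DB
    only knows how to check the MD5+nonce form: derive the nonce digest
    from user, password and the current nonce, then hand that to the
    nonce-based check.
    """
    return nonce_digest(user_pw_digest(user, password), nonce)


def verify_nonce_login(stored_user_pw: bytes, nonce: bytes, presented: str) -> bool:
    """Nonce-based check: recompute the expected digest from the stored
    MD5(user:pwd) and the nonce issued for this session, and compare in
    constant time so the comparison itself leaks nothing.
    """
    expected = nonce_digest(stored_user_pw, nonce)
    return hmac.compare_digest(expected, presented)


def new_nonce(nbytes: int = 16) -> bytes:
    """A fresh per-session nonce; reusing nonces would let a captured
    digest be replayed, so each login attempt should get a new one."""
    return base64.b64encode(secrets.token_bytes(nbytes))


if __name__ == "__main__":
    # Constructed sample credentials, not real accounts.
    user, password = "alice", "correct horse battery"
    stored = user_pw_digest(user, password)   # server keeps only this
    nonce = new_nonce()

    # Plain text login arrives; plugin derives the nonce form and checks it.
    presented = client_auth_from_plain(user, password, nonce)
    print("plain text login accepted:", verify_nonce_login(stored, nonce, presented))

    # Wrong password, or a digest computed for an older nonce, is rejected.
    print("wrong password accepted:",
          verify_nonce_login(stored, nonce, client_auth_from_plain(user, "guess", nonce)))
    print("stale nonce accepted:",
          verify_nonce_login(stored, new_nonce(), presented))
```

Note that `verify_nonce_login` only ever touches the stored MD5(user:pwd), which is the property Lukas is after; the plain text password is handled solely inside `client_auth_from_plain`, the one place a plain text login forces it to exist.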


_______________________________________________
os-libsynthesis mailing list
os-libsynthesis@synthesis.ch
http://lists.synthesis.ch/mailman/listinfo/os-libsynthesis
