[JDEV] Passwords, zero-K and storage

2001-06-15 Thread DJ Adams

Hi all

there was a question in the jdev room about how to avoid storing usernames
and passwords in the .xml files on the server.[1] 

I blurted out 'zero-K!' for half the answer - a way of "removing the 
liability of storing password on the server"[2]. This was followed by
another answer a couple of mins later which contradicted me. I tried
it out on my server, and sure enough, even when the mod_auth_plain and
mod_auth_digest modules were commented out of JSM's load list, a password
in plain text was stored on the server as well as the zero-K stuff. 

Hmmm, I thought. And went about my business, sheepishly. But this 
contradiction played on my mind, until such time as now where it has
forced me out of bed to check it out. 

The reason why this is the case (plaintext password stored despite 
only using the zero-K auth module) is because of mod_register, which
stores the password, in the NS_AUTH space, when a user registers, 
regardless of what its fellow e_REGISTER event handlers (mod_auth_plain
and mod_auth_0k [3]) are designed to do, or so it seems. 

Here's the relevant bit in mod_auth_plain:

int mod_auth_plain_reset(mapi m, jid id, xmlnode pass)
{
    log_debug("mod_auth_plain","resetting password");
    if(xmlnode_get_data(pass) == NULL) return 1;

    xmlnode_put_attrib(pass,"xmlns",NS_AUTH);
    return xdb_set(m->si->xc, jid_user(id), NS_AUTH, pass);   /* <-- */
}

and here's the relevant bit in mod_auth_0k:

int mod_auth_0k_reset(mapi m, jid id, xmlnode xpass)

...

    }else{ /* make them exist with an empty password */
        log_debug(ZONE,"NS_AUTH check - user DOES NOT exist");
        x = xmlnode_new_tag_pool(xmlnode_pool(xpass),"password");
        xmlnode_put_attrib(x,"xmlns",NS_AUTH);
        if(xdb_set(m->si->xc, jid_user(id), NS_AUTH, x))  /* <-- */
            return 1; /* uhoh */
    }

Both store a password (plaintext, or empty, respectively) in NS_AUTH space.

So mod_register doesn't need to - and even if it were to, how would it
know about the existence (or not) of mod_auth_plain or mod_auth_0k, i.e.
how could it know about whether to store a plaintext or an empty 
password? It doesn't, and goes ahead and does the former:

mreturn mod_register_new(mapi m, void *arg)

...

        /* try to save the auth data */
        if(xdb_set(m->si->xc, jid_user(m->packet->to), NS_AUTH,
                   xmlnode_get_tag(m->packet->iq,"password")))   /* <-- */
        {
            jutil_error(m->packet->x, TERROR_FORBIDDEN);
            break;
        }
 
I'm aware of other related issues regarding existence checks for users,
but am trying to keep them separate from what I see as a bit of an
issue with server-side password storage and administrator expectations.

Anyway, I would suggest that the snippet of code in mod_register_new()
shown above is both redundant and wrong, and should be removed. The 
purpose of this code is served by mod_auth_plain and / or mod_auth_0k.

Of course, I'm ready to be contradicted again; I'd like to hear what
others think. I've tried this out (removing the snippet) on my test
server and it solves the problem and doesn't cause any others, as far
as my minimal testing has shown.

What do you think?

dj


[1] http://perl.jabber.org/logs/conference.jabber.org/jdev/2001-06-12.html
at around 13:16pm

[2] http://docs.jabber.org/draft-proto/html/zerok.html

[3] and mod_last too, but this doesn't count here
___
jdev mailing list
[EMAIL PROTECTED]
http://mailman.jabber.org/listinfo/jdev
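
An administrator who expects zero-K-only storage can check the spool for the situation described in the message above. This audit script is an added example, not part of the original post or of the jabberd source. The namespace strings used for NS_AUTH and the zero-K space, the `<xdb>` file layout and the sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumed namespace strings behind the NS_AUTH and zero-K storage spaces.
NS_AUTH = "jabber:iq:auth"
NS_AUTH_0K = "jabber:iq:auth:0k"

# Constructed sample spool documents (layout assumed, all values invented).
SAMPLE_BOTH = (
    "<xdb>"
    "<password xmlns='jabber:iq:auth'>s3cret</password>"
    "<zerok xmlns='jabber:iq:auth:0k'>"
    "<hash>0f3a9c</hash><token>3b1e</token><sequence>499</sequence>"
    "</zerok>"
    "</xdb>"
)
SAMPLE_0K_ONLY = (
    "<xdb>"
    "<password xmlns='jabber:iq:auth'/>"
    "<zerok xmlns='jabber:iq:auth:0k'>"
    "<hash>77d2e1</hash><token>9a40</token><sequence>499</sequence>"
    "</zerok>"
    "</xdb>"
)
SAMPLE_PLAIN = "<xdb><password xmlns='jabber:iq:auth'>hunter2</password></xdb>"


def classify_user_xml(data):
    """Say what kind of auth data one user's spool document holds.

    Accepts str or bytes. The password value is never returned or printed.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return "unparseable"
    has_plain = has_0k = False
    for el in root.iter():
        if el.tag == "{%s}password" % NS_AUTH:
            # An empty element is what mod_auth_0k writes; only text counts.
            if (el.text or "").strip():
                has_plain = True
        elif el.tag.startswith("{%s}" % NS_AUTH_0K):
            has_0k = True
    if has_plain and has_0k:
        return "plaintext+0k"   # the case reported in the post
    if has_plain:
        return "plaintext"
    if has_0k:
        return "0k-only"
    return "no-auth-data"


def audit_spool(spool_dir):
    """Map each *.xml file under spool_dir to its classification."""
    report = {}
    for path in sorted(Path(spool_dir).rglob("*.xml")):
        name = path.relative_to(spool_dir).as_posix()
        report[name] = classify_user_xml(path.read_bytes())
    return report


def exposed_accounts(report):
    """Files that still hold a recoverable password."""
    return sorted(f for f, verdict in report.items()
                  if verdict.startswith("plaintext"))


if __name__ == "__main__":
    import sys
    for name in exposed_accounts(audit_spool(sys.argv[1])):
        print(name)
```

Run it against a copy of the spool directory; any file it lists still holds a password that can be read straight from disk.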



Re: [JDEV] JabWiki Up for comments

2001-06-15 Thread Peter Saint-Andre

Wiki rocks! Thanks, Harold, for putting this together. :)

On Thu, 14 Jun 2001, Harold E. Gottschalk Jr. wrote:

> I have JabWiki up and running for comments.  Please review the site
> http://jab.sirlabs.com/jabwiki/.
> 
> What I would like comments on are the topics in the Jabelin area and the
> Foundation Area.  These Areas can be customized to suit our needs, the
> Foundation Area can be set up to handle Jig(s) and Jep(s).
> 
> Please let me know what you think and would like.
> 
> Thanks
> heg
> 
> Sorry for the multiple post.
> 




Re: [JDEV] Yahoo transport problem

2001-06-15 Thread Ron Smits

Kevin Limperos wrote:

There is a new version of yahoo-transport in cvs that fixed it, thanks 
to x-virge and TSBandit for picking it up when I had to resort to gdb to 
find the \006 :)

Ron





[JDEV] Yahoo transport problem

2001-06-15 Thread Kevin Limperos

Hi,
Yesterday I noticed a problem with the Yahoo transport, which I had been 
running for over 2 weeks. It decided to stop sending messages back to 
WinJab from Yahoo clients - although WinJab could still send outbound 
messages. Could this be due to a Yahoo protocol change, since it seems to 
correspond with the release of a new Yahoo Messenger client? If so, is 
there/will there be a new version of the Yahoo transport available soon? 
Thank you.

Kevin Limperos


Log excerpt from Yahoo transport follows:
---
Thu Jun 14 17:20:23 2001  yahoo Received packet:
Thu Jun 14 17:20:23 2001  yahoo Service = (6) Message
Thu Jun 14 17:20:23 2001  yahoo Real ID = komnipod
Thu Jun 14 17:20:23 2001  yahoo Active ID = komnipod
Thu Jun 14 17:20:23 2001  yahoo Connection ID = 6889769D
Thu Jun 14 17:20:23 2001  yahoo Magic ID = 6D22
Thu Jun 14 17:20:23 2001  yahoo Unknown Flag 1 = 86D46AC7
Thu Jun 14 17:20:23 2001  yahoo Message Type = 1
Thu Jun 14 17:20:23 2001  yahoo Raw Content = komnipod,,nachos!^F
Thu Jun 14 17:20:23 2001  deliver.c:460 DELIVER 1:themonitor.omnipod.com nachos!^F
Thu Jun 14 17:20:23 2001  deliver.c:649 delivering to instance 'yahoolinker'
Thu Jun 14 17:20:23 2001  mio.c:908 mio_write called on x: 81752B8 buffer: (null)
Thu Jun 14 17:20:23 2001  mio.c:268 write_dump writing data: nachos!^F
Thu Jun 14 17:20:23 2001  mio.c:698 MIO read from socket 5: Invalid XML
Thu Jun 14 17:20:23 2001  base_connect.c:118 process XML: m:81751C8 state:3, arg:80C19B8, x:8178548
Thu Jun 14 17:20:23 2001  log.c:105 Packet Delivery Failed, invalid packet, dropping Invalid XML
Thu Jun 14 17:20:23 2001  deliver.c:460 DELIVER 3:-internal Packet Delivery Failed, invalid packet, dropping Invalid XML
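
The log above shows message text ending in the control character 0x06 (`^F`) being written into the XML stream and rejected as invalid XML. The following added example, which is not the transport's code and not the fix that went into CVS, shows why that byte breaks the stanza and one way a gateway can make foreign-protocol text safe to embed. The function names and the JID are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Characters outside the XML 1.0 "Char" production: C0 controls other than
# TAB, LF and CR, plus surrogates and U+FFFE/U+FFFF.
_ILLEGAL_XML_CHARS = re.compile(
    r"[\x00-\x08\x0b\x0c\x0e-\x1f\ud800-\udfff\ufffe\uffff]"
)

# Constructed from the "Raw Content" line in the log: text ending in 0x06.
RAW_YAHOO_TEXT = "nachos!\x06"


def xml_safe_text(raw):
    """Drop characters XML 1.0 cannot carry, then escape markup characters."""
    return escape(_ILLEGAL_XML_CHARS.sub("", raw))


def naive_message(to_jid, body):
    """Hypothetical builder that pastes untrusted text in unchanged."""
    return "<message to='%s'><body>%s</body></message>" % (to_jid, body)


def safe_message(to_jid, body):
    """Hypothetical builder that filters and escapes before embedding."""
    return "<message to='%s'><body>%s</body></message>" % (
        escape(to_jid, {"'": "&apos;"}), xml_safe_text(body))


def is_well_formed(stanza):
    """True if a conforming XML parser accepts the stanza."""
    try:
        ET.fromstring(stanza)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    jid = "user@example.org"  # constructed address
    print("naive :", is_well_formed(naive_message(jid, RAW_YAHOO_TEXT)))
    print("safe  :", is_well_formed(safe_message(jid, RAW_YAHOO_TEXT)))
```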




[JDEV] RE: [jabber-win32-server] GSETSS Site

2001-06-15 Thread Jim Powell

My office is moved, all of the servers are back up.  I will try to get the
win32 server back online tomorrow.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
Behalf Of Powell, Jim (EER)
Sent: Thursday, June 14, 2001 12:49 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [jabber-win32-server] GSETSS Site

The GSETSS set of Win32 Jabber Server Development servers (which includes
the http site, the ftp site, the internal mail list, and the shared folders)
will be down for approximately 24 hrs during a move.  My landlord decided
not to pay his mortgage, so I am in the process of moving to a new office,
which actually works better for the local employees.  The site should be
back up no later than 1700 PT Friday June 15, and probably sooner.

For those of you that are unaware of the development status, we currently
have a Jabber Server which runs under Cygwin, for which the transports are
being ported.  I personally am working on a MingW port which will run
"native" (meaning no extra shell required) under win32 (I am using Dev-C++,
an opensource IDE for the MingW compiler).  Once that is running the win32
team will begin looking at a true native port of the Jabber Server which
will compile and run using Win32 specific compilers (C++ Builder, Visual
C++, etc).


Jim Powell
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Owner
Gemstar Software & Engineering Technical Support Services
___
Win32-server mailing list
[EMAIL PROTECTED]
http://mailman.jabber.org/listinfo/win32-server





[JDEV] Jablient is up on jabWiki

2001-06-15 Thread Harold E. Gottschalk Jr.



I have set up a jabber client area on Jabwiki and have named it Jablient.
 
heg


[JDEV] JabWiki is for Clients Also

2001-06-15 Thread Harold E. Gottschalk Jr.

sek,
Client development can be supported also or any other area of interest.  We
just need to set up an area for that, not a problem.
heg


>Hi,
>Would this be a place to share ideas on client development?
>Or just server development?
>-sek




RE: [JDEV] Patch for Jabber Server v1.4

2001-06-15 Thread Matt Diez





I'm not sure as to how opposed you are to running 
Java as part of your server setup, but you might
also consider trying out xdb_java (http://www.sf.net/projects/xdbjava)
as a bridge between MS SQL Server 2000 and Jabber.


Of course, I haven't tried it with SQL Server yet,
but I have it running currently with PostgreSQL and
DB2.


If you could give it a shot, I'd be highly appreciative,
particularly if you meet with success.


Matthew D. Diez
[EMAIL PROTECTED]


-Original Message-
From: Aurélien Gâteau [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 15, 2001 4:37 AM
To: [EMAIL PROTECTED]
Subject: [JDEV] Patch for Jabber Server v1.4



Hi !


I'm pretty new to this list (I just subscribed five minutes ago :o), so please tell me if I don't do everything as I should.

My company is developing a peer-to-peer application for genealogists and we are in the process of adding support for 
Instant Messaging, thanks to Jabber.


Our server is running MS SQL Server 2000. As it doesn't seem possible to get Jabber use a SQL Server database for 
users yet, we decided to create/update/delete users on Jabber whenever the SQL Server database was modified. I 
created a tool to register user on the Jabber server when such changes happened and a tool to automatically recreate 
Jabber users from the SQL Server users to get the existing users up to date and to be able to resynchronize Jabber in 
case anything bad happens... 
This tool was often getting connection limited by the Jabber server. Therefore I modified the server to allow bypassing 
Karma for a specific address. In the xml config file, you need to do something like this :

...
  
...
    
  12.13.14.15
...
    
...
  
...



It's a little rough right now (no multiple IP or masks) but it seems to work well.
Could you tell me what you think about it ?


Regards,
  Aurelien





[JDEV] Re: Re: [jadmin] DNS

2001-06-15 Thread Maciek Borowka

Is it possible to actually have a transport on another machine than
the jabber server?
like that:
foo.com -> 192.168.1.1
icq.foo.com -> 192.162.1.2

/Maciek

On Fri, 15 Jun 2001 08:06:51 -0400, Mike Rambo <[EMAIL PROTECTED]> 
wrote :

> Assume your Jabber server is named jabber.domain.tld.
> 
> Obviously the machine name itself resolves to that IP - but each
> transport you use must also resolve to the same IP like:
> 
> aim.jabber.domain.tld (if you use aim transport)
> msn.jabber.domain.tld (if you use msn transport)
> 
> etc. etc.
> 
> I think the recommendation is to just use 'A' records to resolve those
> names to IP's rather than CNAME's.
> 
> Once DNS is set up, nslookup should return the address of your server
> for not only the server name itself, but also for the server name with
> each jabber transport you choose to use prepended (if that's a real
> word ;-) as shown above.
> 
> 
> -- 
> Mike Rambo
> [EMAIL PROTECTED]
> 
> 
> Adam Theo wrote:
> > 
> > hello, all.
> > 
> > i understand i do not need root access for the jabber 1.4.1 server, and
> > i understand how to set it up, except i want, *need* to make absolutely
> > sure of what i need the DNS info to be. you see, i am on a virtual host,
> > and although i can have the DNS info of my account changed, it will cost
> > me a bit. so instead of spending $$ to have it changed, just to find out
> > i had it done incorrectly, will, well, suck.
> > 
> > so, please, if someone can humour me and explain as detailed as possible
> > exactly what i will need to do to the DNS info, from beginning to end, i
> > would greatly appreciate it.
> > 
> > if i can get this server running, i will gladly contribute it to the
> > jabber community as another server for users to have accounts on. a
> > public server. i will also be using it to do a *bit* of experimenting
> > on, but really what i have in mind shouldn't affect the performance or
> > reliability of the server or system itself, so you can consider it a
> > stable server focused on reliability.
> > 
> > thanks all.
> > 







Re: [JDEV] Patch for Jabber Server v1.4

2001-06-15 Thread Gerard BUNEL



Aurélien Gâteau wrote:

> >You could have used a modified version of xdb_sql so that your users should be retrieved from your SQL Server.
> >Modified in the sense that it actually uses specific SQL tables. You should modify the SQL requests to match your
> >own tables.
>
> Do you mean that the only change I need to apply is the name of the table ? I just looked at it and it seems that for now
> it only supports PostGres or MySQL. It's an interesting idea, anyway, I might try to add support for ODBC (Do you know
> good ODBC libraries for Linux ?)
>

Probably not only the table names but also Column names and relations between tables.
Yes, you're right about drivers, it currently does not support SQL Server.
I know about a unix ODBC port, simply called unixODBC.
You should find it at http://www.unixODBC.org/

Gerard

>
> Regards,
>   Aurélien
>

--
[EMAIL PROTECTED] - Atlantide - http://www.ago.fr/atlantide/
Technopole Brest Iroise BP 80802 - Site du Vernis - 29608 Brest cedex - France
Tel. : +33 2 98 05 43 21 - Fax. : +33 2 98 05 20 34
e-mail: [EMAIL PROTECTED]
Centre Affaires Oberthur - 74D, rue de Paris -  35700 Rennes - France
Tel. : +33 2 99 84 15 84 - Fax : +33 2 99 84 15 85
e-mail: [EMAIL PROTECTED]





Re: [JDEV] Patch for Jabber Server v1.4

2001-06-15 Thread Aurélien Gâteau

>You could have used a modified version of xdb_sql so that your users should be retrieved from your SQL Server.
>Modified in the sense that it actually uses specific SQL tables. You should modify the SQL requests to match your
>own tables.

Do you mean that the only change I need to apply is the name of the table ? I just looked at it and it seems that for now 
it only supports PostGres or MySQL. It's an interesting idea, anyway, I might try to add support for ODBC (Do you know 
good ODBC libraries for Linux ?)

Regards,
  Aurélien




Re: [JDEV] Developing a Jabber-Based application

2001-06-15 Thread Adam Theo

the online games idea:

yes, i agree with you, mr sietsma. i had been thinking an online game 
application using jabber for communication would be excellent. i doubt 
there would be able to be any one spec or application that could 
provide a framework for all or even most types of simple interactive 
games, but jabber spec should provide a new tag (other than having to 
use message), better yet, a new type of message ("interface" or 
something like that for example.). such a new feature would act as a 
'namespace', to allow third parties to insert their own specs and 
interfaces into a jabber message.

the first thing i guess would be to allow forms in a jabber message. 
that would take a huge step towards it, and may even provide that 
universal framework. if a game manager could set up a set of 'jabber 
forms' templates to send out as messages in a jabber message, the gamers 
could use it to reply to their game moves, actions, etc. the forms 
values could then be processed either manually by the moderator, or 
automatically by a game server.

i was thinking of something similar b/c i have out on my list of "1 to 2 
year future plans" list a system that ran on jabber to run detailed, 
multi-player "risk/axis and allies" style games.

i would like to work with anyone else on this project, but i would not 
be able to start any time soon, since i have way too many things on my 
plate as it is. if anyone wants to help me work on this jabber games 
project, you will first have to help me on my other projects  :)

i am trying to start up a couple of mailing lists, and promoting them is 
taking up a good chunk of my time. one is the Theoretic Bazaar 
(http://www.theoretic.com/bazaar), a mailing list to help educate 
"newbies" to open source software. it is mostly intended for end users 
(*individuals and businesses alike), but also is open to developers, as 
long as they have some questions about open source in general and want 
to know how it can benefit them. the other is Theoretic Cauldron 
(http://www.theoretic.com/cauldron), a mailing list to explore ways for 
developers of open source to prosper off of their work.

i also have two time related utility programs, both in Perl, and use XML 
(two of my favorite computer languages). one is an alarm clock program 
(http://www.theoretic.com/alarm), which i have big plans for, and whose 
ideas i have for it will take it quite beyond what it is now. and also a 
timer/stopwatch program (http://www.theoretic.com/timer) which basically 
counts up or down from a set time. yeah, a stop watch/egg timer program  
:). both of them are simple at the moment, but i have grand plans and 
ideas for them. i just need the time to implement the ideas. i am 
looking for someone to take the projects over, and maybe also work on a 
'schedule' program i've had ideas for. i would want to keep them at 
theoretic.com, but i would name you as the primary developer, and head 
of the project. you'd be in control. any takers? contact me, i'll 
explain what i want.

i am also working on releasing a 'copy press' program, which i have used 
to create my website, but am now looking to 'generalize' it and release 
it. it is in Perl, and uses xml::simple and template::toolkit to take 
xml files containing data for the webpage, and applies it to a template, 
for dynamically created 'hard' webpages (as opposed to on-the-fly 
generated pages with extra overhead and greater security risk). i have 
*some* ideas for it, but i have not had the time to really brainstorm on 
it yet. if you are interested in working on it for me (also at 
theoretic.com, but you'd be the head of the project), contact me.

Adam Theo:
email: [EMAIL PROTECTED]
jabber: [EMAIL PROTECTED]
icq: 3617306
aim: adamtheo2000

thanks, all.




Re: [JDEV] Patch for Jabber Server v1.4

2001-06-15 Thread Gerard BUNEL



Aurélien Gâteau wrote:

> Hi !
>
> I'm pretty new to this list (I just subscribed five minutes ago :o), so please tell me if I don't do everything as I should.
>
> My company is developing a peer-to-peer application for genealogists and we are in the process of adding support for
> Instant Messaging, thanks to Jabber.
>
> Our server is running MS SQL Server 2000. As it doesn't seem possible to get Jabber use a SQL Server database for
> users yet, we decided to create/update/delete users on Jabber whenever the SQL Server database was modified. I
> created a tool to register user on the Jabber server when such changes happened and a tool to automatically recreate
> Jabber users from the SQL Server users to get the existing users up to date and to be able to resynchronize Jabber in
> case anything bad happens...

You could have used a modified version of xdb_sql so that your users should be retrieved from your SQL Server.
Modified in the sense that it actually uses specific SQL tables. You should modify the SQL requests to match your
own tables.

>
> This tool was often getting connection limited by the Jabber server. Therefore I modified the server to allow bypassing
> Karma for a specific address. In the xml config file, you need to do something like this :
> 
> ...
>   
> ...
> 
>   12.13.14.15
> ...
> 
> ...
>   
> ...
> 
>
> It's a little rough right now (no multiple IP or masks) but it seems to work well.
> Could you tell me what you think about it ?
>
> Regards,
>   Aurelien
>
>   
> Name: bypasskarma.diff
> Type: unspecified type (application/octet-stream)
> Encoding: Base64

--
[EMAIL PROTECTED] - Atlantide - http://www.ago.fr/atlantide/
Technopole Brest Iroise BP 80802 - Site du Vernis - 29608 Brest cedex - France
Tel. : +33 2 98 05 43 21 - Fax. : +33 2 98 05 20 34
e-mail: [EMAIL PROTECTED]
Centre Affaires Oberthur - 74D, rue de Paris -  35700 Rennes - France
Tel. : +33 2 99 84 15 84 - Fax : +33 2 99 84 15 85
e-mail: [EMAIL PROTECTED]





Re: [JDEV] Patch for Jabber Server v1.4

2001-06-15 Thread Rodolphe Duge de Bernonville

Aurélien Gâteau wrote:
> 
> Hi !
> 
> I'm pretty new to this list (I just subscribed five minutes ago :o), so please tell me if I don't do everything as I should.
> 
> My company is developing a peer-to-peer application for genealogists and we are in the process of adding support for
> Instant Messaging, thanks to Jabber.
> 
> Our server is running MS SQL Server 2000. As it doesn't seem possible to get Jabber use a SQL Server database for
> users yet, we decided to create/update/delete users on Jabber whenever the SQL Server database was modified. I
> created a tool to register user on the Jabber server when such changes happened and a tool to automatically recreate
> Jabber users from the SQL Server users to get the existing users up to date and to be able to resynchronize Jabber in
> case anything bad happens...
> This tool was often getting connection limited by the Jabber server. Therefore I modified the server to allow bypassing
> Karma for a specific address. In the xml config file, you need to do something like this :
> 
> ...
>   
> ...
> 
>   12.13.14.15
> ...
> 
> ...
>   
> ...
> 
> 
> It's a little rough right now (no multiple IP or masks) but it seems to work well.
> Could you tell me what you think about it ?
> 

hello !

well it's a solution ... but maybe not the best ...
you could change your database and use xdb_sql
(http://download.jabber.org/contrib/)
(or rewrite it to access MS SQL Server directly or via ODBC ?).
a simpler solution would also be to create xml user file in
jabber/spool/your_host
with a little script.
___
jdev mailing list
[EMAIL PROTECTED]
http://mailman.jabber.org/listinfo/jdev



[JDEV] Patch for Jabber Server v1.4

2001-06-15 Thread Aurélien Gâteau

Hi !

I'm pretty new to this list (I just subscribed five minutes ago :o), so please tell me if I don't do everything as I should.

My company is developing a peer-to-peer application for genealogists and we are in the process of adding support for 
Instant Messaging, thanks to Jabber.

Our server is running MS SQL Server 2000. As it doesn't seem possible to get Jabber use a SQL Server database for 
users yet, we decided to create/update/delete users on Jabber whenever the SQL Server database was modified. I 
created a tool to register user on the Jabber server when such changes happened and a tool to automatically recreate 
Jabber users from the SQL Server users to get the existing users up to date and to be able to resynchronize Jabber in 
case anything bad happens... 
This tool was often getting connection limited by the Jabber server. Therefore I modified the server to allow bypassing 
Karma for a specific address. In the xml config file, you need to do something like this :

...
  
...

  12.13.14.15
...

...
  
...


It's a little rough right now (no multiple IP or masks) but it seems to work well.
Could you tell me what you think about it ?

Regards,
  Aurelien

 bypasskarma.diff