3095 Views 7 Replies Latest reply: Aug 13, 2008 8:08 AM by ConFuzedITGuy
piotrmikula Bronze 7 posts since
Aug 6, 2008
Aug 7, 2008 6:01 PM

LDAP password save in clear text in openfire.xml

This seems like a major security problem. Can this be replaced by some type of encryption-based authentication, so the password is saved as a hash?

Thank you

-Peter

  • Daryl Herzmann KeyContributor 849 posts since
    Mar 12, 2005
    Aug 11, 2008 2:43 PM (in response to piotrmikula)
    Re: LDAP password save in clear text in openfire.xml

    Hi Peter,

    The best thing is to guard against your users being able to see this file.  Even storing it as a hash in the file would be tough, since openfire would need to be able to decrypt it and that methodology would be fairly straight forward to do outside of openfire.  If a naughty user can see your file, you are probably in trouble anyway.

    I am not well versed in LDAP, but for typical read-only applications, don't folks set up a non-privileged account that is allowed query access to the server for applications to authenticate with?

    I do understand what you are saying tho and your concern...

    daryl

  • ConFuzedITGuy Bronze 67 posts since
    Jul 16, 2008
    Aug 13, 2008 5:31 AM (in response to piotrmikula)
    Re: LDAP password save in clear text in openfire.xml

    Although I can see both sides are reasonable, it would be kind of nice to have that cover up... When someone walks by behind you and you happen to be editing the thing it can be kind of... well, insecure.

    As with any security, it is just another blanket. It is a journey not a destination.

    • psylem Bronze 5 posts since
      Aug 13, 2008

      Just be careful to consider the consequences of such a feature. You would still have to generate the hash somehow, meaning the config file is no longer a fallback to get the system configured correctly (you are now forced to use a tool other than a simple text editor to configure the system).

      The admin gui provides password fields complete with *'s if you don't want people spying over your shoulder

      With limited resources, I don't think it's worth it for such a thin veil of protection. If the result would truly protect the password then I'd be all for it.

      • ConFuzedITGuy Bronze 67 posts since
        Jul 16, 2008
        Aug 13, 2008 6:22 AM (in response to psylem)
        Re: LDAP password save in clear text in openfire.xml

        It really doesn't have to be an encryption of sorts... just knock all the letters down one (a=b, b=c, c=d, etc.). I can see where it would be an issue trying to figure that out with a text editor though...

        But hey, I'm behind closed doors and we all know the password here anyway!

        • psylem Bronze 5 posts since
          Aug 13, 2008

          The main reason I think no one would develop such a solution is because the WTF factor from their peers would be overwhelming. What would you think if you reviewed some code that obfuscated a password in a text file with a reversible open source algorithm? I'd be thinking that the guy who wrote it was on crack.

          Fake security is worse than no security. Someone is likely to see the password is garbled and assume it's safely encrypted instead of ensuring the file has correct permissions because they know full well it contains a plain text password. How long before we see people posting snippets of their config file containing what they assume to be some kind of harmless hash?
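The thread's practical conclusion is that the permissions on openfire.xml matter more than obfuscating the value inside it. The following audit is an added example, not code from the thread or from the Openfire project: it reports whether a config like this carries a clear-text LDAP bind password and whether the file is readable by anyone other than its owner. The `<ldap><adminPassword>` element name and the sample file contents are assumptions constructed for the example.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample resembling an openfire.xml with LDAP settings.
# The <ldap><adminPassword> element name is assumed, not taken from the thread.
SAMPLE_OPENFIRE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<jive>
  <ldap>
    <host>ldap.example.internal</host>
    <adminDN>cn=openfire-bind,ou=service,dc=example,dc=internal</adminDN>
    <adminPassword>ExamplePassword1</adminPassword>
  </ldap>
</jive>
"""

def find_plaintext_ldap_password(xml_text):
    """Return the LDAP bind password if the config carries one in the clear, else None."""
    root = ET.fromstring(xml_text)
    node = root.find("./ldap/adminPassword")
    if node is None or not (node.text or "").strip():
        return None
    return node.text.strip()

def permission_findings(path):
    """List who besides the owner can read the file, based on POSIX mode bits."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings

def audit_openfire_xml(path):
    """A clear-text bind password is only exposed when the file is readable
    by more than the service account, so report both facts together."""
    with open(path, encoding="utf-8") as fh:
        password = find_plaintext_ldap_password(fh.read())
    return {"has_plaintext_password": password is not None,
            "exposure": permission_findings(path)}

def write_sample(mode):
    """Write the constructed sample to a temp file with the given mode; returns its path."""
    fd, path = tempfile.mkstemp(suffix="openfire.xml")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_OPENFIRE_XML)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    print(audit_openfire_xml(write_sample(0o644)))  # exposed: group and world readable
    print(audit_openfire_xml(write_sample(0o600)))  # owner-only, exposure list is empty
```

Run as a service account with 0o600 on the real file, the second result is what you want to see; any entry in `exposure` means the clear-text password is readable by others regardless of how it is written.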
