search

processone / ejabberd

Robust, Ubiquitous and Massively Scalable Messaging Platform (XMPP, MQTT, SIP Server)
https://www.process-one.net/en/ejabberd/
Other
6.08k stars 1.51k forks source link

Add support for SHA-256/512 and/or SHA-3 for password based authentication #3159

Closed bowlofeggs closed 4 years ago

bowlofeggs commented 4 years ago

Greetings!

Is it possible to use SHA-256/512 or SHA-3 for password based authentication, in lieu of SHA-1 or MD5? When reading the docs here, it seems like SHA-256/512 are not supported:

https://docs.ejabberd.im/admin/configuration/#internal

If that is the case, I recommend adding a stronger hash to the list of supported authentication algorithms. SHA-1 is known to be weak, and it is thus not recommended to use it anymore.

licaon-kter commented 4 years ago

/close as duplicate https://github.com/processone/ejabberd/issues/2742

Also, are you sure SCRAM-SHA1 really has the same weaknesses as SHA1? eg. https://www.gnu.org/software/gsasl/manual/html_node/SCRAM_002dSHA_002d1.html

bowlofeggs commented 4 years ago

Hi @licaon-kter, I honestly don't know the difference between SHA-1 and SCRAM-SHA-1.

Neustradamus commented 4 years ago

@ProcessOne: Can you reopen #2742, it is always closed...

@bowlofeggs: RFC5208 -> https://tools.ietf.org/html/rfc5802

Neustradamus commented 3 years ago

Good news, there are new informations:

Note, after SCRAM-SHA-1(-PLUS):

Neustradamus commented 3 years ago

@bowlofeggs: @prefiks has done a lot of work about SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS).

SCRAM-SHA3-512(-PLUS) will be added, I think, when the RFC will be here, draft link in the previous comment.

Neustradamus commented 11 months ago

@bowlofeggs: New improvements have been added recently!