badlop
commented
5 days ago The only thing I can say for sure is what I tried:
auth_scram_hash
You shouldn’t change this if you already have passwords generated with a different algorithm - users that have such passwords will not be able to authenticate.
If you setup auth_scram_hash: sha, start ejabberd and register some accounts, their passwords are stored in sha format.
If you then change to auth_scram_hash: sha256, restart ejabberd:
- new accounts with have the password stored as sha256 and can login correctly
- old accounts have the password still stored as sha. When ejabberd offers SCRAM-SHA-256 and the client provides a username+password in sha256, it cannot be authenticated.
I wonder how exactly mod_scram_upgrade is designed to be used in practice by an administrator, its use-case.
For example, let's imagine it's SHA-1 right now and SHA-256 is desired. With the configuration is like this:
auth_password_format: scram
auth_scram_hash: shaThen what should the admin setup?
A) Store new as sha, offer upgrade to sha256?
auth_password_format: scram
auth_scram_hash: sha
modules:
mod_scram_upgrade:
offered_upgrades:
- sha256B) Store the new as sha256, offer upgrade to sha256?
auth_password_format: scram
auth_scram_hash: sha256
modules:
mod_scram_upgrade:
offered_upgrades:
- sha256@prefiks any idea here?
I also wonder what clients already support XEP-0480 to test the feature
Neustradamus
tmolitor-stud-tu
reading https://docs.ejabberd.im/admin/configuration/modules/#mod_scram_upgrade
and then reading https://docs.ejabberd.im/admin/configuration/toplevel/#auth_scram_hash I see
gets me confused
if
auth_scram_hashisThe default value is shathen how can I upgrade?