Ejabberd: auth_method anonymous disables SCRAM-SHA-1 (Conversations stops working)

Created on 21 Feb 2019 · 6 Comments · Source: processone/ejabberd

After upgrading from 16.09-4 to 18.12.1 in Debian stretch I messed up the ejabberd.yml configuration and most of my Conversations users stopped logging in with "Degraded SASL mechanism".
Ejabberd was offering ANONYMOUS and PLAIN.
After disabling auth_method ANONYMOUS, ejabberd started offering PLAIN and SCRAM-SHA-1 again and all is well.
I suppose ANONYMOUS disabling SCRAM-SHA-1 is a bug.

Bug Authentication

All 6 comments

The bug is confirmed.

For the record, the mechanisms selection is performed here: https://github.com/processone/ejabberd/blob/18.12.1/src/ejabberd_c2s.erl#L354
Since ejabberd_auth_anonymous:store_type/1 returns external (WTF???), SCRAM is ruled out.
After playing a bit with the code I decided that functions ejabberd_auth:store_type() and ejabberd_auth:plain_password_required are completely broken. For example, when auth_password_format is set to scram, then ejabberd_auth_mnesia:plain_password_required returns true (WTF???)
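To make the mechanism-selection problem described in this comment concrete, here is an added example (not ejabberd's code, and not from the issue's participants). It models, in simplified form, how a c2s server derives its SASL mechanism list from the configured auth_method list and each backend's store type, reproducing the reported behaviour (a single "external" store type anywhere in the list rules SCRAM out for everyone) next to a per-method decision that leaves the anonymous backend out of the SCRAM question. It also includes the check an operator or client can run on a stream:features stanza to detect that SCRAM has disappeared. The store-type table, the function names and the sample stanzas are all constructed for the example.

```python
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Hypothetical per-backend store types, modelled on the comment above:
# the anonymous backend reports "external", the mnesia backend (with
# auth_password_format: scram) stores SCRAM verifiers.
STORE_TYPES = {"anonymous": "external", "mnesia": "scram"}


def offered_mechanisms(auth_methods, store_types, per_method=True):
    """Simplified model of SASL mechanism selection (not ejabberd's code).

    auth_methods: the configured auth_method list, e.g. ["anonymous", "mnesia"].
    store_types:  map backend -> store type ("external", "scram", ...).
    per_method=False reproduces the behaviour reported for 18.12.1: one
    "external" store type anywhere in the list removes SCRAM for everyone.
    per_method=True decides SCRAM only from the password-based backends.
    """
    mechs = {"PLAIN"}
    if "anonymous" in auth_methods:
        mechs.add("ANONYMOUS")
    if per_method:
        password_backends = [m for m in auth_methods if m != "anonymous"]
    else:
        password_backends = list(auth_methods)
    # SCRAM needs a backend that can verify SCRAM; an "external" store cannot.
    if password_backends and all(store_types[m] != "external" for m in password_backends):
        mechs.add("SCRAM-SHA-1")
    return mechs


def sasl_mechanisms(features_xml):
    """Extract the mechanism names a server advertises in stream:features."""
    root = ET.fromstring(features_xml)
    return {el.text.strip() for el in root.iter(f"{{{SASL_NS}}}mechanism") if el.text}


def downgraded_to_plain(mechs):
    """True when PLAIN is offered without any SCRAM variant, i.e. the
    condition under which Conversations reports 'Degraded SASL mechanism'."""
    return "PLAIN" in mechs and not any(m.startswith("SCRAM-") for m in mechs)


# Constructed stream:features stanzas for the two states described in the issue.
FEATURES_BROKEN = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>ANONYMOUS</mechanism>
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>"""

FEATURES_OK = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism>
    <mechanism>SCRAM-SHA-1</mechanism>
  </mechanisms>
</stream:features>"""


if __name__ == "__main__":
    for methods in (["anonymous", "mnesia"], ["mnesia"]):
        print(methods, "list-wide:", sorted(offered_mechanisms(methods, STORE_TYPES, per_method=False)),
              "per-method:", sorted(offered_mechanisms(methods, STORE_TYPES, per_method=True)))
    for name, xml in (("broken", FEATURES_BROKEN), ("ok", FEATURES_OK)):
        mechs = sasl_mechanisms(xml)
        print(name, sorted(mechs), "downgraded" if downgraded_to_plain(mechs) else "fine")
```

The `sasl_mechanisms` / `downgraded_to_plain` pair is the part worth keeping as a post-upgrade check: feed it the features stanza your server actually sends after a configuration change, and alert if SCRAM is no longer in the list.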

Any news about it?

@prefiks, @badlop, @mremond: Have you looked at this security problem?
Thanks in advance.

Should be fixed by d8d9ef32adf75caa93477692e0a423f8a4c4de6b

Thanks @prefiks!

@radiocane: Can you test it?
Is it now perfect?
