-rw-r--r--core/usermanager.lua18
-rw-r--r--plugins/mod_register.lua5
-rw-r--r--plugins/mod_saslauth.lua16
-rw-r--r--plugins/mod_tls.lua5
-rw-r--r--prosody.cfg.lua.dist178
-rw-r--r--util/sasl/digest-md5.lua2
6 files changed, 120 insertions, 104 deletions
diff --git a/core/usermanager.lua b/core/usermanager.lua
index 6b19b651..8d7270c2 100644
--- a/core/usermanager.lua
+++ b/core/usermanager.lua
@@ -14,11 +14,15 @@ local ipairs = ipairs;
local hashes = require "util.hashes";
local jid_bare = require "util.jid".bare;
local config = require "core.configmanager";
+local hosts = hosts;
module "usermanager"
+local function is_cyrus(host) return config.get(host, "core", "sasl_backend") == "cyrus"; end
+
function validate_credentials(host, username, password, method)
log("debug", "User '%s' is being validated", username);
+ if is_cyrus(host) then return nil, "Legacy auth not supported with Cyrus SASL."; end
local credentials = datamanager.load(username, host, "accounts") or {};
if method == nil then method = "PLAIN"; end
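Review bot: `local hosts = hosts;` is added at the top of this hunk but nothing visible in the diff reads it; if the rest of the file does not use it either it should be dropped, since it only captures the global at module load. The new `is_cyrus` helper re-reads `sasl_backend` from the host's config on every call, which keeps it in step with the option but leaves the reason for refusing legacy auth undocumented; a one-line comment above the helper would help: `-- With the Cyrus backend the credential store is outside Prosody; every path that would read or write datamanager accounts must refuse.` The body of `validate_credentials` continues past the end of this hunk.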
@@ -48,14 +52,26 @@ function validate_credentials(host, username, password, method)
end
function get_password(username, host)
- return (datamanager.load(username, host, "accounts") or {}).password
+ if is_cyrus(host) then return nil, "Passwords unavailable for Cyrus SASL."; end
+ return (datamanager.load(username, host, "accounts") or {}).password
+end
+function set_password(username, host, password)
+ if is_cyrus(host) then return nil, "Passwords unavailable for Cyrus SASL."; end
+ local account = datamanager.load(username, host, "accounts");
+ if account then
+ account.password = password;
+ return datamanager.store(username, host, "accounts", account);
+ end
+ return nil, "Account not available.";
end
function user_exists(username, host)
+ if is_cyrus(host) then return true; end
return datamanager.load(username, host, "accounts") ~= nil; -- FIXME also check for empty credentials
end
function create_user(username, password, host)
+ if is_cyrus(host) then return nil, "Account creation/modification not available with Cyrus SASL."; end
return datamanager.store(username, host, "accounts", {password = password});
end
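Review bot: `user_exists` now answers `true` for every username on a Cyrus host, and nothing at the line says this is an "unknown, assume yes" answer rather than a lookup. Any caller that gates stanza delivery or storage on `user_exists` will accept arbitrary local names on such hosts (those callers are not in this diff, so treat this as a hedge), so the assumption should be written down: `-- Cyrus SASL cannot enumerate accounts; assume the user exists so auth is never refused. Callers must not treat this as proof that an account is provisioned.` Separately, `set_password` stores `password = nil` without complaint, which is exactly what the "disable" path in mod_register relies on, so the FIXME on `user_exists` about empty credentials now matters more than before; at minimum `set_password` should reject non-string, non-nil values with `if password ~= nil and type(password) ~= "string" then return nil, "Invalid password."; end`.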
diff --git a/plugins/mod_register.lua b/plugins/mod_register.lua
index 2a25d1d0..b8d142f7 100644
--- a/plugins/mod_register.lua
+++ b/plugins/mod_register.lua
@@ -12,6 +12,7 @@ local st = require "util.stanza";
local datamanager = require "util.datamanager";
local usermanager_user_exists = require "core.usermanager".user_exists;
local usermanager_create_user = require "core.usermanager".create_user;
+local usermanager_set_password = require "core.usermanager".set_password;
local datamanager_store = require "util.datamanager".store;
local os_time = os.time;
local nodeprep = require "util.encodings".stringprep.nodeprep;
@@ -34,7 +35,7 @@ module:add_iq_handler("c2s", "jabber:iq:register", function (session, stanza)
local username, host = session.username, session.host;
--session.send(st.error_reply(stanza, "cancel", "not-allowed"));
--return;
- usermanager_create_user(username, nil, host); -- Disable account
+ usermanager_set_password(username, host, nil); -- Disable account
-- FIXME the disabling currently allows a different user to recreate the account
-- we should add an in-memory account block mode when we have threading
session.send(st.reply(stanza));
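Review bot: The result of `usermanager_set_password(username, host, nil)` is discarded, so when it returns `nil, "Account not available."` or the store fails, the client is still sent the success reply on the next line and the account stays usable. Check the return before replying, e.g. `local ok, err = usermanager_set_password(username, host, nil);` then `if not ok then session.send(st.error_reply(stanza, "wait", "internal-server-error")); return; end` (the exact condition is the module's choice; the commented-out `not-allowed` reply above shows the shape). The existing FIXME already records that nulling the password is a weak form of disabling. The enclosing iq handler starts before this hunk.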
@@ -69,7 +70,7 @@ module:add_iq_handler("c2s", "jabber:iq:register", function (session, stanza)
username = nodeprep(table.concat(username));
password = table.concat(password);
if username == session.username then
- if usermanager_create_user(username, password, session.host) then -- password change -- TODO is this the right way?
+ if usermanager_set_password(username, session.host, password) then
session.send(st.reply(stanza));
else
-- TODO unable to write file, file may be locked, etc, what's the correct error?
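Review bot: The new password is stored exactly as received, so an empty `<password/>` element (`table.concat` of no text gives `""`) sets an empty password with no rejection; the replaced `create_user` call had the same gap, but since this line is being touched it is the moment to add, before the `set_password` call, `if password == "" then session.send(st.error_reply(stanza, "modify", "not-acceptable")); return; end`. The `username == session.username` check correctly limits password changes to the authenticated account. The handler continues outside this hunk.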
diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua
index f2fe44ea..c0360553 100644
--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -35,7 +35,9 @@ local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind';
local xmlns_stanzas ='urn:ietf:params:xml:ns:xmpp-stanzas';
local new_sasl;
-if sasl_backend == "cyrus" then
+if sasl_backend == "builtin" then
+ new_sasl = require "util.sasl".new;
+elseif sasl_backend == "cyrus" then
prosody.unlock_globals(); --FIXME: Figure out why this is needed and
-- why cyrussasl isn't caught by the sandbox
local ok, cyrus = pcall(require, "util.sasl_cyrus");
@@ -46,14 +48,12 @@ if sasl_backend == "cyrus" then
return cyrus_new(realm, module:get_option("cyrus_service_name") or "xmpp");
end
else
- sasl_backend = "builtin";
- module:log("warn", "Failed to load Cyrus SASL, falling back to builtin auth mechanisms");
- module:log("debug", "Failed to load Cyrus because: %s", cyrus);
+ module:log("error", "Failed to load Cyrus SASL because: %s", cyrus);
+ error("Failed to load Cyrus SASL");
end
-end
-if not new_sasl then
- if sasl_backend ~= "builtin" then module:log("warn", "Unknown SASL backend %s", sasl_backend); end;
- new_sasl = require "util.sasl".new;
+else
+ module:log("error", "Unknown SASL backend: %s", sasl_backend);
+ error("Unknown SASL backend");
end
local default_authentication_profile = {
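Review bot: Failing closed on an unloadable or unknown backend is the right call, but the Cyrus failure path now calls `error()` after `prosody.unlock_globals()` has already run earlier in the same `elseif` branch, with no re-lock visible; if a `prosody.lock_globals()` normally follows this if/else chain it is skipped, which is harmless only if an aborted module load discards that environment anyway, so worth confirming. `module:log("error", "Unknown SASL backend: %s", sasl_backend)` also assumes `sasl_backend` is never `nil`; if the option is defaulted to "builtin" where it is read (outside this hunk) that is fine, otherwise an unset option now aborts the module with a confusing message. A comment on the final `else` would make the intent explicit: `-- Unrecognised backend: abort rather than silently fall back to builtin auth.`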
diff --git a/plugins/mod_tls.lua b/plugins/mod_tls.lua
index b30ad3f3..8b96aa15 100644
--- a/plugins/mod_tls.lua
+++ b/plugins/mod_tls.lua
@@ -10,6 +10,7 @@ local st = require "util.stanza";
local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption");
local secure_s2s_only = module:get_option("s2s_require_encryption");
+local allow_s2s_tls = module:get_option("s2s_allow_encryption") ~= false;
local xmlns_starttls = 'urn:ietf:params:xml:ns:xmpp-tls';
local starttls_attr = { xmlns = xmlns_starttls };
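Review bot: `allow_s2s_tls` is read independently of `secure_s2s_only`, so a config with `s2s_require_encryption = true` and `s2s_allow_encryption = false` is accepted silently even though no s2s session could satisfy both. Add a startup check after the option reads: `if secure_s2s_only and not allow_s2s_tls then module:log("warn", "s2s_require_encryption is set but s2s_allow_encryption = false; no s2s connection can be established"); end`. The `~= false` test correctly makes an unset option mean "allowed", which deserves a comment such as `-- nil (unset) means allowed; only an explicit false disables s2s TLS` since the usual `or true` idiom would have been wrong here.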
@@ -27,9 +28,9 @@ local host = hosts[module.host];
local function can_do_tls(session)
if session.type == "c2s_unauthed" then
return session.conn.starttls and host.ssl_ctx_in;
- elseif session.type == "s2sin_unauthed" then
+ elseif session.type == "s2sin_unauthed" and allow_s2s_tls then
return session.conn.starttls and host.ssl_ctx_in;
- elseif session.direction == "outgoing" then
+ elseif session.direction == "outgoing" and allow_s2s_tls then
return session.conn.starttls and host.ssl_ctx;
end
return false;
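Review bot: Both s2s branches of `can_do_tls` now carry `and allow_s2s_tls`, which is easy to miss when another s2s session type is added later; a guard up front reads more clearly and is equivalent: `if not allow_s2s_tls and session.type ~= "c2s_unauthed" then return false; end` placed before the original if/elseif chain. Note that the `outgoing` branch tests only `session.direction`, not `session.type`, so it is the fallback for every non-c2s session; that is pre-existing, but the new flag now silently governs it too, which a comment on that branch should say.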
diff --git a/prosody.cfg.lua.dist b/prosody.cfg.lua.dist
index 021f6f11..c959b4fe 100644
--- a/prosody.cfg.lua.dist
+++ b/prosody.cfg.lua.dist
@@ -34,85 +34,85 @@
-- Server-wide settings go in this section
Host "*"
- -- This is a (by default, empty) list of accounts that are admins for the
- -- server. Note that you must create the accounts separately (see
- -- http://prosody.im/doc/creating_accounts)
- -- Example: admins = { "user1@example.com", "user2@example.net" }
- admins = { }
-
- -- Enable use of libevent for better performance under high load
- -- For more information see: http://prosody.im/doc/libevent
- --use_libevent = true;
-
- -- This is the list of modules Prosody will load on startup. It looks for
- -- mod_modulename.lua in the plugins folder, so make sure that exists too.
- -- Documentation on modules can be found at: http://prosody.im/doc/modules
- modules_enabled = {
- -- Generally required
- "roster"; -- Allow users to have a roster. Recommended ;)
- "saslauth"; -- Authentication for clients and servers. Recommended if
- -- you want to log in.
- "dialback"; -- s2s dialback support
- "disco"; -- Service discovery
- "posix"; -- POSIX functionality, daemonizes, enables syslog, etc.
-
- -- Not essential, but recommended
- "private"; -- Private XML storage (for room bookmarks, etc.)
- "vcard"; -- Allow users to set vCards
- "privacy"; -- Support privacy lists
- "tls"; -- Support for secure TLS on c2s/s2s connections
- --"compression"; -- Stream compression for client-to-server streams
-
- -- Nice to have
- "legacyauth"; -- Legacy authentication. Only used by some old
- -- clients and bots.
- "version"; -- Replies to server version requests
- "uptime"; -- Report how long server has been running
- "time"; -- Let others know the time here on this server
- "ping"; -- Replies to XMPP pings with pongs
- "pep"; -- Enables users to publish their mood, activity, playing
- -- music and more
- "register"; -- Allow users to register on this server using a client
- -- and change passwords
-
- -- Other specific functionality
- --"console"; -- telnet to port 5582
- -- (needs console_enabled = true)
- --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
- --"httpserver"; -- Serve static files from a directory over
- -- HTTP
- --"groups"; -- Shared roster support
- --"announce"; -- Send announcement to all online users
- --"welcome"; -- Welcome users who register accounts
- --"watchregistrations"; -- Alert admins of registrations
- }
-
- -- These modules are auto-loaded, should you for (for some mad
- -- reason) want to disable them then uncomment them below.
- modules_disabled = {
- --"presence";
- --"message";
- --"iq";
- }
-
- -- Disable account creation by default, for security
- -- For more information see http://prosody.im/doc/creating_accounts
- allow_registration = false;
-
- --These are the SSL/TLS-related settings.
- --ssl = {
- -- key = "certs/localhost.key";
- -- certificate = "certs/localhost.cert";
- --}
-
- -- Require encryption on client/server connections?
- --c2s_require_encryption = false
- --s2s_require_encryption = false
-
- -- Logging configuration
- -- For advanced logging see http://prosody.im/doc/logging
- log = "prosody.log";
- debug = false; -- Log debug messages?
+ -- This is a (by default, empty) list of accounts that are admins for the
+ -- server. Note that you must create the accounts separately (see
+ -- http://prosody.im/doc/creating_accounts)
+ -- Example: admins = { "user1@example.com", "user2@example.net" }
+ admins = { }
+
+ -- Enable use of libevent for better performance under high load
+ -- For more information see: http://prosody.im/doc/libevent
+ --use_libevent = true;
+
+ -- This is the list of modules Prosody will load on startup. It looks for
+ -- mod_modulename.lua in the plugins folder, so make sure that exists too.
+ -- Documentation on modules can be found at: http://prosody.im/doc/modules
+ modules_enabled = {
+ -- Generally required
+ "roster"; -- Allow users to have a roster. Recommended ;)
+ "saslauth"; -- Authentication for clients and servers. Recommended if
+ -- you want to log in.
+ "dialback"; -- s2s dialback support
+ "disco"; -- Service discovery
+ "posix"; -- POSIX functionality, daemonizes, enables syslog, etc.
+
+ -- Not essential, but recommended
+ "private"; -- Private XML storage (for room bookmarks, etc.)
+ "vcard"; -- Allow users to set vCards
+ "tls"; -- Support for secure TLS on c2s/s2s connections
+ --"privacy"; -- Support privacy lists
+ --"compression"; -- Stream compression for client-to-server streams
+
+ -- Nice to have
+ "legacyauth"; -- Legacy authentication. Only used by some old
+ -- clients and bots.
+ "version"; -- Replies to server version requests
+ "uptime"; -- Report how long server has been running
+ "time"; -- Let others know the time here on this server
+ "ping"; -- Replies to XMPP pings with pongs
+ "pep"; -- Enables users to publish their mood, activity, playing
+ -- music and more
+ "register"; -- Allow users to register on this server using a client
+ -- and change passwords
+
+ -- Other specific functionality
+ --"console"; -- telnet to port 5582
+ -- (needs console_enabled = true)
+ --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+ --"httpserver"; -- Serve static files from a directory over
+ -- HTTP
+ --"groups"; -- Shared roster support
+ --"announce"; -- Send announcement to all online users
+ --"welcome"; -- Welcome users who register accounts
+ --"watchregistrations"; -- Alert admins of registrations
+ }
+
+ -- These modules are auto-loaded, should you for (for some mad
+ -- reason) want to disable them then uncomment them below.
+ modules_disabled = {
+ --"presence";
+ --"message";
+ --"iq";
+ }
+
+ -- Disable account creation by default, for security
+ -- For more information see http://prosody.im/doc/creating_accounts
+ allow_registration = false;
+
+ --These are the SSL/TLS-related settings.
+ --ssl = {
+ -- key = "certs/localhost.key";
+ -- certificate = "certs/localhost.cert";
+ --}
+
+ -- Require encryption on client/server connections?
+ --c2s_require_encryption = false
+ --s2s_require_encryption = false
+
+ -- Logging configuration
+ -- For advanced logging see http://prosody.im/doc/logging
+ log = "prosody.log";
+ debug = false; -- Log debug messages?
-- This allows clients to connect to localhost. No harm in it.
Host "localhost"
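Review bot: The new `s2s_allow_encryption` option this commit adds to mod_tls is not documented in the shipped config, even though the block holding the related `c2s_require_encryption` / `s2s_require_encryption` lines is rewritten here. Add next to them: `-- Allow TLS on server-to-server connections at all? (defaults to true)` followed by `--s2s_allow_encryption = true`. This hunk also moves `"privacy"` into the commented-out list, so privacy lists are no longer enabled by default; that is a user-visible behaviour change hiding inside a re-indentation and should be called out (in the commit message if it is not already, and ideally with a comment on the line saying why).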
@@ -120,16 +120,16 @@ Host "localhost"
-- Section for example.com
-- (replace example.com with your domain name)
Host "example.com"
- enabled = false -- This will disable the host, preserving the config, but
- -- denying connections (remove to enable!)
-
- -- Assign this host a certificate for TLS, otherwise it would use the one
- -- set in the global section (if any). Note that old-style SSL on port 5223
- -- only supports one certificate, and will always use the global one.
- --ssl = {
- -- key = "certs/example.com.key";
- -- certificate = "certs/example.com.crt";
- --}
+ enabled = false -- This will disable the host, preserving the config, but
+ -- denying connections (remove to enable!)
+
+ -- Assign this host a certificate for TLS, otherwise it would use the one
+ -- set in the global section (if any). Note that old-style SSL on port 5223
+ -- only supports one certificate, and will always use the global one.
+ --ssl = {
+ -- key = "certs/example.com.key";
+ -- certificate = "certs/example.com.crt";
+ --}
-- Set up a MUC (multi-user chat) room server on conference.example.com:
--Component "conference.example.com" "muc"
diff --git a/util/sasl/digest-md5.lua b/util/sasl/digest-md5.lua
index 5b8f5c8a..04acf04d 100644
--- a/util/sasl/digest-md5.lua
+++ b/util/sasl/digest-md5.lua
@@ -35,8 +35,6 @@ local function digest(self, message)
local function serialize(message)
local data = ""
- if type(message) ~= "table" then error("serialize needs an argument of type table.") end
-
-- testing all possible values
if message["realm"] then data = data..[[realm="]]..message.realm..[[",]] end
if message["nonce"] then data = data..[[nonce="]]..message.nonce..[[",]] end
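Review bot: Dropping the `type(message) ~= "table"` guard means a non-table argument no longer fails with a clear message: a string `message` is silently serialized to `""` (indexing a string goes through the string metatable and yields `nil` for every key), and any other type raises an opaque "attempt to index" error. If `serialize` is only ever called with tables built inside this file the guard is redundant, but it cost one line and turned a caller bug into a precise error, so I would keep it: `if type(message) ~= "table" then error("serialize needs an argument of type table.") end`. `serialize` is nested inside `digest` (see the `@@` context) and its body continues past this hunk.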