[Pidgin] #11320: Pidgin incorrectly requests plaintext auth over an unencrypted connection for XMPP if an unknown mechanism is seen by cyrus-sasl
Pidgin
trac at pidgin.im
Tue Feb 9 13:40:01 EST 2010
#11320: Pidgin incorrectly requests plaintext auth over an unencrypted connection for XMPP if an unknown mechanism is seen by cyrus-sasl
--------------------------+-------------------------------------------------
Reporter: dreiss | Owner: rekkanoryo
Type: enhancement | Status: new
Component: unclassified | Version: 2.6.4
Keywords: |
--------------------------+-------------------------------------------------
Steps to reproduce:
- Build Pidgin with cyrus-sasl.
- Find a server that only supports SASL auth (not XEP-0078), does not
support TLS, and only supports two authentication mechanisms: DIGEST-MD5
and a second that cyrus-sasl doesn't know about. I'm attaching a stub
version of such a server as a Python script. Just run it from the command
line and it will bind to port 5222.
- Create a new XMPP account pointing to localhost. Uncheck "require
SSL", but do not allow plaintext auth over an unencrypted connection.
Enter an incorrect password (all passwords are incorrect for my demo
server).
- Connect to the server.
Expected behavior:
- Pidgin realizes that DIGEST-MD5 failed and the other mechanism has no
chance of succeeding, so it informs the user that authentication failed.
Observed behavior:
- Pidgin displays a dialog that asks "[JID] requires plaintext
authentication over an unencrypted connection. Allow this and continue
authentication?"
I tracked this down to jabber_auth_start_cyrus. It seems like libpurple's
strategy on an authentication failure is to request the right to send the
plaintext password, then try again. I wasn't able to find any really good
documentation on cyrus-sasl, so I don't know if it is possible to do
something better. Ideally, it would be possible to effectively ask
cyrus-sasl "I'm not saying you can use a plaintext password yet, but if you
could, would there be any other mechanisms you could use?"
--
Ticket URL: <http://developer.pidgin.im/ticket/11320>
Pidgin <http://pidgin.im>
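The selection logic the report argues for, as an added illustration that is not libpurple or cyrus-sasl code: the client only asks the user to permit plaintext auth when a plaintext mechanism the server actually offers would become usable; otherwise a failed DIGEST-MD5 attempt beside an unknown mechanism ends in a plain authentication failure. The mechanism sets, function names and the "every attempt fails" simulation are assumptions made for this example.

```python
# Mechanisms that reveal the password to the server (assumed set).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
# Mechanisms the SASL library is assumed to implement (stand-in for cyrus-sasl).
KNOWN_MECHS = {"DIGEST-MD5", "PLAIN", "LOGIN", "CRAM-MD5"}


def usable_mechs(offered, encrypted, allow_plaintext, tried):
    """Mechanisms that can be attempted now, given connection state and user policy."""
    usable = set()
    for mech in offered:
        if mech not in KNOWN_MECHS or mech in tried:
            continue  # unknown to the library, or already failed
        if mech in PLAINTEXT_MECHS and not (encrypted or allow_plaintext):
            continue  # would send the password in the clear without permission
        usable.add(mech)
    return usable


def next_step(offered, encrypted, allow_plaintext, tried):
    """Return ('try', mech), ('ask_plaintext', mech) or ('fail', None)."""
    now = usable_mechs(offered, encrypted, allow_plaintext, tried)
    if now:
        # Prefer a mechanism that does not expose the password.
        preferred = sorted(now, key=lambda m: (m in PLAINTEXT_MECHS, m))
        return ("try", preferred[0])
    # Only prompt if granting plaintext permission would unlock an offered mechanism.
    if not encrypted and not allow_plaintext:
        unlocked = usable_mechs(offered, encrypted, True, tried)
        if unlocked:
            return ("ask_plaintext", sorted(unlocked)[0])
    return ("fail", None)


def simulate(offered, encrypted=False, allow_plaintext=False):
    """Walk the flow assuming every attempt fails (as on the demo server);
    returns the ordered list of (action, mechanism) steps taken."""
    tried, steps = set(), []
    while True:
        action, mech = next_step(offered, encrypted, allow_plaintext, tried)
        steps.append((action, mech))
        if action != "try":
            return steps
        tried.add(mech)  # constructed outcome: wrong password, attempt failed


if __name__ == "__main__":
    # Constructed server offer matching the report: DIGEST-MD5 plus an unknown mechanism.
    print(simulate(["DIGEST-MD5", "X-UNKNOWN-MECH"]))
```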