#1586 mod_auth_dovecot sends wrong auth id to dovecot over TCP with Jitsi
Reporter
kulve
Owner
Nobody
Created
Updated
Stars
★ (1)
Tags
Component-Community
Status-New
Type-Defect
Priority-Medium
kulve
on
What steps will reproduce the problem?
1. Enable mod_auth_dovecot for Prosody for Jitsi Meet.
2. Use TCP connection by setting dovecot_auth_host and dovecot_auth_port
3. Add extra debug prints to sasl_dovecot.lib.lua to see what's actually sent.
What is the expected output?
Dovecot expects the "resp=" to be in the form of "\0account\0password"
What do you see instead?
mod_auth_dovecot sends "account@domain\0account\0password"
What version of the product are you using? On what operating system?
Debian Buster
prosody-modules 0.0~hg20190203.b54e98d5c4a1+dfsg-1+deb10u1
prosody 0.11.2-1
Please provide any additional information below.
Is there perhaps already a configuration option to avoid sending that "account@domain" part?
Zash
on
mod_auth_dovecot simply passes on what the client sends. Please try to report this as a bug against the client (Jitsi).
The first part before the first \0, the authorization identity, is not normally used in XMPP and Prosodys own SASL code ignores it, but most clients leave it empty.
In the default mode, mod_auth_dovecot will forward the clients SASL messages to dovecot unaltered. Adding code to strip the authzid could be done, but it would be better to not need to. It would probably be easy to do, there's already similar code (the append host option). Feel free to try and submit a patch .)
PS: Earlier I thought this looked like what you get if you enable the append host option, but that was a case of not enough coffee. DS;
What steps will reproduce the problem? 1. Enable mod_auth_dovecot for Prosody for Jitsi Meet. 2. Use TCP connection by setting dovecot_auth_host and dovecot_auth_port 3. Add extra debug prints to sasl_dovecot.lib.lua to see what's actually sent. What is the expected output? Dovecot expects the "resp=" to be in the form of "\0account\0password" What do you see instead? mod_auth_dovecot sends "account@domain\0account\0password" What version of the product are you using? On what operating system? Debian Buster prosody-modules 0.0~hg20190203.b54e98d5c4a1+dfsg-1+deb10u1 prosody 0.11.2-1 Please provide any additional information below. Is there perhaps already a configuration option to avoid sending that "account@domain" part?
mod_auth_dovecot simply passes on what the client sends. Please try to report this as a bug against the client (Jitsi). The first part before the first \0, the authorization identity, is not normally used in XMPP and Prosodys own SASL code ignores it, but most clients leave it empty. In the default mode, mod_auth_dovecot will forward the clients SASL messages to dovecot unaltered. Adding code to strip the authzid could be done, but it would be better to not need to. It would probably be easy to do, there's already similar code (the append host option). Feel free to try and submit a patch .) PS: Earlier I thought this looked like what you get if you enable the append host option, but that was a case of not enough coffee. DS;
Changes