#1070 internal SASL auth fails without even doing a challenge
Reporter
Plüss Roland
Owner
Zash
Created
Updated
Stars
★ (1)
Tags
Priority-Medium
Type-Defect
Status-Invalid
Plüss Roland
on
What steps will reproduce the problem?
1. Install a fresh Prosody with out-of-the-box settings
2. Add a test user
3. Try to log in with an XMPP tool (tested with Telepathy, Pidgin, other tools)
What is the expected output?
User is logged in
What do you see instead?
Login fails and log contains lines like this:
> c2s4161bfc8 debug Client sent opening <stream:stream> to xxx
> c2s4161bfc8 debug Sent reply <stream:stream> to client
> c2s4161bfc8 info Stream encrypted (TLSv1.2 with ECDHE-RSA-AES256-GCM-SHA384)
> c2s4161bfc8 debug Not offering disabled mechanism DIGEST-MD5
> c2s4161bfc8 debug Received[c2s_unauthed]: <auth http://www.google.com/talk/protocol/auth^Aclient-uses-full-bind-result='true' mechanism='SCRAM-SHA-1' xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
> xxx:auth_internal_plain debug get_password for username 'xxx'
> xxx:saslauth debug sasl reply: <failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><not-authorized/></failure>
> socket debug server.lua: client xxx:60686 read error: closed
> c2s4161bfc8 info Client disconnected: closed
What version of the product are you using? On what operating system?
Prosody 10, Gentoo 64bit, PostgreSQL (Prosody has a DB there and uses this for authing)
Please provide any additional information below.
Out-of-the-box configuration with only the necessary changes to have a PostgreSQL backend and use a Let's Encrypt certificate.
Zash
on
Your log snippet does not contain anything relating to SQL, suggesting that it is not configured correctly.
My guess is that it's using internal storage and the account does not exist there, which would explain the 'not-authorized' error.
Please double check your configuration and that you have restarted Prosody.
Changes
owner Zash
tags Status-NeedInfo
Plüss Roland
on
SQL is PostgreSQL. DB is working correctly. DB auth worked before update without a problem. User is present in DB. I've made sure to do the test with the account name and password listed in the DB. It's definitely a problem in Prosody and not the configuration. I turned debug to max in Prosody so I don't know what other information I could dig out.
(By the way, why did I not get notified about your comment on this ticket? I nearly missed it.)
Zash
on
Please post storage and auth configuration as well
Plüss Roland
on
Here are the relevant parts of the config file:
>>>>>
sql = {
    driver = "PostgreSQL";
    database = "prosody";
    username = "xxx";
    password = "xxx";
    host = "localhost";
}
c2s_require_encryption = true
-- disable_sasl_mechanisms = { "DIGEST-MD5" }
authentication = "internal_plain"
certificates = "certs"
<<<<<
Let me know if you need more info
Zash
on
What is the 'storage' option set to?
Plüss Roland
on
I don't have such an option. Is it new?
Zash
on
I think it was added in 0.8, an example of it should be in the default config file. If you don't have it set then you are not using SQL at all, but the default internal (file based) storage. This explains the logs. What you are seeing is simply that the account does not exist in the file based storage backend, or possibly that the password is wrong.
See https://prosody.im/doc/storage for more information.
Were you perhaps using authentication = "sql" before? What SQL schema do you have?
Changes
tags Status-Invalid
Plüss Roland
on
I had been using SQL before and it worked. I did add that option now and now it works again. It's a bit confusing you suddenly need this option where before you just configured the storage driver with "sql" or "internal" to get it working properly.
Zash
on
It should not be possible to have used "sql" authentication before, the module needed is not even included with Prosody. It would probably have been better if you had taken this to one of our support/discussion channels instead of the issue tracker.
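The resolution discussed in this thread, shown as a configuration fragment. This is an added example, not part of the original thread or the reporter's actual file: it reuses the settings posted above and adds the `storage` option; the credentials remain placeholders.

```lua
-- Added example: the posted settings plus the missing `storage` option.

-- Before (as posted): only the SQL connection details are present.
-- With no `storage` option, Prosody uses the default internal (file based)
-- storage, so auth_internal_plain looks the account up there and the
-- client gets <not-authorized/> even though the user exists in PostgreSQL.
--
--   sql = { driver = "PostgreSQL"; database = "prosody"; ... }
--   authentication = "internal_plain"

-- After: select the SQL backend explicitly.
storage = "sql"

sql = {
    driver = "PostgreSQL";
    database = "prosody";
    username = "xxx";  -- placeholder
    password = "xxx";  -- placeholder
    host = "localhost";
}

-- Unchanged: accounts are now read from the store selected above.
authentication = "internal_plain"
c2s_require_encryption = true
certificates = "certs"
```

Restart Prosody after changing the file, as requested earlier in the thread.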