MongooseIM/ejabberd: HTTP authentication using SCRAM

I am currently playing with MongooseIM a little and would like to use HTTP authentication together with SCRAM. I create the SCRAM hashes with Python passlib:
```python
import sys
from passlib.hash import scram


def main():
    # rounds=4096 is the SCRAM iteration count, salt_size=16 gives a 16-byte salt
    digest = scram.using(rounds=4096, salt_size=16).hash(sys.argv[1])
    print(digest)


if __name__ == "__main__":
    main()
```
Then I end up with something like this:
```
$scram$4096$BmAsRcgZA4AwRijl3FtLyQ$sha-1=AXh5FzYzEnf6PaVQNR79AZhkwz8,sha-256=YZceXCVhfCBrr8sM9k3eS.5bztHugerGzjO97emvn20,sha-512=2NyVspiE7MP6xBAEycAV5Z/nIbBlki3sHfWvVUPPnEkMt5b4VbZfDZ0s8lvE/ns0scPGWmfKhUobmZbjfFH6RA
```
Unfortunately this format is not accepted by MongooseIM's HTTP authentication. I had a look at the code and tried to figure out what the serialized form of a SCRAM password hash looks like, which seems to be here: https://github.com/esl/MongooseIM/blob/master/apps/ejabberd/src/scram.erl
```erlang
deserialize(<<?SCRAM_SERIAL_PREFIX, Serialized/binary>>) ->
    case catch binary:split(Serialized, <<",">>, [global]) of
        [StoredKey, ServerKey, Salt, IterationCount] ->
            {ok, #scram{storedkey = StoredKey,
                        serverkey = ServerKey,
                        salt = Salt,
                        iterationcount = binary_to_integer(IterationCount)}};
        _ ->
            %% one ~p for the single argument in the list
            ?WARNING_MSG("Incorrect serialized SCRAM: ~p", [Serialized]),
            {error, incorrect_scram}
    end;
```
From passlib I get the salt, the iteration count and the actual digests (sha-1, sha-256, sha-512), as far as I understand, but what about StoredKey and ServerKey in the Erlang code? How do I return the correctly serialized form in the HTTP body of host/get_password?

Thanks in advance, Magnus
Thanks, but what exactly are StoredKey and ServerKey? How can I generate the corresponding password hash from my own authentication service, separately from the MongooseIM server? – Magnus
You can check [password_to_scram](https://github.com/esl/MongooseIM/blob/master/apps/ejabberd/src/scram.erl#L139-L147). Basically this SCRAM authentication method is an implementation of the SCRAM-SHA-1 mechanism described in [RFC 5802](https://tools.ietf.org/html/rfc5802) – michalwski
I just noticed that you had already figured it out. Well done! – michalwski
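To spell out what StoredKey and ServerKey are, following michalwski's pointer to RFC 5802: the Python below is an added example, not code from the question, from MongooseIM or from passlib. It derives both keys either from a password or from the SaltedPassword that passlib already stores per digest, writes them in the four-field form the quoted `deserialize/1` clause splits on commas, and shows what the server does with each key during an authentication exchange (StoredKey checks the client's proof, ServerKey produces the `v=` signature). It assumes the serial prefix is `==SCRAM==,`, the value of `?SCRAM_SERIAL_PREFIX` in scram.erl (the macro is used but not defined in the snippet), and that passlib's salt and digest fields are its adapted base64 (`.` instead of `+`, no padding). The passlib string from the question is reused as sample input, and the "pencil" exchange from RFC 5802 section 5 is used to check the derivation.

```python
import base64
import hashlib
import hmac

# Assumed value of ?SCRAM_SERIAL_PREFIX in ejabberd/MongooseIM's scram.erl.
SCRAM_SERIAL_PREFIX = "==SCRAM==,"

# passlib output from the question (password unknown), used as sample input.
PASSLIB_EXAMPLE = (
    "$scram$4096$BmAsRcgZA4AwRijl3FtLyQ$sha-1=AXh5FzYzEnf6PaVQNR79AZhkwz8,"
    "sha-256=YZceXCVhfCBrr8sM9k3eS.5bztHugerGzjO97emvn20,"
    "sha-512=2NyVspiE7MP6xBAEycAV5Z/nIbBlki3sHfWvVUPPnEkMt5b4VbZfDZ0s8lvE/ns0scPGWmfKhUobmZbjfFH6RA"
)

# Test vector from RFC 5802 section 5: user "user", password "pencil".
RFC5802_SALT = base64.b64decode("QSXCR+Q6sek8bf92")
RFC5802_AUTH_MESSAGE = (
    "n=user,r=fyko+d2lbbFgONRv9qkxdawL,"
    "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,"
    "c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
)


def keys_from_salted_password(salted_password: bytes):
    """RFC 5802 section 3: the server keeps only StoredKey and ServerKey;
    neither lets it reconstruct ClientKey or the password."""
    client_key = hmac.new(salted_password, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    server_key = hmac.new(salted_password, b"Server Key", hashlib.sha1).digest()
    return stored_key, server_key


def scram_sha1_keys(password: str, salt: bytes, iterations: int):
    """SaltedPassword = Hi(password, salt, i), which is PBKDF2-HMAC-SHA-1."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    return keys_from_salted_password(salted)


def serialize_mongooseim(stored_key: bytes, server_key: bytes, salt: bytes, iterations: int) -> str:
    """==SCRAM==,StoredKey,ServerKey,Salt,IterationCount (base64 except the count)."""
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return SCRAM_SERIAL_PREFIX + ",".join([b64(stored_key), b64(server_key), b64(salt), str(iterations)])


def deserialize_mongooseim(serialized: str):
    """Inverse of serialize_mongooseim, with the same four-field check as the Erlang clause."""
    if not serialized.startswith(SCRAM_SERIAL_PREFIX):
        raise ValueError("missing SCRAM serial prefix")
    fields = serialized[len(SCRAM_SERIAL_PREFIX):].split(",")
    if len(fields) != 4:
        raise ValueError("incorrect serialized SCRAM")
    stored_key, server_key, salt, iterations = fields
    return (base64.b64decode(stored_key), base64.b64decode(server_key),
            base64.b64decode(salt), int(iterations))


def _ab64_decode(text: str) -> bytes:
    """passlib's adapted base64: '.' in place of '+', no '=' padding."""
    text = text.replace(".", "+")
    return base64.b64decode(text + "=" * (-len(text) % 4))


def passlib_scram_to_mongooseim(passlib_hash: str) -> str:
    """passlib stores the PBKDF2 output (SaltedPassword) per digest, so the
    sha-1 entry alone yields StoredKey and ServerKey without the password."""
    _, scheme, rounds, salt, digests = passlib_hash.split("$")
    if scheme != "scram":
        raise ValueError("not a passlib scram hash")
    per_algorithm = dict(part.split("=", 1) for part in digests.split(","))
    if "sha-1" not in per_algorithm:
        raise ValueError("MongooseIM's SCRAM-SHA-1 needs the sha-1 digest")
    stored_key, server_key = keys_from_salted_password(_ab64_decode(per_algorithm["sha-1"]))
    return serialize_mongooseim(stored_key, server_key, _ab64_decode(salt), int(rounds))


def verify_client_proof(stored_key: bytes, auth_message: str, client_proof_b64: str) -> bool:
    """Server side of RFC 5802: ClientKey = ClientProof XOR HMAC(StoredKey, AuthMessage),
    accepted only if H(ClientKey) equals the StoredKey on file."""
    client_signature = hmac.new(stored_key, auth_message.encode("utf-8"), hashlib.sha1).digest()
    client_proof = base64.b64decode(client_proof_b64)
    client_key = bytes(p ^ s for p, s in zip(client_proof, client_signature))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), stored_key)


def server_signature(server_key: bytes, auth_message: str) -> str:
    """ServerSignature = HMAC(ServerKey, AuthMessage), returned to the client as v=..."""
    sig = hmac.new(server_key, auth_message.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(sig).decode("ascii")


if __name__ == "__main__":
    # Body that a get_password handler could return for the passlib hash above
    print(passlib_scram_to_mongooseim(PASSLIB_EXAMPLE))
```

Because passlib keeps the SaltedPassword rather than the raw password, the conversion never needs the password itself; an authentication service that already stores passlib scram strings can answer get_password with the converted form directly, as long as the sha-1 digest is present.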