MongooseIM/ejabberd: HTTP authentication with SCRAM

I am currently playing with MongooseIM a bit and would like to use HTTP authentication together with SCRAM. I create the SCRAM hashes with Python passlib:

```python
import sys
from passlib.hash import scram


def main():
    # Hash the password given on the command line with passlib's SCRAM hash
    # (PBKDF2 with 4096 rounds and a random 16-byte salt).
    scram_hash = scram.encrypt(sys.argv[1], rounds=4096, salt_size=16)
    print(scram_hash)


if __name__ == "__main__":
    main()
```
Then I end up with something like this:

```
$scram$4096$BmAsRcgZA4AwRijl3FtLyQ$sha-1=AXh5FzYzEnf6PaVQNR79AZhkwz8,sha-256=YZceXCVhfCBrr8sM9k3eS.5bztHugerGzjO97emvn20,sha-512=2NyVspiE7MP6xBAEycAV5Z/nIbBlki3sHfWvVUPPnEkMt5b4VbZfDZ0s8lvE/ns0scPGWmfKhUobmZbjfFH6RA
```
Unfortunately, this format is not accepted by MongooseIM's HTTP authentication. I looked at the code and tried to figure out what the serialized form of the SCRAM-hashed password looks like; it appears to be this, from https://github.com/esl/MongooseIM/blob/master/apps/ejabberd/src/scram.erl:

```erlang
deserialize(<<?SCRAM_SERIAL_PREFIX, Serialized/binary>>) ->
    case catch binary:split(Serialized, <<",">>, [global]) of
        [StoredKey, ServerKey, Salt, IterationCount] ->
            {ok, #scram{storedkey = StoredKey,
                        serverkey = ServerKey,
                        salt = Salt,
                        iterationcount = binary_to_integer(IterationCount)}};
        _ ->
            ?WARNING_MSG("Incorrect serialized SCRAM: ~p, ~p", [Serialized]),
            {error, incorrect_scram}
    end;
```
From passlib I get the salt, the iteration count and the actual digests (sha-1, sha-256, sha-512), as far as I can tell, but what about the StoredKey and ServerKey from the Erlang code? How do I return the correctly serialized HTTP body from host/get_password?

Thanks in advance, Magnus
Thanks, but what exactly are StoredKey and ServerKey? How can I generate the corresponding password hashes in my own authentication service, decoupled from the MongooseIM server? – Magnus

You can check [password_to_scram](https://github.com/esl/MongooseIM/blob/master/apps/ejabberd/src/scram.erl#L139-L147). Basically, this SCRAM authentication method is an implementation of the SCRAM-SHA-1 mechanism described in [RFC 5802](https://tools.ietf.org/html/rfc5802). – michalwski

I just noticed you already figured it out. Well done! – michalwski
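The following is an added worked example, not code from the question, from MongooseIM or from passlib. It carries the RFC 5802 key derivation that michalwski points to through in Python and builds the four-field record that the `deserialize/1` clause above splits on commas: StoredKey = H(HMAC(SaltedPassword, "Client Key")) and ServerKey = HMAC(SaltedPassword, "Server Key"), with SaltedPassword = PBKDF2-HMAC-SHA1(password, salt, iterations). Assumptions to verify against your MongooseIM version: the value of `?SCRAM_SERIAL_PREFIX` is taken here to be `==SCRAM==,` (the macro as defined in ejabberd's scram.erl), and the three binary fields are standard base64. Because passlib's `$scram$` hash stores SaltedPassword itself (the PBKDF2 output), `keys_from_salted_password` lets an external auth service derive both keys from that stored value without ever seeing the plaintext again; `check_password` is the defender-side check such a service would run when MongooseIM hands it a password to verify.

```python
import base64
import hashlib
import hmac
import os

# Assumption: prefix as defined by the SCRAM_SERIAL_PREFIX macro in ejabberd's
# scram.erl. Confirm it in the scram.erl of the MongooseIM version you run.
SCRAM_SERIAL_PREFIX = "==SCRAM==,"
DIGEST = "sha1"  # MongooseIM's HTTP auth backend implements SCRAM-SHA-1 (RFC 5802)


def keys_from_salted_password(salted_password: bytes, digest: str = DIGEST):
    """RFC 5802 section 3: derive (StoredKey, ServerKey) from SaltedPassword."""
    client_key = hmac.new(salted_password, b"Client Key", digest).digest()
    stored_key = hashlib.new(digest, client_key).digest()
    server_key = hmac.new(salted_password, b"Server Key", digest).digest()
    return stored_key, server_key


def scram_keys(password: str, salt: bytes, iterations: int, digest: str = DIGEST):
    """SaltedPassword := Hi(password, salt, i) == PBKDF2-HMAC(digest), then the keys.
    RFC 5802 requires SASLprep on the password; it is not applied here."""
    salted = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, iterations)
    return keys_from_salted_password(salted, digest)


def password_to_scram(password: str, salt: bytes = None, iterations: int = 4096) -> str:
    """Build the serialized record MongooseIM's deserialize/1 expects:
    PREFIX + b64(StoredKey) "," b64(ServerKey) "," b64(Salt) "," IterationCount."""
    if salt is None:
        salt = os.urandom(16)  # same salt length the passlib call in the question uses
    stored_key, server_key = scram_keys(password, salt, iterations)
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return SCRAM_SERIAL_PREFIX + ",".join(
        [b64(stored_key), b64(server_key), b64(salt), str(iterations)]
    )


def deserialize(serialized: str) -> dict:
    """Mirror of the Erlang deserialize/1 clause: strip the prefix, split on ','."""
    if not serialized.startswith(SCRAM_SERIAL_PREFIX):
        raise ValueError("missing SCRAM serial prefix")
    parts = serialized[len(SCRAM_SERIAL_PREFIX):].split(",")
    if len(parts) != 4:
        raise ValueError("incorrect_scram")  # the Erlang code logs and returns this atom
    return {
        "storedkey": base64.b64decode(parts[0]),
        "serverkey": base64.b64decode(parts[1]),
        "salt": base64.b64decode(parts[2]),
        "iterationcount": int(parts[3]),
    }


def check_password(serialized: str, password: str) -> bool:
    """Recompute both keys from the stored salt/iterations and compare in constant time."""
    rec = deserialize(serialized)
    stored_key, server_key = scram_keys(password, rec["salt"], rec["iterationcount"])
    return hmac.compare_digest(stored_key, rec["storedkey"]) and hmac.compare_digest(
        server_key, rec["serverkey"]
    )


if __name__ == "__main__":
    # Constructed sample: the RFC 5802 section 5 test values (password "pencil").
    record = password_to_scram("pencil", base64.b64decode("QSXCR+Q6sek8bf92"), 4096)
    print(record)
    print("verifies:", check_password(record, "pencil"))
```

The salt is stored base64-encoded, so when a client later sends its ClientProof the server can decode it, recompute ClientKey from the proof and ClientSignature, hash it and compare against StoredKey; only SaltedPassword (or the two derived keys) ever needs to live in your external service, never the plaintext.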