jdev - 2019-12-07


  1. paul has left

  2. Daniel has left

  3. bhaveshsgupta has left

  4. bhaveshsgupta has joined

  5. Daniel has joined

  6. kikuchiyo has joined

  7. larma has left

  8. moparisthebest has left

  9. moparisthebest has joined

  10. larma has joined

  11. Daniel has left

  12. bhaveshsgupta has left

  13. bhaveshsgupta has joined

  14. Daniel has joined

  15. bhaveshsgupta has left

  16. bhaveshsgupta has joined

  17. Daniel has left

  18. bhaveshsgupta has left

  19. Zash has left

  20. Zash has joined

  21. bhaveshsgupta has joined

  22. bhaveshsgupta has left

  23. Daniel has joined

  24. Daniel has left

  25. bhaveshsgupta has joined

  26. asterix has left

  27. asterix has joined

  28. asterix has left

  29. Daniel has joined

  30. kikuchiyo has left

  31. kikuchiyo has joined

  32. Daniel has left

  33. Daniel has joined

  34. Daniel has left

  35. Daniel has joined

  36. kikuchiyo has left

  37. kikuchiyo has joined

  38. kikuchiyo has left

  39. bhaveshsgupta has left

  40. bhaveshsgupta has joined

  41. Daniel has left

  42. Daniel has joined

  43. bhaveshsgupta has left

  44. Daniel has left

  45. bhaveshsgupta has joined

  46. kikuchiyo has joined

  47. kikuchiyo has left

  48. bhaveshsgupta has left

  49. kikuchiyo has joined

  50. bhaveshsgupta has joined

  51. kikuchiyo has left

  52. bhaveshsgupta has left

  53. bhaveshsgupta has joined

  54. kikuchiyo has joined

  55. Daniel has joined

  56. paul has joined

  57. kikuchiyo has left

  58. Daniel has left

  59. Daniel has joined

  60. kikuchiyo has joined

  61. Daniel has left

  62. goffi has joined

  63. kikuchiyo has left

  64. kikuchiyo has joined

  65. Daniel has joined

  66. kikuchiyo has left

  67. lovetox has joined

  68. asterix has joined

  69. asterix has left

  70. asterix has joined

  71. bhaveshsgupta has left

  72. kikuchiyo has joined

  73. bhaveshsgupta has joined

  74. kikuchiyo has left

  75. asterix has left

  76. asterix has joined

  77. kikuchiyo has joined

  78. kikuchiyo has left

  79. bhaveshsgupta has left

  80. bhaveshsgupta has joined

  81. asterix has left

  82. asterix has joined

  83. asterix has left

  84. asterix has joined

  85. wurstsalat has joined

  86. kikuchiyo has joined

  87. asterix has left

  88. asterix has joined

  89. ralphm has left

  90. ralphm has joined

  91. debacle has joined

  92. DebXWoody has left

  93. DebXWoody has joined

  94. asterix has left

  95. asterix has joined

  96. debacle has left

  97. asterix has left

  98. asterix has joined

  99. asterix has left

  100. asterix has joined

  101. kikuchiyo has left

  102. kikuchiyo has joined

  103. bhaveshsgupta has left

  104. pulkomandy has left

  105. pulkomandy has joined

  106. bhaveshsgupta has joined

  107. asterix has left

  108. asterix has joined

  109. asterix has left

  110. asterix has joined

  111. bhaveshsgupta has left

  112. bhaveshsgupta has joined

  113. pulkomandy has left

  114. pulkomandy has joined

  115. asterix has left

  116. pulkomandy has left

  117. asterix has joined

  118. ralphm has left

  119. pulkomandy has joined

  120. kikuchiyo has left

  121. asterix has left

  122. asterix has joined

  123. bhaveshsgupta has left

  124. bhaveshsgupta has joined

  125. kikuchiyo has joined

  126. bhaveshsgupta has left

  127. bhaveshsgupta has joined

  128. goffi has left

  129. debacle has joined

  130. asterix has left

  131. asterix has joined

  132. pulkomandy has left

  133. pulkomandy has joined

  134. lovetox

    hm can you "login" to an existing anonymous account?

  135. lovetox

    Gajim has the anonymous checkbox, in its login dialog and on the create new account dialog

  136. lovetox

    so I'm not sure what that is for

  137. lovetox

    I always thought anonymous is when I ask the server to give me some throwaway JID

  138. lovetox

    and the JID is gone after I end the session

  139. pep.

    "lovetox> hm can you "login" to an existing anonymous account?" < that's a server impl. detail, no?

  140. pep.

    I don't think a client can request it

  141. Zash

    How would you login to an existing account without any credentials?

  142. lovetox

    yeah, that doesn't make much sense

  143. lovetox

    there is no username specified anywhere in the flow

  144. lovetox

    so even if I wanted, I couldn't tell the server a preferred JID

  145. Zash

    You can pass something as data tho, but that's probably ignored

  146. strar has left

  147. lovetox

    no fixed JID is a bit of a problem client-impl-wise

  148. lovetox

    this means I can't add an account in the traditional way, as the JID was my account identifier

  149. Zash

    But that's sorta the case for normal accounts too. The username you enter in SASL doesn't have to be your JID localpart.

  150. lovetox

    yeah what else can it be?

  151. lovetox

    and where should I, as the client, get that value?

  152. Zash

    Anything

  153. Zash

    You get your JID in resource binding

  154. lovetox

    yeah but looking at IBR

  155. lovetox

    there is no way the server can communicate a username that is not the localpart of the JID

  156. lovetox

    it can't say, hey, you registered a@a.at, but your username is lovetox

  157. lovetox

    but I hear you, it's not a must in theory that SASL username == JID

  158. lovetox

    but I hear you, it's not a must in theory that SASL username == localpart

  159. Zash

    https://xmpp.org/rfcs/rfc6120.html#sasl-rules-username

  160. Zash

    username == localpart is recommended and the most common I imagine, outside some rare special deployments

  161. Zash

    Hm, there are some authentication backends for Prosody that use the database of some web forum software, which allows usernames that aren't valid JID nodeparts, so there's some mangling going on there.

  162. strar has joined

  163. lovetox

    funny, IBR does not even return the JID registered

  164. kikuchiyo has left

  165. lovetox

    so the server could register another localpart and tell me while binding

  166. Zash

    And the email ecosystem often uses the entire email address as username, which makes it a massive pain to use

  167. Zash

    Does IBR2 fix that?

  168. Zash

    Hm, https://xmpp.org/extensions/xep-0389.html looks kinda unspecified in that area

  169. Daniel has left

  170. lovetox

    this also fails with almost any XMPP client

  171. lovetox

    almost any client specifies a JID and pass field

  172. Zash

    Sure

  173. lovetox

    obviously the client can never guess the username from the JID if it's not the localpart

  174. Zash

    True

  175. Daniel has joined

  176. lovetox

    so it would need to be a username field

  177. pulkomandy has left

  178. lovetox

    and a second field specifying the server

  179. lovetox

    in a walled garden the second field would not be needed

  180. lovetox

    funny that Gajim has exactly that UI right now

  181. lovetox

    which most people feel is a pain

  182. Zash

    Can you type user@host as username?

  183. lovetox

    no, because Gajim puts both username and server together afterwards and it would yield an invalid jid

  184. Zash

    It's probably okay to not support username ≠ localpart deployments, or hide away the connection details for that in some advanced settings section

  185. Zash

    Gajim Enterprise Edition? 😀

  186. lovetox

    what really hurts is that the JID is our main key for everything account-related

  187. kikuchiyo has joined

  188. lovetox

    and with anonymous this changes on every connect

  189. lovetox

    maybe I just make the domain the key for anon accs

  190. lovetox

    and just allow one anon acc per domain in Gajim

  191. bhaveshsgupta has left

  192. pulkomandy has joined

  193. bhaveshsgupta has joined

  194. bhaveshsgupta has left

  195. bhaveshsgupta has joined

  196. debacle has left

  197. asterix has left

  198. asterix has joined

  199. Daniel has left

  200. pulkomandy has left

  201. Daniel has joined

  202. asterix has left

  203. asterix has joined

  204. asterix has left

  205. asterix has joined

  206. pulkomandy has joined

  207. asterix has left

  208. asterix has joined

  209. asterix has left

  210. asterix has joined

  211. bhaveshsgupta has left

  212. kikuchiyo has left

  213. bhaveshsgupta has joined

  214. sonny has joined

  215. asterix has left

  216. asterix has joined

  217. asterix has left

  218. asterix has joined

  219. pulkomandy has left

  220. pulkomandy has joined

  221. asterix has left

  222. asterix has joined

  223. kikuchiyo has joined

  224. sonny has left

  225. bhaveshsgupta has left

  226. pulkomandy has left

  227. asterix has left

  228. asterix has joined

  229. pulkomandy has joined

  230. kikuchiyo has left

  231. lovetox

    we don't have any XEP for password resets, or?

  232. kikuchiyo has joined

  233. lovetox

    we should really get IBR2 going

  234. rion has left

  235. Zash

    Everything2 😀

  236. pep.

    0389?

  237. pep.

    Or a new one?

  238. Zash

    XMPP2

  239. asterix has left

  240. asterix has joined

  241. asterix has left

  242. asterix has joined

  243. lovetox

    yes 0389

  244. lovetox

    though actually 0389 is missing the multi-stage functionality

  245. Zash

    lovetox, can I interest you in poking Sam or possibly taking over as author? 🙂

  246. lovetox

    ah I see, it's a little sentence at the end

  247. lovetox

    the server MAY send another challenge.

  248. Zash

    > If the client successfully completes the challenge, the server MAY return an empty <success/> element qualified by the 'urn:xmpp:register:0' namespace
    MAY? What else would it do?

  249. lovetox

    yeah it seems a bit weird, it seems like this is a XEP that is reused by other XEPs

  250. Zash

    SASL2, IBR2 and .. BIND2?

  251. lovetox

    and it lacks examples

  252. lovetox

    and Zash, now I know why IBR uses IQ before bind

  253. lovetox

    because all libs support callbacks on IQ responses, which you don't have with nonzas

  254. Zash

    Hack 🙁

  255. lovetox

    so implementing the whole process with nonzas is a bit harder

  256. Zash

    But they need to for SASL

  257. lovetox

    at least it would be nice to have ids on these nonzas

  258. lovetox

    so we can add callbacks for these in the future

  259. Zash

    I don't see the point. Pre-resource binding shouldn't have more than one thing anyways.

  260. Zash

    There should be no async or out of order events.

  261. asterix has left

  262. asterix has joined

  263. rion has joined

  264. Zash

    The point of id attrs is that you can send many requests and the answers can come back in any order.

  265. lovetox

    hm true

  266. lovetox

    but the same thing must work in an after-bind situation also

  267. lovetox

    hm or does it

  268. lovetox

    ah yes, for the change-password flow

  269. lovetox

    though this is maybe excluded here

  270. lovetox

    and should rightfully be excluded from IBR

  271. lovetox

    as it mixes pre-bind and after-bind use cases

  272. Zash

    agree

  273. Zash

    Hm

  274. lovetox

    change password should be just an ad-hoc flow

  275. lovetox

    there is no need to invent something new here

  276. lovetox

    ad-hoc has everything you would ever need for a change-password flow

  277. Zash

    You might need some way to signal that a password change is mandatory tho

  278. lovetox

    adds too much complexity in my opinion

  279. Zash

    Like, right after password recovery

  280. lovetox

    just send an email out to your users

  281. lovetox

    or an XMPP message with a web link

  282. lovetox

    but if you would do this

  283. lovetox

    this would also be a pre-bind deal for me

  284. lovetox

    right after auth

  285. lovetox

    present a must-change-password flow

  286. Zash was just looking for that in https://xmpp.org/extensions/xep-0388.html

  287. pulkomandy has left

  288. lovetox

    yeah, it's under 2.6.3

  289. lovetox

    so yes SASL2 would support that

  290. Zash

    Hm

  291. lovetox

    ok so we have multi-stage pre-bind IBR with IBR2

  292. Zash

    If password change can be either required or optional, then a user-initiated password change could be done by logging out and logging in+changing password

  293. lovetox

    we have pre-bind password changes with SASL2

  294. lovetox

    leaves a simple XEP that has after-bind password changes via ad-hoc

  295. Zash

    I wonder if that makes things easier for servers, as you rather want to kill/reset other sessions when the password is changed.

  296. asterix has left

  297. asterix has joined

  298. pulkomandy has joined

  299. lovetox

    problem is migration

  300. lovetox

    I was just thinking about 2FA

  301. lovetox

    but servers could offer both SASL versions as long as no 2FA is set

  302. lovetox

    and afterwards only SASL2

  303. Zash

    Sure

  304. lovetox

    ah no

  305. lovetox

    the server does not know the account before SASL :D

  306. lovetox

    so it can't just leave SASL2 out

  307. Zash

    Hm

  308. lovetox

    so you can always make a downgrade attack

  309. lovetox

    except for servers that only support SASL2, which makes migration a pain

  310. Zash

    Hm, like the problem of upgrading stored hashes to SCRAM-SHA-256 or so

  311. Zash

    So you can't enable 2FA until everyone supports SASL2

  312. Zash

    or something

  313. Zash

    I started on a SASL2 impl but I don't think it's complete

  314. Zash

    Would be good to have a client to test with tho

  315. kikuchiyo has left

  316. lovetox

    it's not an attack, I misspoke

  317. lovetox

    after enabling 2FA the server has to fail the SASL1 flow, obviously

  318. lovetox

    so no, it's not that big of a problem I guess

  319. lovetox

    users just have to be warned that if they activate 2FA they can only connect with clients that support 2FA

  320. lovetox

    obvious

  321. Zash

    But it affects everyone on the server

  322. Zash

    Or does it?

  323. lovetox

    no, 2FA can be set per account I guess

  324. lovetox

    could be a simple option in the register flow

  325. Zash

    So SASL1 would succeed for those

  326. lovetox

    yes

  327. Zash

    ...that haven't enabled it

  328. Zash

    I suppose you can make it so that the server doesn't let you enable 2FA from a client that used SASL1

  329. Alex has left

  330. Alex has joined

  331. Zash

    Then they can't lock themselves out as easily, and there's some incentive to upgrade

  332. lovetox

    how would you activate 2FA

  333. Zash

    Dunno

  334. lovetox

    only via IBR2

  335. lovetox

    so that must be a client that does support IBR2 but not SASL2

  336. lovetox

    in normal IBR there is no multi-stage

  337. lovetox

    which you need for any 2FA setup

  338. Zash

    Not being able to upgrade an existing account to 2FA seems like meh tho?

  339. lovetox

    yeah I guess there needs to be a separate XEP for that

  340. Zash

    You'd want to do that in connection to password change or something

  341. Zash

    XEPlosion!

  342. Zash

    😀

  343. lovetox

    2FA upgrade can be done again via ad-hoc

  344. lovetox

    no need to invent something there

  345. lovetox

    great

  346. lovetox

    SASL2 offers a stream feature of <mechanisms/>, qualified by the "urn:xmpp:sasl:1" namespace

  347. lovetox

    fits

  348. Zash

    heh

  349. Zash

    Well if you come up with a reason to bump the namespace, and then never again...

  350. Zash

    or it could be ...:sasl2:1

  351. pulkomandy has left

  352. pulkomandy has joined

  353. lovetox

    hm theoretically it should be easy to implement SASL2 in nbxmpp

  354. lovetox

    as SASL1 is already written like a plugin

  355. sonny has joined

  356. kikuchiyo has joined

  357. pulkomandy has left

  358. pulkomandy has joined

  359. sonny has left

  360. Daniel has left

  361. Daniel has joined

  362. pulkomandy has left

  363. sonny has joined

  364. Daniel has left

  365. Daniel has joined

  366. pulkomandy has joined

  367. Daniel has left

  368. Daniel has joined

  369. pulkomandy has left

  370. pulkomandy has joined

  371. asterix has left

  372. asterix has joined

  373. kikuchiyo has left

  374. pulkomandy has left

  375. asterix has left

  376. asterix has joined

  377. pulkomandy has joined

  378. aj has joined

  379. sonny has left

  380. kikuchiyo has joined

  381. pulkomandy has left

  382. pulkomandy has joined

  383. pulkomandy has left

  384. pulkomandy has joined

  385. pulkomandy has left

  386. kikuchiyo has left

  387. debacle has joined

  388. kikuchiyo has joined

  389. kikuchiyo has left

  390. Ge0rG has left

  391. kikuchiyo has joined

  392. SouL has left

  393. ralphm has joined

  394. asterix has left

  395. asterix has joined

  396. asterix has left

  397. asterix has joined

  398. asterix has left

  399. asterix has joined

  400. asterix has left

  401. asterix has joined

  402. Alex has left

  403. Alex has joined

  404. asterix has left

  405. asterix has joined

  406. ralphm has left

  407. ralphm has joined

  408. paul has left

  409. pulkomandy has joined

  410. pulkomandy has left

  411. pulkomandy has joined

  412. asterix has left

  413. asterix has joined

  414. asterix has left

  415. pulkomandy has left

  416. pulkomandy has joined

  417. kikuchiyo has left

  418. kikuchiyo has joined

  419. strar has left

  420. strar has joined