Feature #11307

Make sure that anonymous XMPP logins work in Tails

Added by sycamoreone over 3 years ago. Updated about 1 year ago.

Status: Confirmed
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 04/03/2016
Due date:
% Done: 0%
Feature Branch:
Type of work: Research
Blueprint:
Starter:
Affected tool: Instant Messaging

Description

Before trying to find/organize an XMPP server that supports anonymous logins, we should make sure that these actually work in the XMPP client shipped in Tails.

It does not work in Pidgin (#11307#note-5) so this is blocked by #8573.


Related issues

Related to Tails - Bug #8573: Hopefully replace Pidgin some day (In Progress, 01/07/2015)
Duplicated by Tails - Bug #11701: Research the setup of the torproject's xmpp support (Resolved, 08/23/2016)
Blocks Tails - Feature #11317: Pass a call to host an XMPP server for Tails support (Confirmed, 04/04/2016)

Associated revisions

Revision 9d9f536a (diff)
Added by anonym about 2 years ago

Replace Pidgin blueprint: Tor Messenger supports "temporary XMPP accounts".

Refs: #8577, #11307

History

#1 Updated by intrigeri over 3 years ago

  • Status changed from New to Confirmed

#2 Updated by intrigeri over 3 years ago

  • Subject changed from Make sure that anonymous logins work in Pidgin/Tails to Make sure that anonymous XMPP logins work in Pidgin/Tails
  • Affected tool set to Instant Messaging

#3 Updated by sycamoreone over 3 years ago

The good news: libpurple (at least in Debian) uses the Cyrus SASL library, which supports SASL ANONYMOUS.

The not so good news: I can't find a mention of anonymous logins or SASL ANONYMOUS in the Pidgin documentation and so far I haven't found a public XMPP server that supports anonymous authentication for testing. Next steps are to (1) look into the source tree, (2) ask Pidgin/XMPP people, and if necessary (3) set up a local Prosody server to try how Pidgin behaves.

#4 Updated by sycamoreone over 3 years ago

Setting up Prosody with SASL ANONYMOUS is in fact really easy, but this is what I get from Pidgin when I try to configure an account using the usual assistant:

(07:50:43) proxy: Connected to 127.0.0.1:5222.
(07:50:43) jabber: Sending (a@localhost): <?xml version='1.0' ?>
(07:50:43) jabber: Sending (a@localhost): <stream:stream to='localhost' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
(07:50:43) jabber: Recv (326): <?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='bc71c093-7e8b-4efa-9bd6-67ee1ed4c105' from='localhost' version='1.0' xml:lang='en'><stream:features><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>ANONYMOUS</mechanism></mechanisms></stream:features>
(07:50:43) sasl: Mechs found: ANONYMOUS
(07:50:43) sasl: No worthy mechs found
(07:50:43) connection: Connection error on 0x7fbcfec9b270 (reason: 3 description: Server does not use any supported authentication method)
(07:50:43) account: Disconnecting account a@localhost/ (0x7fbcfe1abb10)

#5 Updated by sycamoreone over 3 years ago

In libpurple/protocols/jabber/auth_cyrus.c:211 one finds

static JabberSaslState
jabber_auth_start_cyrus(JabberStream *js, PurpleXmlNode **reply, char **error)
{
    [...]
    sasl_security_properties_t secprops;
    gboolean again;
    gboolean plaintext = TRUE;

    /* Set up security properties and options */
    secprops.min_ssf = 0;
    secprops.security_flags = SASL_SEC_NOANONYMOUS;

    [...]

SASL_SEC_NOANONYMOUS is documented to mean "don't permit mechanisms that allow anonymous login".

tl;dr SASL ANONYMOUS won't work with Pidgin. Anonymous accounts with a standard password are still an option, but I don't know yet how this can be configured in standard XMPP servers.
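
Added example, not part of the ticket or of Pidgin's code: a sketch of the negotiation seen in notes #4 and #5, parsing the server's advertised mechanisms and applying a client policy that excludes ANONYMOUS. The sample reply is constructed from the log above; the preference list and the selection logic are assumptions, a simplified model rather than Cyrus SASL's actual algorithm.

```python
import re
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
STREAMS_NS = "http://etherx.jabber.org/streams"

# Constructed sample: the server reply from the debug log above, trimmed.
SAMPLE_RECV = (
    "<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
    "xmlns:stream='http://etherx.jabber.org/streams' from='localhost' "
    "version='1.0'><stream:features>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>ANONYMOUS</mechanism></mechanisms></stream:features>"
)

# Hypothetical client preference order, strongest first.
PREFERENCE = ["SCRAM-SHA-1", "PLAIN", "ANONYMOUS"]


def offered_mechanisms(recv):
    """Return the SASL mechanisms advertised in <stream:features>."""
    match = re.search(r"<stream:features>.*?</stream:features>", recv, re.S)
    if match is None:
        return []
    # The <stream:stream> root is still open, so wrap the fragment to parse it.
    wrapped = "<r xmlns:stream='%s'>%s</r>" % (STREAMS_NS, match.group(0))
    root = ET.fromstring(wrapped)
    return [e.text.strip() for e in root.iter("{%s}mechanism" % SASL_NS) if e.text]


def pick_mechanism(offered, forbid_anonymous, preference=PREFERENCE):
    """Simplified selection model (an assumption, not Cyrus SASL's algorithm)."""
    allowed = [m for m in offered if not (forbid_anonymous and m == "ANONYMOUS")]
    for mech in preference:
        if mech in allowed:
            return mech
    return None  # corresponds to "No worthy mechs found" in the log


def anonymous_auth_stanza():
    """RFC 6120 <auth/> for ANONYMOUS; the optional trace data is omitted."""
    return "<auth xmlns='%s' mechanism='ANONYMOUS'/>" % SASL_NS


if __name__ == "__main__":
    offered = offered_mechanisms(SAMPLE_RECV)
    for forbid in (True, False):
        mech = pick_mechanism(offered, forbid)
        print(forbid, offered, anonymous_auth_stanza() if mech else "no usable mechanism")
```

With the policy enabled, a server that offers only ANONYMOUS leaves the client with nothing to select, which matches the connection error in the log.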

#6 Updated by sycamoreone over 3 years ago

  • Status changed from Confirmed to In Progress

#7 Updated by sycamoreone over 3 years ago

  • Blocks Feature #11317: Pass a call to host an XMPP server for Tails support added

#8 Updated by sajolida over 3 years ago

Moving #11306#note-4 here. Tor uses anonymous logins on XMPP for live and one-time user support sessions. We could ask them for tricks or if we can use it for testing maybe. Lunar set it up I think.

#9 Updated by BitingBird over 3 years ago

  • Parent task deleted (#7874)

Removing parent

#10 Updated by sycamoreone about 3 years ago

sajolida wrote:

Tor uses anonymous logins on XMPP for live and one-time user support sessions. We could ask them for tricks or if we can use it for testing maybe. Lunar set it up I think.

I asked Lunar about their setup. It is documented here in the Tor Project's Trac.

The setup is based on Prosody and also features a webchat.

#11 Updated by sycamoreone about 3 years ago

  • Related to Bug #11701: Research the setup of the torproject's xmpp support added

#12 Updated by sycamoreone about 3 years ago

  • Related to deleted (Bug #11701: Research the setup of the torproject's xmpp support)

#13 Updated by sycamoreone about 3 years ago

  • Duplicated by Bug #11701: Research the setup of the torproject's xmpp support added

#14 Updated by anonym about 2 years ago

FWIW, Tor Messenger 0.5.0b1 (released today) supports "temporary XMPP accounts" (via jabber.otr.im) which I guess is what this ticket is about.

#15 Updated by anonym about 2 years ago

anonym wrote:

FWIW, Tor Messenger 0.5.0b1 (released today) supports "temporary XMPP accounts" (via jabber.otr.im) which I guess is what this ticket is about.

Actually I think it's something different, just in-band registration with random nick/password. But I believe it solves the same problem as SASL ANONYMOUS would for us.

#16 Updated by intrigeri over 1 year ago

  • Subject changed from Make sure that anonymous XMPP logins work in Pidgin/Tails to Make sure that anonymous XMPP logins work in Tails
  • Description updated (diff)

#17 Updated by intrigeri over 1 year ago

  • Related to Bug #8573: Hopefully replace Pidgin some day added

#18 Updated by u about 1 year ago

  • Status changed from In Progress to Confirmed
  • Assignee deleted (sycamoreone)
