Tails

#3 Updated by sycamoreone 2016-04-12 00:14:44

The good news: libpurple (at least in Debian uses the Cyrus SASL library, which supports SASL ANONYMOUS.

The not so good news: I can’t find a mention of anonymous logins or SASL ANONYMOUS in the Pidgin documentation and so far I haven’t found a public XMPP server that supports anonymous authentication for testing.. Next steps are to (1) look into the source tree, (2) ask Pidgin/XMPP people, and if necessary (3) set up a local Prosody server to try how Pidgin behaves.

#4 Updated by sycamoreone 2016-04-12 00:59:00

Setting up Prosody with SASL ANONYMOUS is in fact really easy, but this is what I get from Pidgin when I try to configure an account using the usual assistant:

(07:50:43) proxy: Connected to 127.0.0.1:5222.
(07:50:43) jabber: Sending (a@localhost):

(07:50:43) jabber: Sending (a@localhost):
(07:50:43) jabber: Recv (326):

ANONYMOUS
(07:50:43) sasl: Mechs found: ANONYMOUS
(07:50:43) sasl: No worthy mechs found
(07:50:43) connection: Connection error on 0x7fbcfec9b270 (reason: 3 description: Server does not use any supported authentication method)
(07:50:43) account: Disconnecting account a@localhost/ (0x7fbcfe1abb10)

#5 Updated by sycamoreone 2016-04-12 01:11:59

In libpurple/protocols/jabber/auth_cyrus.c:211 one finds

static JabberSaslState
jabber_auth_start_cyrus(JabberStream *js, PurpleXmlNode **reply, char **error)
{
    [...]
    sasl_security_properties_t secprops;
    gboolean again;
    gboolean plaintext = TRUE;

    /* Set up security properties and options */
    secprops.min_ssf = 0;
    secprops.security_flags = SASL_SEC_NOANONYMOUS;

    [...]

SASL_SEC_NOANONYMOUS is documented to mean " don’t permit mechanisms that allow anonymous login".

tl;dr SASL ANONYMOUS won’t work with Pidgin. Anonymous accounts with a standard password are still an option, but I don’t know yet, how this can be configured in standard XMPP servers.

#8 Updated by sajolida 2016-04-18 02:00:59

Moving Feature #11306#note-4 here. Tor uses anonymous logins on XMPP for live and one-time user support sessions. We could ask them for tricks or if we can use it for testing
maybe. Lunar set it up I think.

#10 Updated by sycamoreone 2016-08-18 01:28:56

sajolida wrote:
> Tor uses anonymous logins on XMPP for live and one-time user support sessions. We could ask them for tricks or if we can use it for testing maybe. Lunar set it up I think.

I asked Lunar about their setup. It is documented here in the Tor Project’s Trac.

The setup is based on Prosody and also features a webchat.

#14 Updated by anonym 2017-09-28 16:26:50

FWIW, Tor Messenger 0.5.0b1 (released today) supports “temporary XMPP accounts” (via jabber.otr.im) which I guess is what this ticket is about.

#15 Updated by anonym 2017-09-28 16:30:14

anonym wrote:
> FWIW, Tor Messenger 0.5.0b1 (released today) supports “temporary XMPP accounts” (via jabber.otr.im) which I guess is what this ticket is about.

Actually I think it’s something different, just in-band registration with random nick/password. But I believe it solves the same problem as SASL ANONYMOUS would for us.