New SASL authentication method: SCRAM-SHA-1 (thanks to Stephen Röttger)(EJAB-1196)

1 files changed, 20 insertions, 1 deletions

diff --git a/doc/guide.tex b/doc/guide.tex
index 35636dcf3..890b1bff7 100644
--- a/doc/guide.tex
+++ b/doc/guide.tex
@@ -1225,12 +1225,31 @@ When the storage is configured for ODBC, the ODBC server is
 configured with the \term{odbc\_server} option, see
 \ref{mysql} for MySQL, \ref{pgsql} for PostgreSQL, \ref{mssql} for MSSQL, and \ref{odbc} for generic ODBC.
 
+The option \term{\{auth\_password\_format, plain|scram\}}
+defines in what format the users passwords are stored:
+\begin{description}
+    \titem{plain}
+    The password is stored as plain text in the database.
+    This is risky because the passwords can be read if your database gets compromised.
+    This is the default value.
+    This format allows clients to authenticate using:
+    the old Jabber Non-SASL (\xepref{0078}), \term{SASL PLAIN},
+    \term{SASL DIGEST-MD5}, and \term{SASL SCRAM-SHA-1}.
+
+    \titem{scram}
+    The password is not stored, only some information that allows to verify the hash provided by the client.
+    It is impossible to obtain the original plain password from the stored information;
+    for this reason, when this value is configured it cannot be changed to \term{plain} anymore.
+    This format allows clients to authenticate using: \term{SASL PLAIN} and \term{SASL SCRAM-SHA-1}.
+\end{description}
+
 Examples:
 \begin{itemize}
-\item To use internal Mnesia storage on all virtual hosts:
+\item To use internal Mnesia storage with hashed passwords on all virtual hosts:
 \begin{verbatim}
 {auth_method, storage}.
 {auth_storage, mnesia}.
+{auth_password_format, scram}.
 \end{verbatim}
 \item To use ODBC storage on all virtual hosts:
 \begin{verbatim}