Using client certificates to login¶
Passwordless authentication is possible in XMPP through the use of mechanisms such as SASL External. This mechanism has to be supported by both the client and the server. This page does not cover the server setup, but prosody has a mod_client_certs module which can perform this kind of authentication, and also helps you create a self-signed certificate.
Poezio configuration¶
If you created a certificate using the above link, you should have at least
two files, a .crt
(public key in PEM format) and a .key
(private key
in PEM format).
You only have to store the files wherever you want and set keyfile
with the path to the private key (.key
), and certfile with the
path to the public key (.crt
).
Authorizing your keys¶
Now your poezio is setup to try to use client certificates at each connection. However, you still need to inform your XMPP server that you want to allow those keys to access your account.
This is done through /cert_add. Once you have added your certificate, you can try to connect without a password by commenting the option.
Note
The /cert_add command and the others are only available if your server supports them.
Next¶
Now that this is setup, you might want to use /certs to list the keys currently known by your XMPP server, /cert_revoke or /cert_disable to remove them, and /cert_fetch to retrieve a public key.