messenger:jabber_xmpp

Differences

This view shows the differences between two revisions of the page.

Link zu dieser Vergleichsansicht

Beide Seiten der vorigen RevisionVorhergehende Überarbeitung
Nächste Überarbeitung
Vorhergehende Überarbeitung
messenger:jabber_xmpp [2021-04-16 00:19:03] – [Install "Prosody" on FreeBSD 12] manfred
messenger:jabber_xmpp [2021-04-16 00:43:20] (current) – [Install "Prosody" on FreeBSD 12] manfred
Line 1: Line 1:
 +====== Jabber / XMPP ======
 +
 +[[https://de.wikipedia.org/wiki/Jabber_Instant_Messenger|Jabber]] ist ein "Instant Messenger"-Protokoll, mit dem es möglich ist über verschlüsselte Kanäle zu chatten.
 +[[https://www.golem.de/0104/13580.html|Im April 2001 wurde vom Jabber - Instant Messenger die Version 1.7 veröffentlicht. - ... So unterstützt der neue Jabber Instant Messenger (JIM) Client automatische Verschlüsselung aller lokal gespeicherten Nachrichten und Passwörter sowie eine sichere Kommunikation über SSL. ...]]
 +
 +[[https://de.wikipedia.org/wiki/Jabber_Instant_Messenger|Jabber]] konkurierte mit [[https://de.wikipedia.org/wiki/ICQ|ICQ]].
 +[[https://de.wikipedia.org/wiki/ICQ|ICQ]] wurde 1996 in Israel entwickelt, 1998 an AOL verkauft und 2010 nach Russland verkauft, die alten Zugänge funktionieren immer noch.
 +
 +
 +===== Jabber-Server installieren =====
 +
 +[[https://www.linux-magazin.de/ausgaben/2015/04/einfuehrung2/|Aus Linux-Magazin 04/2015 - Aus dem Alltag eines Sysadmin: Prosody]]
 +
 +
 +==== "Prosody" auf FreeBSD 12 installieren ====
 +
 +**Prosody in der Version 0.11.2 kann schon Verschlüsselung mit "TLS 1.3".**
 +
 +Eigentlich wollte ich eJabber haben aber als mir die Konfiguration zu kompliziert wurde, habe ich mich für Prosody entschieden.
 +
 +als erstes das Programm installieren
 +  > pkg install net-im/prosody net-im/prosody-modules
 +
 +Die Besonderheit von [[https://de.wikipedia.org/wiki/Jabber_Instant_Messenger|Jabber]] gegenüber [[https://de.wikipedia.org/wiki/ICQ|ICQ]] ist die verschlüsselte Kommunikation.
 +Deshalb werden wir uns gleich einen SSL-Schlüssel mit selbst signiertem Zertifikat erstellen.
 +Für einen öffentlichen Server sollte man sich schon ein ordentliches holen aber als Familien-Chat und für Freunde, reicht ein selbst signiertes Zertifikat aus.
 +Denn verschlüsseln tun beide genauso gut (oder schlecht).
 +  > openssl req -rand /dev/urandom -new -x509 -newkey rsa:4096 -sha512 -nodes -keyout /usr/local/etc/prosody/certs/prosody.pem -keyform PEM -out /usr/local/etc/prosody/certs/prosody.pem -outform PEM -days 7000 -subj /emailAddress=fritz@gmx.net/C=DE/ST=Hessen/L=Frankfurt/O=privat/OU=ich/CN=domain.lan
 +  > chmod 0600 /usr/local/etc/prosody/certs/prosody.pem
 +  > chown prosody:prosody /usr/local/etc/prosody/certs/prosody.pem
 +
 +Konfigurationsdatei bearbeiten (ggf. die Modul-Zeile an die richtige stelle eintragen, die E-Mail-Adresse und den Hostnamen eintragen):
 +  > vi /usr/local/etc/prosody/prosody.cfg.lua
 +  ...
 +  plugin_paths = { "/usr/local/lib/prosody-modules" }
 +  ...
 +
 +startfähig machen
 +  > echo 'prosody_enable="YES"' >> /etc/rc.conf
 +
 +... hier meine Version:
 +<file lua /usr/local/etc/prosody/prosody.cfg.lua>
 +-- Prosody Example Configuration File
 +--
 +-- Information on configuring Prosody can be found on our
 +-- website at https://prosody.im/doc/configure
 +--
 +-- Tip: You can check that the syntax of this file is correct
 +-- when you have finished by running this command:
 +--     prosodyctl check config
 +-- If there are any errors, it will let you know what and where
 +-- they are, otherwise it will keep quiet.
 +--
 +-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
 +-- blanks. Good luck, and happy Jabbering!
 +
 +
 +---------- Server-wide settings ----------
 +-- Settings in this section apply to the whole server and are the default settings
 +-- for any virtual hosts
 +
 +-- This is a (by default, empty) list of accounts that are admins
 +-- for the server. Note that you must create the accounts separately
 +-- (see https://prosody.im/doc/creating_accounts for info)
 +-- Example: admins = { "user1@example.com", "user2@example.net" }
 +admins = { "admin@domain.lan" }
 +
 +-- Enable use of libevent for better performance under high load
 +-- For more information see: https://prosody.im/doc/libevent
 +--use_libevent = true
 +
 +-- Prosody will always look in its source directory for modules, but
 +-- this option allows you to specify additional locations where Prosody
 +-- will look for modules first. For community modules, see https://modules.prosody.im/
 +--plugin_paths = {}
 +plugin_paths = { "/usr/local/lib/prosody-modules" }
 +
 +-- This is the list of modules Prosody will load on startup.
 +-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
 +-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
 +modules_enabled = {
 +
 +        -- Generally required
 +                "roster"; -- Allow users to have a roster. Recommended ;)
 +                "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
 +                "tls"; -- Add support for secure TLS on c2s/s2s connections
 +                "dialback"; -- s2s dialback support
 +                "disco"; -- Service discovery
 +
 +        -- Not essential, but recommended
 +                "carbons"; -- Keep multiple clients in sync
 +                "pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
 +                "private"; -- Private XML storage (for room bookmarks, etc.)
 +                "blocklist"; -- Allow users to block communications with other users
 +                "vcard4"; -- User profiles (stored in PEP)
 +                "vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
 +
 +        -- Nice to have
 +                "version"; -- Replies to server version requests
 +                "uptime"; -- Report how long server has been running
 +                "time"; -- Let others know the time here on this server
 +                "ping"; -- Replies to XMPP pings with pongs
 +                "register"; -- Allow users to register on this server using a client and change passwords
 +                --"mam"; -- Store messages in an archive and allow users to access it
 +                --"csi_simple"; -- Simple Mobile optimizations
 +
 +        -- Admin interfaces
 +                "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
 +                --"admin_telnet"; -- Opens telnet console interface on localhost port 5582
 +
 +        -- HTTP modules
 +                --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
 +                --"websocket"; -- XMPP over WebSockets
 +                --"http_files"; -- Serve static files from a directory over HTTP
 +
 +        -- Other specific functionality
 +                --"limits"; -- Enable bandwidth limiting for XMPP connections
 +                --"groups"; -- Shared roster support
 +                --"server_contact_info"; -- Publish contact information for this service
 +                --"announce"; -- Send announcement to all online users
 +                --"welcome"; -- Welcome users who register accounts
 +                --"watchregistrations"; -- Alert admins of registrations
 +                --"motd"; -- Send a message to users when they log in
 +                --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
 +                --"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
 +}
 +
 +-- These modules are auto-loaded, but should you want
 +-- to disable them then uncomment them here:
 +modules_disabled = {
 +        -- "offline"; -- Store offline messages
 +        -- "c2s"; -- Handle client connections
 +        -- "s2s"; -- Handle server-to-server connections
 +        -- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
 +}
 +
 +-- Disable account creation by default, for security
 +-- For more information see https://prosody.im/doc/creating_accounts
 +--allow_registration = false
 +allow_registration = true
 +
 +-- Force clients to use encrypted connections? This option will
 +-- prevent clients from authenticating unless they are using encryption.
 +
 +c2s_require_encryption = true
 +
 +-- Force servers to use encrypted connections? This option will
 +-- prevent servers from authenticating unless they are using encryption.
 +
 +s2s_require_encryption = true
 +
 +-- Force certificate authentication for server-to-server connections?
 +
 +s2s_secure_auth = false
 +
 +-- Some servers have invalid or self-signed certificates. You can list
 +-- remote domains here that will not be required to authenticate using
 +-- certificates. They will be authenticated using DNS instead, even
 +-- when s2s_secure_auth is enabled.
 +
 +--s2s_insecure_domains = { "insecure.example" }
 +
 +-- Even if you disable s2s_secure_auth, you can still require valid
 +-- certificates for some domains by specifying a list here.
 +
 +--s2s_secure_domains = { "jabber.org" }
 +
 +-- Wenn diese pidfile-Sektion nicht an dieser Stelle steht,
 +-- dann bekommt man beim Start die folgende Fehlermeldung:
 +-- There is no 'pidfile' option in the configuration file, see https://prosody.im/doc/prosodyctl#pidfile for help
 +--
 +-- Required for init scripts and prosodyctl
 +--pidfile = "/usr/local/var/lib/prosody/prosody.pid"
 +pidfile = "/var/run/prosody/prosody.pid"
 +
 +-- Select the authentication backend to use. The 'internal' providers
 +-- use Prosody's configured data storage to store the authentication data.
 +
 +authentication = "internal_hashed"
 +
 +-- Select the storage backend to use. By default Prosody uses flat files
 +-- in its configured data directory, but it also supports more backends
 +-- through modules. An "sql" backend is included by default, but requires
 +-- additional dependencies. See https://prosody.im/doc/storage for more info.
 +
 +--storage = "sql" -- Default is "internal"
 +
 +-- For the "sql" backend, you can uncomment *one* of the below to configure:
 +--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
 +--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
 +--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
 +
 +
 +-- Archiving configuration
 +-- If mod_mam is enabled, Prosody will store a copy of every message. This
 +-- is used to synchronize conversations between multiple clients, even if
 +-- they are offline. This setting controls how long Prosody will keep
 +-- messages in the archive before removing them.
 +
 +archive_expires_after = "1w" -- Remove archived messages after 1 week
 +
 +-- You can also configure messages to be stored in-memory only. For more
 +-- archiving options, see https://prosody.im/doc/modules/mod_mam
 +
 +-- Logging configuration
 +-- For advanced logging see https://prosody.im/doc/logging
 +log = {
 +        info = "prosody.log"; -- Change 'info' to 'debug' for verbose logging
 +        error = "prosody.err";
 +        -- "*syslog"; -- Uncomment this for logging to syslog
 +        -- "*console"; -- Log to the console, useful for debugging with daemonize=false
 +}
 +
 +-- Uncomment to enable statistics
 +-- For more info see https://prosody.im/doc/statistics
 +-- statistics = "internal"
 +
 +-- Certificates
 +-- Every virtual host and component needs a certificate so that clients and
 +-- servers can securely verify its identity. Prosody will automatically load
 +-- certificates/keys from the directory specified here.
 +-- For more information, including how to use 'prosodyctl' to auto-import certificates
 +-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
 +
 +-- Location of directory to find certificates in (relative to main config file):
 +certificates = "certs"
 +
 +-- HTTPS currently only supports a single certificate, specify it here:
 +--https_certificate = "/usr/local/etc/prosody/certs/localhost.crt"
 +
 +----------- Virtual hosts -----------
 +-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
 +-- Settings under each VirtualHost entry apply *only* to that host.
 +
 +--VirtualHost "localhost"
 +VirtualHost "domain.lan"
 +
 +--VirtualHost "example.com"
 +--      certificate = "/path/to/example.crt"
 +certificate = "/usr/local/etc/prosody/certs/prosody.pem"
 +
 +------ Components ------
 +-- You can specify components to add hosts that provide special services,
 +-- like multi-user conferences, and transports.
 +-- For more information on components, see https://prosody.im/doc/components
 +
 +---Set up a MUC (multi-user chat) room server on conference.example.com:
 +--Component "conference.example.com" "muc"
 +--- Store MUC messages in an archive and allow users to access it
 +--modules_enabled = { "muc_mam" }
 +
 +---Set up an external component (default component port is 5347)
 +--
 +-- External components allow adding various services, such as gateways/
 +-- transports to other networks like ICQ, MSN and Yahoo. For more info
 +-- see: https://prosody.im/doc/components#adding_an_external_component
 +--
 +--Component "gateway.example.com"
 +--      component_secret = "password"
 +</file>
 +
 +Ich habe die folgenden Sektionen angepasst:
 +  * ''admins = ''
 +  * ''allow_registration = ''
 +  * ''pidfile = ''
 +  * ''VirtualHost = ''
 +  * ''certificate = ''
 +
 +ACHTUNG!\\
 +Wenn die Sektion "''pidfile = ''..." unten an die Konfigurationsdatei angehängt wird, dann bekommt man diese Fehlermeldung:
 +  There is no 'pidfile' option in the configuration file, see https://prosody.im/doc/prosodyctl#pidfile for help
 +
 +
 +  > /usr/local/etc/rc.d/prosody start
 +  Started
 +  
 +  > /usr/local/etc/rc.d/prosody status
 +  Prosody is running with PID 25683
 +
 +Wenn der Server gestartet ist, dann sollten die üblichen Ports offen sein:
 +  > netstat -anNp tcp | fgrep '52'
 +  tcp4            0 *.5269                 *.*                    LISTEN     
 +  tcp6            0 *.5269                 *.*                    LISTEN     
 +  tcp4            0 *.5222                 *.*                    LISTEN     
 +  tcp6            0 *.5222                 *.*                    LISTEN     
 +
 +So, und jetzt einen XMPP-fähigen Client installieren und los geht der Spaß.
 +
 +
 +=== "Prosody" - Bedienung ===
 +
 +<file bash about>
 +# prosodyctl about
 +Prosody 0.11.4
 +
 +# Prosody directories
 +Data directory:     /var/db/prosody
 +Config directory:   /usr/local/etc/prosody
 +Source directory:   /usr/local/lib/prosody
 +Plugin directories:
 +  /usr/local/lib/prosody-modules
 +  /usr/local/lib/prosody/modules/
 +
 +
 +# Lua environment
 +Lua version:                    Lua 5.2
 +
 +Lua module search paths:
 +  /usr/local/lib/prosody/?.lua
 +  /usr/local/share/lua/5.2/?.lua
 +  /usr/local/share/lua/5.2/?/init.lua
 +  /usr/local/lib/lua/5.2/?.lua
 +  /usr/local/lib/lua/5.2/?/init.lua
 +
 +Lua C module search paths:
 +  /usr/local/lib/prosody/?.so
 +  /usr/local/lib/lua/5.2/?.so
 +  /usr/local/lib/lua/5.2/loadall.so
 +
 +LuaRocks:               Not installed
 +
 +# Network
 +
 +Backend: select
 +
 +# Lua module versions
 +lfs:            LuaFileSystem 1.6.3
 +lxp:            LuaExpat 1.3.0
 +socket:         LuaSocket 3.0-rc1
 +ssl:            0.9
 +</file>
 +
 +auch kann man noch ein paar Basis-Kontrollen durchlauen lassen:
 +  # prosodyctl check
 +
 +die Benutzer kann man so anlegen:
 +  # prosodyctl adduser fritz@domain.lan
 +
 +die Passwörter der Benutzer kann man so ändern:
 +  # prosodyctl passwd fritz@domain.lan
 +
 +einen Benutzer kann man so löschen:
 +  # prosodyctl deluser fritz@domain.lan
 +
 +
 +===== Jabber-Client =====
 +
 +
 +==== Unix/FreeBSD/Linux ====
 +
 +
 +=== "PidGin" konfigurieren ===
 +
 +**Leider unterstützt PidGin z.Z. (2019) noch nicht die OMEMO-Verschlüsselung! Als Alternative sei [[https://gajim.org/|Gajim]] genannt.**
 +
 +Als erstes laden wir [[https://pidgin.im/download/|PidGin]] runter und installieren es.
 +
 +Die Konfiguration erfolgt dann jetzt in sechs Bildern:
 +
 +{{ :bilder:pidgin_1.png |}}
 +
 +{{ :bilder:pidgin_2.png |}}
 +
 +{{ :bilder:pidgin_3.png |}}
 +
 +{{ :bilder:pidgin_4.png |}}
 +
 +{{ :bilder:pidgin_5.png |}}
 +
 +{{ :bilder:pidgin_6.png |}}
 +
 +Das letzte Bild kommen nur, weil wir ein selbst signiertes Zertifikat verwenden.
 +
 +Um eine Verbindung aufzbauen, benötigt man einen Kontakt.
 +Das Menü, zum hinzufügen von Kontakten kann man entweder mit ''[Strg]''+''[B]'' oder über -> ''Kontakte'' -> ''Kontakt hinzufügen...'' öffnen.
 +In diesem Menü muß der Kontakt in "''Benutzername des Kontakts:''" in dieser Form eingegeben werden: **''fritz@domain.lan''**
 +Die anderen Felder kann man ausfüllen, muss es aber nicht.
 +
 +Jetzt bekommt der "Kontakt" eine Anfrage, dass er Dich authorisieren soll.
 +Wenn er das auch tut, wirst Du auch eine Anfrage zum authorisieren bekommen.
 +
 +__Nur wenn beide sich gegenseitig auf diese Weise authorisiert haben, können sie sich gegenseitig Nachrichten schreiben.__
 +
 +
 +==== Windows ====
 +
 +[[https://news.softpedia.com/news/Best-5-Jabber-Clients-for-Windows-in-Pictures-86636.shtml|Best 5 Jabber Clients for Windows in Pictures]]
 +  * **''[[https://jitsi.org/|Jitsi]]''** - es unterstützt nicht nur Audio- sondern auch Video-Anrufe
 +    * [[https://desktop.jitsi.org/Main/Download.html|Microsoft Windows installers]]
 +  * **''[[https://gajim.org/|Gajim]]''** - kann auch die OMEMO-Verschlüsselung!
 +    * [[https://gajim.org/downloads.php?lang=de#windows|Von Gajim gibt es für Windows sogar eine portable Version.]]
 +  * **''[[https://www.softpedia.com/get/Internet/Chat/Instant-Messaging/Pidgin.shtml|Pidgin]]''**
 +
 +
 +==== Android ====
 +
 +  * **''[[https://jitsi.org/|Jitsi]]''** - es unterstützt nicht nur Audio- sondern auch Video-Anrufe
 +    * [[https://www.appsdirectory.de/herunterladen/jitsi-meet/|Herunterladen Jitsi Meet]]
 +  * **''[[https://play.google.com/store/apps/details?id=com.xabber.android&hl=en_US|Xabber]]''**
 +
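Review bot: "allow_registration = true" together with the enabled "register" module, on a server that the netstat output shows listening on *.5222 and *.5269 on all interfaces, lets anyone who can reach the host create an account on "domain.lan"; the shipped default in the line just above it ("--allow_registration = false", commented "Disable account creation by default, for security") is the safer choice for a family server, and accounts are created with "prosodyctl adduser" further down the page anyway, so setting allow_registration = false costs nothing here (mod_register still lets existing users change their password). The "ACHTUNG" paragraph about the pidfile would also benefit from the reason: in Prosody's configuration every option that appears after a "VirtualHost" line is scoped to that host, so a "pidfile = ..." appended to the end of the file lands under VirtualHost "domain.lan" and prosodyctl does not find it as a global option; the same scoping is what makes the "certificate = ..." line placed directly after VirtualHost "domain.lan" apply to that host only. Finally, "s2s_secure_auth = false" with "s2s_require_encryption = true" means federated servers are encrypted but their certificates are not verified; for a private LAN-only server that is acceptable, but it is worth stating explicitly so that nobody reuses this file for a public deployment unchanged.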