Posted to dev@qpid.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2019/10/24 13:57:00 UTC

[jira] [Commented] (PROTON-2124) Disable GS2-KRB5 SASL mechanism if it is not explicitly enabled

    [ https://issues.apache.org/jira/browse/PROTON-2124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16958908#comment-16958908 ] 

ASF GitHub Bot commented on PROTON-2124:
----------------------------------------

jdanekrh commented on pull request #199: PROTON-2124 Disable GS2-KRB5 SASL mechanism if it is not explicitly enabled
URL: https://github.com/apache/qpid-proton/pull/199
 
 
   
 


> Disable GS2-KRB5 SASL mechanism if it is not explicitly enabled
> ---------------------------------------------------------------
>
>                 Key: PROTON-2124
>                 URL: https://issues.apache.org/jira/browse/PROTON-2124
>             Project: Qpid Proton
>          Issue Type: Improvement
>          Components: proton-c
>            Reporter: Jiri Daněk
>            Assignee: Andrew Stitcher
>            Priority: Major
>              Labels: release-notes, sasl, usability
>             Fix For: proton-c-0.24.0
>
>
> I've noticed two additional Kerberos SASL mechanisms that aren't blacklisted:
> bq. [0xb80670]:0 <- @sasl-mechanisms(64) [sasl-server-mechanisms=@PN_SYMBOL[:"GS2-IAKERB", :"GS2-KRB5", :"SCRAM-SHA-1", :"SCRAM-SHA-256", :GSSAPI, :"GSS-SPNEGO", :"DIGEST-MD5", :OTP, :"CRAM-MD5", :ANONYMOUS]]
> They are GS2-IAKERB and GS2-KRB5. GS2-KRB5 is the problematic one; allowing GS2-IAKERB does not stop Proton from trying ANONYMOUS eventually.
> When GS2-KRB5 is enabled, I get this failure instead (in ctest tests, test 23, or when connecting the {{sender}} example to the {{broker}} example):
> bq. 23: amqp:unauthorized-access: SASL(-1): generic failure: GS2 Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired) (Authentication failed [mech=none])
> I think those must be new. They appear on macOS, or if I install all cyrus-sasl packages on RHEL 7.7 or RHEL 8.1.



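
An added example, not part of the original message and not Proton's own code: one way a client could apply the "off unless explicitly enabled" rule from the issue title to a server's offered mechanism list. The helper name `filter_mechs`, the space-separated list format and the contents of `default_off` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Mechanisms this example leaves off unless explicitly enabled.
 * Assumption for illustration, not Proton's actual list. */
static const char default_off[] = "GS2-KRB5 GS2-IAKERB GSSAPI GSS-SPNEGO";

/* Whole-token match of mech[0..len) in a space-separated list. */
static int list_has(const char *list, const char *mech, size_t len) {
    while (*list) {
        size_t n = strcspn(list, " ");
        if (n == len && memcmp(list, mech, len) == 0) return 1;
        list += n + strspn(list + n, " ");
    }
    return 0;
}

/* Hypothetical helper: write to out the offered mechanisms a client may try.
 * allowed == NULL means nothing was explicitly enabled.
 * Returns the number kept, or -1 if out is too small. */
int filter_mechs(const char *offered, const char *allowed, char *out, size_t outsz) {
    int kept = 0;
    size_t used = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (offered += strspn(offered, " "); *offered; offered += strspn(offered, " ")) {
        size_t n = strcspn(offered, " ");
        /* An explicit list wins; otherwise drop the default-off set. */
        int ok = allowed ? list_has(allowed, offered, n)
                         : !list_has(default_off, offered, n);
        if (ok) {
            if (used + n + 2 > outsz) return -1;   /* separator + token + NUL */
            if (kept++) out[used++] = ' ';
            memcpy(out + used, offered, n);
            out[used += n] = '\0';
        }
        offered += n;
    }
    return kept;
}

int main(void) {
    char buf[128];
    /* Constructed input: the mechanism names from the frame quoted above. */
    filter_mechs("GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 SCRAM-SHA-256 GSSAPI GSS-SPNEGO "
                 "DIGEST-MD5 OTP CRAM-MD5 ANONYMOUS", NULL, buf, sizeof buf);
    puts(buf);
    return 0;
}
```

With no explicit list, ANONYMOUS and the password-based mechanisms remain available, so a host without a valid Kerberos ticket never attempts GS2-KRB5; naming GS2-KRB5 in `allowed` turns it back on.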