Posted to dev@qpid.apache.org by "michael j. goulish (JIRA)" <ji...@apache.org> on 2011/07/06 22:15:17 UTC

[jira] [Resolved] (QPID-3337) eliminate guest/guest default username/password and use an explicit sasl mechanism list

     [ https://issues.apache.org/jira/browse/QPID-3337?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

michael j. goulish resolved QPID-3337.
--------------------------------------

    Resolution: Fixed

checkin 1143536.

> eliminate guest/guest default username/password and use an explicit sasl mechanism list
> ---------------------------------------------------------------------------------------
>
>                 Key: QPID-3337
>                 URL: https://issues.apache.org/jira/browse/QPID-3337
>             Project: Qpid
>          Issue Type: Bug
>          Components: C++ Broker
>            Reporter: michael j. goulish
>            Assignee: michael j. goulish
>             Fix For: 0.14
>
>
> Currently, we default to using the system-default sasl mechanisms list.  That
> list will include GSSAPI if the package is installed on the user's system.  But
> merely installing the GSSAPI package does not prepare qpidd to use GSSAPI.  The
> user must perform specific config steps to make it work.  And, since GSSAPI
> will be selected before other mechanisms, this means that many users will see
> qpidd fail as soon as they try --auth=yes.
> It also seems dangerous to allow PLAIN, since users who install qpidd will then
> have an insecure system by default.
> By accepting the system-default list we are allowing too many user-surprises.
> The solution is to explicitly control the mech list, probably only allowing a
> single mechanism such as DIGEST-MD5, and give the user sufficient instruction
> on how to set up other mechanisms when they are desired.
> NOTE -- I am also allowing ANONYMOUS, because some python tools do not yet know how to send credentials, and this will allow them to continue working.

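As an added example (not code from the Qpid project or from this issue), the check below audits a Cyrus SASL option file for the conditions the description names: no explicit mechanism list, GSSAPI or PLAIN on offer, and ANONYMOUS left enabled. It assumes the Cyrus SASL `key: value` file format and its `mech_list` option; the function names, finding codes and sample configs are constructed for illustration.

```python
# Added example: audit a SASL option file for an explicit, narrow mech_list.
EXPECTED = {"DIGEST-MD5", "ANONYMOUS"}  # the list the issue description settles on


def parse_sasl_conf(text):
    """Parse Cyrus SASL 'key: value' lines; '#' lines are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip().lower()] = value.strip()
    return opts


def audit_mech_list(text, expected=EXPECTED):
    """Return a list of (code, detail) findings for one config file."""
    mech_list = parse_sasl_conf(text).get("mech_list", "")
    if not mech_list:
        # Without mech_list the system-default set is offered.
        return [("NO_MECH_LIST", "system-default mechanisms apply; "
                 "GSSAPI and PLAIN may be offered if installed")]
    findings = []
    for mech in (m.upper() for m in mech_list.split()):
        if mech == "GSSAPI":
            findings.append(("GSSAPI_OFFERED", "preferred by clients but "
                             "fails unless separately configured"))
        elif mech == "PLAIN":
            findings.append(("PLAIN_OFFERED", "password is sent unprotected "
                             "unless the transport is encrypted"))
        elif mech == "ANONYMOUS":
            findings.append(("ANONYMOUS_OFFERED", "clients may connect "
                             "without credentials"))
        elif mech not in expected:
            findings.append(("UNEXPECTED_MECH", mech))
    return findings


def codes(text):
    return [code for code, _ in audit_mech_list(text)]


# Constructed sample configs (not taken from any real deployment).
NO_LIST = "# constructed sample\npwcheck_method: auxprop\n"
BROAD = "pwcheck_method: auxprop\nmech_list: GSSAPI PLAIN DIGEST-MD5\n"
EXPLICIT = "pwcheck_method: auxprop\nmech_list: DIGEST-MD5 ANONYMOUS\n"

if __name__ == "__main__":
    for name, conf in (("no list", NO_LIST), ("broad", BROAD), ("explicit", EXPLICIT)):
        print(name, audit_mech_list(conf))
```

The ANONYMOUS finding is informational for the configuration described in the issue, which keeps that mechanism on purpose for tools that cannot send credentials.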