You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "Jiri Daněk (Jira)" <ji...@apache.org> on 2019/10/24 13:36:00 UTC
[jira] [Updated] (PROTON-2124) Disable GS2-KRB5 SASL mechanism if
it is not explicitly enabled
[ https://issues.apache.org/jira/browse/PROTON-2124?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jiri Daněk updated PROTON-2124:
-------------------------------
Description:
I've noticed two additional kerberos sasl mechanisms that aren't blacklisted
bq. [0xb80670]:0 <- @sasl-mechanisms(64) [sasl-server-mechanisms=@PN_SYMBOL[:"GS2-IAKERB", :"GS2-KRB5", :"SCRAM-SHA-1", :"SCRAM-SHA-256", :GSSAPI, :"GSS-SPNEGO", :"DIGEST-MD5", :OTP, :"CRAM-MD5", :ANONYMOUS]]
They are GS2-IAKERB and GS2-KRB5. The GS2-KRB5 is the problematic one, allowing GS2-IAKERB does not stop proton from trying ANONYMOUS eventually.
When GS2-KRB5 is enabled, I get this failure instead (in ctest tests, test 23, or when connecting {{sender}} example to {{broker}} example)
bq. 23: amqp:unauthorized-access: SASL(-1): generic failure: GS2 Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) (Authentication failed [mech=none])
I think those must be new. They appear on macOS, or if I install all cyrus-sasl packages on RHEL 7.7 or RHEL 8.1.
was:
Disable GSSAPI and GSS-SPNEGO SASL mechanisms if they are not explicitly enabled. See [this comment|https://issues.apache.org/jira/browse/PROTON-1354?focusedCommentId=16528272&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16528272] below for more details on enabling the mechanisms again.
> Disable GS2-KRB5 SASL mechanism if it is not explicitly enabled
> ---------------------------------------------------------------
>
> Key: PROTON-2124
> URL: https://issues.apache.org/jira/browse/PROTON-2124
> Project: Qpid Proton
> Issue Type: Improvement
> Components: proton-c
> Reporter: Jiri Daněk
> Assignee: Andrew Stitcher
> Priority: Major
> Labels: release-notes, sasl, usability
> Fix For: proton-c-0.24.0
>
>
> I've noticed two additional kerberos sasl mechanisms that aren't blacklisted
> bq. [0xb80670]:0 <- @sasl-mechanisms(64) [sasl-server-mechanisms=@PN_SYMBOL[:"GS2-IAKERB", :"GS2-KRB5", :"SCRAM-SHA-1", :"SCRAM-SHA-256", :GSSAPI, :"GSS-SPNEGO", :"DIGEST-MD5", :OTP, :"CRAM-MD5", :ANONYMOUS]]
> They are GS2-IAKERB and GS2-KRB5. The GS2-KRB5 is the problematic one, allowing GS2-IAKERB does not stop proton from trying ANONYMOUS eventually.
> When GS2-KRB5 is enabled, I get this failure instead (in ctest tests, test 23, or when connecting {{sender}} example to {{broker}} example)
> bq. 23: amqp:unauthorized-access: SASL(-1): generic failure: GS2 Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) (Authentication failed [mech=none])
> I think those must be new. They appear on macOS, or if I install all cyrus-sasl packages on RHEL 7.7 or RHEL 8.1.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org