qpid-dev mailing list archives

From "michael j. goulish (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (QPID-3337) eliminate guest/guest default username/password and use an explicit sasl mechanism list
Date Wed, 06 Jul 2011 20:15:17 GMT

     [ https://issues.apache.org/jira/browse/QPID-3337?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

michael j. goulish resolved QPID-3337.

    Resolution: Fixed

checkin 1143536.

> eliminate guest/guest default username/password and use an explicit sasl mechanism list
> ---------------------------------------------------------------------------------------
>                 Key: QPID-3337
>                 URL: https://issues.apache.org/jira/browse/QPID-3337
>             Project: Qpid
>          Issue Type: Bug
>          Components: C++ Broker
>            Reporter: michael j. goulish
>            Assignee: michael j. goulish
>             Fix For: 0.14
> Currently, we default to using the system-default sasl mechanisms list.  That
> list will include GSSAPI if the package is installed on the user's system.  But
> merely installing the GSSAPI package does not prepare qpidd to use GSSAPI.  The
> user must perform specific config steps to make it work.  And, since GSSAPI
> will be selected before other mechanisms, this means that many users will see
> qpidd fail as soon as they try --auth=yes.
> It also seems dangerous to allow PLAIN, since users who install qpidd will then
> have an insecure system by default.
> By accepting the system-default list we are allowing too many user-surprises.
> The solution is to explicitly control the mech list, probably only allowing a
> single mechanism such as DIGEST-MD5, and give the user sufficient instruction
> on how to set up other mechanisms when they are desired.
> NOTE -- I am also allowing ANONYMOUS, because some Python tools do not yet know how
> to send credentials, and this will allow them to continue working.

This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
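
An added example, not part of the original message or of the Qpid code base: a small audit of a Cyrus SASL application config for the conditions the issue describes (no explicit mech_list, GSSAPI, PLAIN, ANONYMOUS). The sample configs and the finding texts are constructed for illustration; the "key: value" file format and the mech_list option are Cyrus SASL's.

```python
# Added example: audit a Cyrus SASL application config ("key: value" lines)
# for the conditions described in QPID-3337. Samples are constructed.

SAMPLE_DEFAULT = """\
# constructed: no mech_list, so the system-default mechanism list applies
pwcheck_method: auxprop
auxprop_plugin: sasldb
"""

SAMPLE_EXPLICIT = """\
# constructed: explicit list matching the resolution described in the issue
pwcheck_method: auxprop
mech_list: DIGEST-MD5 ANONYMOUS
"""

def parse_sasl_conf(text):
    """Return {option: value} from 'key: value' lines, skipping # comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip().lower()] = value.strip()
    return opts

def audit_mech_list(text):
    """Return findings (wording is this example's own) for the mechanism list."""
    opts = parse_sasl_conf(text)
    if not opts.get("mech_list"):
        return ["no mech_list: system-default list applies; GSSAPI is offered "
                "if its package is installed, even when not configured"]
    mechs = [m.upper() for m in opts["mech_list"].split()]
    findings = []
    if "GSSAPI" in mechs:
        findings.append("GSSAPI listed: requires specific setup before it works")
    if "PLAIN" in mechs:
        findings.append("PLAIN listed: password is sent without protection "
                        "unless the transport is encrypted")
    if "ANONYMOUS" in mechs:
        findings.append("ANONYMOUS listed: clients may connect without credentials")
    return findings

if __name__ == "__main__":
    for name, conf in (("default", SAMPLE_DEFAULT), ("explicit", SAMPLE_EXPLICIT)):
        print(name, audit_mech_list(conf) or ["no findings"])
```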
