From "Lorenz Quack (JIRA)" <j...@apache.org>
Subject [jira] [Created] (QPID-6540) Add ability to disable one or more of an authentication provider's mechanisms
Date Tue, 12 May 2015 11:26:00 GMT
Lorenz Quack created QPID-6540:

             Summary: Add ability to disable one or more of an authentication provider's mechanisms
                 Key: QPID-6540
                 URL: https://issues.apache.org/jira/browse/QPID-6540
             Project: Qpid
          Issue Type: Improvement
          Components: Java Broker
    Affects Versions: 0.32
            Reporter: Lorenz Quack

Currently authentication providers such as the SCRAM providers offer the client a choice to
authenticate using mechanisms PLAIN or SCRAM_SHA. The former is already restricted to those
using a secure transport.

If a client chooses SCRAM_SHA, then the secret is the salted password (stored within Broker
configuration) rather than the plain password itself.

If an attacker has access to the salted password, then they can use it to login via this mechanism.

It would be good if an authentication provider had the ability to disable one or more mechanisms.
Then an authentication provider such as SCRAM could be configured to accept only PLAIN (which
would be accepted only over SSL), which would force the user to be in possession of the clear
text password.

A port should verify that the given authentication provider exposes at least one usable mechanism.
That is, if a plain port is configured with an Auth Provider with only PLAIN, presumably, the
Port should fail to start.
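As an added illustration (standalone example code, not the Qpid broker's own implementation and not part of the reporter's text): a small Python model of the proposed per-provider "disabled mechanisms" setting together with the port start-up check described above. The mechanism names, port names and the rule that only PLAIN is transport-restricted are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Mechanisms that carry the clear-text password and are therefore only acceptable
# over a secure (TLS) transport. Assumed policy modelled on the issue text.
TRANSPORT_RESTRICTED = {"PLAIN"}


@dataclass
class AuthProvider:
    name: str
    mechanisms: set                                  # everything the provider implements
    disabled: set = field(default_factory=set)       # the proposed per-provider setting

    def enabled_mechanisms(self) -> set:
        unknown = self.disabled - self.mechanisms
        if unknown:  # refuse a config that disables something the provider never had
            raise ValueError(f"{self.name}: unknown mechanisms {sorted(unknown)}")
        return self.mechanisms - self.disabled


@dataclass
class Port:
    name: str
    secure_transport: bool        # True for an SSL/TLS port, False for a plain port
    provider: AuthProvider

    def usable_mechanisms(self) -> set:
        """Mechanisms a client connecting on this port could actually complete."""
        mechs = self.provider.enabled_mechanisms()
        if not self.secure_transport:
            mechs = mechs - TRANSPORT_RESTRICTED
        return mechs

    def start_error(self) -> Optional[str]:
        """None if the port may start, otherwise the reason it must refuse to."""
        if not self.usable_mechanisms():
            kind = "secure" if self.secure_transport else "plain"
            return (f"port {self.name!r}: provider {self.provider.name!r} exposes "
                    f"no mechanism usable over a {kind} transport")
        return None


# Constructed sample: a SCRAM-backed provider with its SCRAM mechanism disabled, so
# only PLAIN (hence only possession of the clear-text password) is accepted.
scram = AuthProvider("scram", {"PLAIN", "SCRAM-SHA-256"}, disabled={"SCRAM-SHA-256"})
tls_port = Port("amqps", secure_transport=True, provider=scram)    # starts, offers PLAIN
plain_port = Port("amqp", secure_transport=False, provider=scram)  # must fail to start

if __name__ == "__main__":
    for port in (tls_port, plain_port):
        print(port.name, sorted(port.usable_mechanisms()), port.start_error())
```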

This message was sent by Atlassian JIRA
