Qpid Dispatch / DISPATCH-472

Default value of authenticatePeer parameter in listener configuration


Details

    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved

    Description

      The authenticatePeer parameter in listener configuration currently has the default value "no". I believe this can lead to misunderstandings causing security issues. Consider a listener configured like this:

      listener { 
          role: normal 
          host: 0.0.0.0 
          port: amqp 
          saslMechanisms: PLAIN DIGEST-MD5 CRAM-MD5 
      } 
      

      It has SASL authentication configured using username and password, and at first glance one might believe that such a listener is configured properly. However, because of the missing "authenticatePeer: yes" parameter, it is still possible to connect anonymously without the SASL layer.

      I believe it would be much better to either have the authenticatePeer parameter set to yes by default all the time, or at least when SASL is configured.

      Please have a look at the related discussion from the mailing list:
      http://qpid.2158936.n2.nabble.com/Dispatch-Default-value-of-authenticatePeer-td7648676.html
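
A configuration check for the case described in this issue, as an added example (not part of the original report and not Qpid Dispatch code). It parses listener blocks in the syntax shown above and reports each one whose effective authenticatePeer is not "yes"; the second sample listener, port 5671 and the function names are constructed for illustration.

```python
import re

# Constructed sample: the first listener is the one from the issue, the
# second sets authenticatePeer explicitly instead of relying on the default.
SAMPLE_CONF = """
listener {
    role: normal
    host: 0.0.0.0
    port: amqp
    saslMechanisms: PLAIN DIGEST-MD5 CRAM-MD5
}
listener {
    host: 0.0.0.0
    port: 5671
    saslMechanisms: PLAIN
    authenticatePeer: yes   # explicit
}
"""

BLOCK_RE = re.compile(r"^\s*(\w+)\s*\{(.*?)\}", re.S | re.M)
DEFAULT_AUTHENTICATE_PEER = "no"  # default value stated in the issue

def parse_entities(text):
    """Return [(entity_type, {attribute: value})] for each 'name { ... }' block."""
    text = re.sub(r"#.*", "", text)  # strip comments before parsing
    entities = []
    for kind, body in BLOCK_RE.findall(text):
        attrs = {}
        for line in body.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                attrs[key.strip()] = value.strip()
        entities.append((kind, attrs))
    return entities

def audit_listeners(text):
    """Report listeners that accept connections without authenticating the peer."""
    findings = []
    for kind, attrs in parse_entities(text):
        if kind != "listener":
            continue
        effective = attrs.get("authenticatePeer", DEFAULT_AUTHENTICATE_PEER)
        if effective.lower() != "yes":  # strict: only the value named in the issue passes
            findings.append({"host": attrs.get("host"), "port": attrs.get("port"),
                             "explicit": "authenticatePeer" in attrs,
                             "sasl_configured": "saslMechanisms" in attrs})
    return findings

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_CONF):
        print("unauthenticated listener:", f)
```

A finding with `sasl_configured` true and `explicit` false is exactly the misleading case from the description: mechanisms are listed, but the default still lets peers skip SASL.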


          People

            Unassigned
            scholzj Jakub Scholz
