Uploaded image for project: 'Qpid Proton'
  1. Qpid Proton
  2. PROTON-2124

Disable GS2-KRB5 and GS2-IAKERB SASL mechanisms if they are not explicitly enabled

    XMLWordPrintableJSON

    Details

      Description

      I've noticed two additional kerberos sasl mechanisms that aren't blacklisted

      [0xb80670]:0 <- @sasl-mechanisms(64) [sasl-server-mechanisms=@PN_SYMBOL[:"GS2-IAKERB", :"GS2-KRB5", :"SCRAM-SHA-1", :"SCRAM-SHA-256", :GSSAPI, :"GSS-SPNEGO", :"DIGEST-MD5", :OTP, :"CRAM-MD5", :ANONYMOUS]]

      They are GS2-IAKERB and GS2-KRB5. The GS2-KRB5 is the problematic one, allowing GS2-IAKERB does not stop proton from trying ANONYMOUS eventually.

      When GS2-KRB5 is enabled, I get this failure instead (in ctest tests, test 23, or when connecting sender example to broker example)

      23: amqp:unauthorized-access: SASL(-1): generic failure: GS2 Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) (Authentication failed [mech=none])

      I think those must be new. They appear on macOS, or if I install all cyrus-sasl packages on RHEL 7.7 or RHEL 8.1.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                jdanek Jiri Daněk
                Reporter:
                jdanek Jiri Daněk
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: