Uploaded image for project: 'Qpid Proton'
  1. Qpid Proton
  2. PROTON-2124

Disable GS2-KRB5 and GS2-IAKERB SASL mechanisms if they are not explicitly enabled

    XMLWordPrintableJSON

Details

    Description

      I've noticed two additional kerberos sasl mechanisms that aren't blacklisted

      [0xb80670]:0 <- @sasl-mechanisms(64) [sasl-server-mechanisms=@PN_SYMBOL[:"GS2-IAKERB", :"GS2-KRB5", :"SCRAM-SHA-1", :"SCRAM-SHA-256", :GSSAPI, :"GSS-SPNEGO", :"DIGEST-MD5", :OTP, :"CRAM-MD5", :ANONYMOUS]]

      They are GS2-IAKERB and GS2-KRB5. The GS2-KRB5 is the problematic one, allowing GS2-IAKERB does not stop proton from trying ANONYMOUS eventually.

      When GS2-KRB5 is enabled, I get this failure instead (in ctest tests, test 23, or when connecting sender example to broker example)

      23: amqp:unauthorized-access: SASL(-1): generic failure: GS2 Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired) (Authentication failed [mech=none])

      I think those must be new. They appear on macOS, or if I install all cyrus-sasl packages on RHEL 7.7 or RHEL 8.1.

      Attachments

        Issue Links

          is a clone of

          Improvement - An improvement or enhancement to an existing feature or task. PROTON-1354 Disable GSSAPI and GSS-SPNEGO SASL mechanisms if they are not explicitly enabled

          • Major - Major loss of function.
          • Closed
          links to

          Web Link GitHub Pull Request #199

          Activity

            People

              jdanek Jiri Daněk
              jdanek Jiri Daněk
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: