Qpid / QPID-3337

eliminate guest/guest default username/password and use an explicit sasl mechanism list


    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.14
    • Component/s: C++ Broker
    • Labels:


      Currently, we default to using the system-default sasl mechanisms list. That
      list will include GSSAPI if the package is installed on the user's system. But
      merely installing the GSSAPI package does not prepare qpidd to use GSSAPI. The
      user must perform specific config steps to make it work. And, since GSSAPI
      will be selected before other mechanisms, this means that many users will see
      qpidd fail as soon as they try --auth=yes.

      It also seems dangerous to allow PLAIN, since users who install qpidd will then
      have an insecure system by default.

      By accepting the system-default list we are allowing too many user-surprises.

      The solution is to explicitly control the mech list, probably only allowing a
      single mechanism such as DIGEST-MD5, and give the user sufficient instruction
      on how to set up other mechanisms when they are desired.

      NOTE – I am also allowing ANONYMOUS, because some python tools do not yet know how to send credentials, and this will allow them to continue working.
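
An added example, not part of the original issue or the Qpid code base: a small audit of a Cyrus SASL server config that flags the conditions this issue describes (no explicit `mech_list`, or a list that includes GSSAPI, PLAIN or ANONYMOUS). The sample configs are constructed, and the function names are hypothetical.

```python
# Added example: audit a Cyrus SASL config for the mech-list risks in this issue.
# Function names and sample configs are constructed for illustration.
RISKS = {
    "GSSAPI": "selected before other mechanisms; fails unless configured for the broker",
    "PLAIN": "password is sent in cleartext unless the connection is encrypted",
    "ANONYMOUS": "clients may connect without credentials",
}

def parse_sasl_conf(text):
    """Parse 'key: value' option lines; blank lines and '#' comments are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip()] = value.strip()
    return opts

def audit_mech_list(text):
    """Return a list of (item, reason) findings for one config file's text."""
    opts = parse_sasl_conf(text)
    if not opts.get("mech_list"):
        # Without mech_list, every installed mechanism plugin is offered.
        return [("mech_list", "not set: the system-default mechanism list is used")]
    mechs = opts["mech_list"].upper().split()  # whitespace-separated list
    return [(m, RISKS[m]) for m in mechs if m in RISKS]

# Constructed sample configs.
SYSTEM_DEFAULT = "pwcheck_method: auxprop\nauxprop_plugin: sasldb\n"
PERMISSIVE = "mech_list: GSSAPI PLAIN DIGEST-MD5\n"
AS_PROPOSED = "# explicit list, as proposed in this issue\nmech_list: DIGEST-MD5 ANONYMOUS\n"

if __name__ == "__main__":
    samples = [("system default", SYSTEM_DEFAULT),
               ("permissive", PERMISSIVE),
               ("as proposed", AS_PROPOSED)]
    for name, conf in samples:
        print(name)
        for item, reason in audit_mech_list(conf):
            print(f"  {item}: {reason}")
```
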


        michael j. goulish created issue -
        michael j. goulish added a comment -

        checkin 1143536.

        michael j. goulish made changes -
        Field | Original Value | New Value
        Status | Open [ 1 ] | Resolved [ 5 ]
        Resolution | | Fixed [ 1 ]

        Justin Ross made changes -
        Status | Resolved [ 5 ] | Closed [ 6 ]

        Transition | Time In Source Status | Execution Times | Last Executer | Last Execution Date
        Open to Resolved | 1h 1m | 1 | michael j. goulish | 06/Jul/11 21:14
        Resolved to Closed | 753d 22h 40m | 1 | Justin Ross | 29/Jul/13 19:54


          • Assignee:
            michael j. goulish
          • Votes:
            0


            • Created: