Bug 902319 - Qpid authentication error '...no mechanism available: No worthy mechs found' is in some situations misleading
Summary: Qpid authentication error '...no mechanism available: No worthy mechs found' ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-cpp
Version: Development
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: ---
Assignee: mick
QA Contact: Michal Toth
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-01-21 11:26 UTC by Frantisek Reznicek
Modified: 2018-03-15 10:44 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-03-15 10:44:40 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 747314 0 medium CLOSED [RFE] Authentication error displayed for qpid is not meaningful 2021-02-22 00:41:40 UTC

Internal Links: 747314

Description Frantisek Reznicek 2013-01-21 11:26:33 UTC 
Description of problem:

Even after qpid authentication clean-up (bug 846465) there is situation when qpidd produce misleading error:

  from c++ client
    warning Closing connection due to internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)

  from python client
    Failed: AuthenticationFailure - Error in sasl_client_start (-4) SASL(-4): no mechanism available: No worthy mechs found


This message seems to be general SASL client error also shown in case when some authentication mechanisms are restricted in /etc/sasl2/qpidd.conf:
  /etc/sasl2/qpidd.conf:mech_list: DIGEST-MD5 PLAIN

and client ommited to specify user credentials:
  qpid-send --content-string "A" --connection-options "{sasl_mechanisms:DIGEST-MD5}" -a "myq;{create: sender, delete:sender}"
  qpid-stat -g [--sasl-mechanism=DIGEST-MD5]

Error message above listed refer to situation when there is no common authentication mechanism on server and client side.
But as seen above and also below same error is reported when there is common uthentication mechanism on server and client side but just credentials are not supplied.

Version-Release number of selected component (if applicable):
  python-qpid-0.18-4.el6.noarch
  python-qpid-qmf-0.18-13.el6.x86_64
  qpid-cpp-client-0.18-13.el6.x86_64
  qpid-cpp-client-devel-0.18-13.el6.x86_64
  qpid-cpp-client-devel-docs-0.18-13.el6.noarch
  qpid-cpp-client-rdma-0.18-13.el6.x86_64
  qpid-cpp-client-ssl-0.18-13.el6.x86_64
  qpid-cpp-debuginfo-0.18-13.el6.x86_64
  qpid-cpp-server-0.18-13.el6.x86_64
  qpid-cpp-server-cluster-0.18-13.el6.x86_64
  qpid-cpp-server-devel-0.18-13.el6.x86_64
  qpid-cpp-server-ha-0.18-13.el6.x86_64
  qpid-cpp-server-rdma-0.18-13.el6.x86_64
  qpid-cpp-server-ssl-0.18-13.el6.x86_64
  qpid-cpp-server-store-0.18-13.el6.x86_64
  qpid-cpp-server-xml-0.18-13.el6.x86_64
  qpid-java-client-0.18-6.el6.noarch
  qpid-java-common-0.18-6.el6.noarch
  qpid-java-example-0.18-6.el6.noarch
  qpid-jca-0.18-7.el6.noarch
  qpid-jca-xarecovery-0.18-7.el6.noarch
  qpid-jca-zip-0.18-7.el6.noarch
  qpid-qmf-0.18-13.el6.x86_64
  qpid-qmf-debuginfo-0.18-13.el6.x86_64
  qpid-qmf-devel-0.18-13.el6.x86_64
  qpid-tests-0.18-2.el6.noarch
  qpid-tools-0.18-7.el6_3.noarch
  rh-qpid-cpp-tests-0.18-13.el6.x86_64
  ruby-qpid-qmf-0.18-13.el6.x86_64


How reproducible:
100%

Steps to Reproduce:
1. change mech_list: /etc/sasl2/qpidd.conf:mech_list: DIGEST-MD5 PLAIN
   make sure auth=yes is in place for /etc/qpidd.conf
   make sure cyrus-sasl-md5 is installed
2. service qpidd restart
3. qpid-stat -g --sasl-mechanism=DIGEST-MD5
   pid-send --connection-options "{sasl_mechanisms:DIGEST-MD5}" -a "Q;{create: sender, delete:sender}"
4. error should not be misleading
See below transcript for details...

Actual results:
Misleading authentication error when credentials are not provided (but mechanism can be used).

Expected results:
Corrent and clear authentication error when credentials are not provided (but mechanism can be used).

Additional info:

# server machine (check on the same machine)

[root@dhcp-37-178 ~]# grep ^mech_list $(rpm -qlc qpid-cpp-server)
/etc/sasl2/qpidd.conf:mech_list: DIGEST-MD5 PLAIN
[root@dhcp-37-178 ~]# sasldblistusers2 -f /var/lib/qpidd/qpidd.sasldb
guest@QPID: userPassword
[root@dhcp-37-178 ~]# grep = /etc/qpidd.conf
mgmt-pub-interval=5
cluster-name=mycluster_X.178_X.179_X.181_X.192
log-enable=debug+
log-to-file=/var/lib/qpidd/qpidd.log
auth=yes
max-negotiate-time=60000
[root@dhcp-37-178 ~]# rpm -qa | grep cyrus-sasl
cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-md5-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-plain-2.1.23-13.el6_3.1.x86_64
[root@dhcp-37-178 ~]# qpid-stat -g 
Failed: AuthenticationFailure - Error in sasl_client_start (-4) SASL(-4): no mechanism available: No worthy mechs found
[root@dhcp-37-178 ~]# qpid-stat -g --sasl-mechanism=DIGEST-MD5
Failed: AuthenticationFailure - Error in sasl_client_start (-4) SASL(-4): no mechanism available: No worthy mechs found
[root@dhcp-37-178 ~]# qpid-stat -g -b guest/guest@localhost --sasl-mechanism=DIGEST-MD5 
Broker Summary:
  uptime   cluster                                                                connections  sessions  exchanges  queues
  ==========================================================================================================================
  10m 24s  mycluster_X.178_X.179_X.181_X.192<ACTIVE>                              1            1         9          10


# client machine (check client<->server)

[root@dhcp-37-181 ~]# rpm -qa | grep cyrus-sasl
cyrus-sasl-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-md5-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-plain-2.1.23-13.el6_3.1.x86_64
[root@dhcp-37-181 ~]# /opt/rh-qpid/clients/qpid-send --broker dhcp-37-178  --log-enable info+ --content-string "A" --connection-options "" -a "myq;{create: sender, delete:sender}" ; echo $?
2013-01-21 05:56:57 [Client] warning Closing connection due to internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
qpid-send: internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
1
[root@dhcp-37-181 ~]# /opt/rh-qpid/clients/qpid-send --broker dhcp-37-178  --log-enable info+ --content-string "A" --connection-options "{}" -a "myq;{create: sender, delete:sender}" ; echo $?
2013-01-21 05:57:04 [Client] info Trying to connect to dhcp-37-178...
2013-01-21 05:57:04 [Client] warning Closing connection due to internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
qpid-send: internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
1
[root@dhcp-37-181 ~]# /opt/rh-qpid/clients/qpid-send --broker dhcp-37-178  --log-enable info+ --content-string "A" --connection-options "{username:guest}" -a "myq;{create: sender, delete:sender}" ; echo $?
2013-01-21 05:57:15 [Client] info Trying to connect to dhcp-37-178...
Please enter your password
2013-01-21 05:57:17 [Security] info Installing security layer,  SSF: 128
2013-01-21 05:57:17 [Client] info Connected to dhcp-37-178
0
[root@dhcp-37-181 ~]# /opt/rh-qpid/clients/qpid-send --broker dhcp-37-178  --log-enable info+ --content-string "A" --connection-options "{username:guest, password:guest}" -a "myq;{create: sender, delete:sender}" ; echo $?
2013-01-21 05:57:26 [Client] info Trying to connect to dhcp-37-178...
2013-01-21 05:57:26 [Security] info Installing security layer,  SSF: 128
2013-01-21 05:57:26 [Client] info Connected to dhcp-37-178
0
[root@dhcp-37-181 ~]# /opt/rh-qpid/clients/qpid-send --broker dhcp-37-178  --log-enable info+ --content-string "A" --connection-options "{sasl_mechanisms:DIGEST-MD5}" -a "myq;{create: sender, delete:sender}" ; echo $?
2013-01-21 06:12:49 [Client] info Trying to connect to dhcp-37-178...
2013-01-21 06:12:49 [Client] warning Closing connection due to internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
qpid-send: internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
1
[root@dhcp-37-181 ~]# /opt/rh-qpid/clients/qpid-send --broker dhcp-37-178  --log-enable info+ --content-string "A" --connection-options "{sasl_mechanisms:DIGEST-MD5, username:guest}" -a "myq;{create: sender, delete:sender}" ; echo $?
2013-01-21 06:13:32 [Client] info Trying to connect to dhcp-37-178...
Please enter your password
2013-01-21 06:13:34 [Security] info Installing security layer,  SSF: 128
2013-01-21 06:13:34 [Client] info Connected to dhcp-37-178
0
[root@dhcp-37-181 ~]# /opt/rh-qpid/clients/qpid-send --broker dhcp-37-178  --log-enable info+ --content-string "A" --connection-options "{sasl_mechanisms:DIGEST-MD5, username:guest, password:guest}" -a "myq;{create: sender, delete:sender}" ; echo $?
2013-01-21 06:13:42 [Client] info Trying to connect to dhcp-37-178...
2013-01-21 06:13:42 [Security] info Installing security layer,  SSF: 128
2013-01-21 06:13:42 [Client] info Connected to dhcp-37-178
0
Comment 1 Frantisek Reznicek 2013-02-07 12:34:33 UTC 
Same problem appears in auth=no mode, see bug 908749 comment 0, specifically cases ABCD6 and ABCD9.
Comment 2 Michal Toth 2015-08-11 11:34:30 UTC 
Manually retested this forgotten bug using the latest 3.2.0 packages on both rhel6 archs, and rhel7.
"No worthy mechs found" is not always showing up. Instead, meaningful errors are reported like 
"qpid-send: Can't authenticate using PLAIN DIGEST-MD5"

Desired mechanism(s) not valid: CRAM-MD5 (supported: DIGEST-MD5 PLAIN) (/builddir/build/BUILD/qpid-cpp-0.34/src/qpid/client/ConnectionHandler.cpp:260)

Anonymous connections disabled, missing credentials

qpid-cpp-server-0.34-1.el6.i686
qpid-cpp-client-0.34-1.el6.i686
python-qpid-0.34-1.el6.noarch

Marking as verified
Comment 4 Sage Grigull 2018-03-12 00:42:21 UTC 
can this be marked as closed yet ?
Note You need to log in before you can comment on or make changes to this bug.