Bug 675713

Summary:	qpid broker-client authentication mechanism auto-selection is unpredictable (when mechanism is not selected manually)
Product:	Red Hat Enterprise MRG	Reporter:	Frantisek Reznicek <freznice>
Component:	qpid-cpp	Assignee:	mick <mgoulish>
Status:	CLOSED CURRENTRELEASE	QA Contact:	MRG Quality Engineering <mrgqe-bugs>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	1.3	CC:	esammons, iboverma, jross, tross
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2013-03-21 12:26:47 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:

Description Frantisek Reznicek 2011-02-07 13:48:28 UTC

Description of problem:

Authentication of client - broker without forcing authentication method on client surely depends on set of authentication mechanisms installed on target machine.

The picked authentication mechanism should be selected based on the mechanism security, i.e. when PLAIN and ANONYMOUS are both available on both client and server, then PLAIN should be used (assuming broker in auth=yes auth. mode)

There are multiple observations that above auth. mechanism selection is not done properly and less secure mechanism might be used.

Giving an easy example:
- Running broker with following config:
  [root@dhcp-37-203 ~]# cat /etc/qpidd.conf
  
  #log-enable=info+
  log-enable=debug+
  log-to-file=/tmp/qpidd.log
  auth=yes
- simple running perftest to demonstrate which mechanism is selected:
  qpid-perftest --username guest --password guest --count 1 -s


This behavior is very bad as some clients will fail to operate correctly (for instance low-latency job scheduling via qmf with credentials cumin/cumin) as in some cases (see last chapter) authentication will be done as ANONYMOUS instead of stronger and secure PLAIN.


Version-Release number of selected component (if applicable):
1.3 and later

How reproducible:
On some machines 100%, sometimes 0%

Steps to Reproduce:
1. set-up qpidd; service qpidd [re]start
2. qpid-perftest --username guest --password guest --count 1 -s
3. grep SASL <broker-log>
  
Actual results:
Authentication mechanisms are not selected predictably.

Expected results:
Authentication mechanisms should be  selected predictably.

Additional info:

Following transcripts show three different authentication mechanisms picked with the same configuration of /etc/sasl2/qpidd.conf and same installed cyrus-sasl* packages. First one selects ANONYMOUS, the second one LOGIN and third one PLAIN.



alpha] RHEL 5.6 i386
  [root@dhcp-37-202 ~]# service qpidd stop ; :> /tmp/qpidd.log ; service qpidd start
  Stopping Qpid AMQP daemon:                                 [  OK  ]
  Starting Qpid AMQP daemon:                                 [  OK  ]
  [root@dhcp-37-202 ~]# rpm -V qpid-cpp-server
  S.5....T  c /etc/qpidd.conf
  [root@dhcp-37-202 ~]# qpid-perftest --count 1 --username guest --password guest -s
  24.4072 11.6858 46.0719 0.0449921
  [root@dhcp-37-202 ~]# grep SASL /tmp/qpidd.log
  2011-02-07 13:19:26 info SASL enabled
  2011-02-07 13:19:33 info SASL: Mechanism list: ANONYMOUS LOGIN PLAIN
  2011-02-07 13:19:33 debug SASL: Starting authentication with mechanism: ANONYMOUS
  2011-02-07 13:19:33 info 127.0.0.1:5672-127.0.0.1:57067 SASL: Authentication succeeded for: anonymous@QPID
  2011-02-07 13:19:33 info SASL: Mechanism list: ANONYMOUS LOGIN PLAIN
  2011-02-07 13:19:33 debug SASL: Starting authentication with mechanism: ANONYMOUS
  2011-02-07 13:19:33 info 127.0.0.1:5672-127.0.0.1:57068 SASL: Authentication succeeded for: anonymous@QPID
  2011-02-07 13:19:33 info SASL: Mechanism list: ANONYMOUS LOGIN PLAIN
  2011-02-07 13:19:33 debug SASL: Starting authentication with mechanism: ANONYMOUS
  2011-02-07 13:19:33 info 127.0.0.1:5672-127.0.0.1:57069 SASL: Authentication succeeded for: anonymous@QPID
  2011-02-07 13:19:33 info SASL: Mechanism list: ANONYMOUS LOGIN PLAIN
  2011-02-07 13:19:33 debug SASL: Starting authentication with mechanism: ANONYMOUS
  2011-02-07 13:19:33 info 127.0.0.1:5672-127.0.0.1:57070 SASL: Authentication succeeded for: anonymous@QPID
  [root@dhcp-37-202 ~]# cat /etc/qpidd.conf
  
  #log-enable=info+
  log-enable=debug+
  
  log-to-file=/tmp/qpidd.log
  truncate=yes
  auth=yes
  [root@dhcp-37-202 ~]# rpm -qa | grep -E '(cyrus|qpid|qmf)' | sort
  cyrus-sasl-2.1.22-5.el5_4.3
  cyrus-sasl-devel-2.1.22-5.el5_4.3
  cyrus-sasl-lib-2.1.22-5.el5_4.3
  cyrus-sasl-plain-2.1.22-5.el5_4.3
  python-qmf-0.7.946106-14.el5
  python-qpid-0.7.946106-15.el5
  qmf-0.7.946106-28.el5
  qmf-devel-0.7.946106-28.el5
  qpid-cpp-client-0.7.946106-28.el5
  qpid-cpp-client-devel-0.7.946106-28.el5
  qpid-cpp-client-devel-docs-0.7.946106-28.el5
  qpid-cpp-client-ssl-0.7.946106-28.el5
  qpid-cpp-server-0.7.946106-28.el5
  qpid-cpp-server-cluster-0.7.946106-28.el5
  qpid-cpp-server-devel-0.7.946106-28.el5
  qpid-cpp-server-ssl-0.7.946106-28.el5
  qpid-cpp-server-store-0.7.946106-28.el5
  qpid-cpp-server-xml-0.7.946106-28.el5
  qpid-java-client-0.7.946106-15.el5
  qpid-java-common-0.7.946106-15.el5
  qpid-java-example-0.7.946106-15.el5
  qpid-tools-0.7.946106-12.el5
  [root@dhcp-37-202 ~]# rpm -V qpid-cpp-server
  S.5....T  c /etc/qpidd.conf
  [root@dhcp-37-202 ~]# rpm -qa | grep saslwr
  saslwrapper-0.1.934605-2.el5
  saslwrapper-devel-0.1.934605-2.el5
  ruby-saslwrapper-0.1.934605-2.el5
  python-saslwrapper-0.1.934605-2.el5
  [root@dhcp-37-202 ~]# uname -a
  Linux dhcp-37-202.lab.eng.brq.redhat.com 2.6.18-238.el5 #1 SMP Sun Dec 19 14:24:47 EST 2010 i686 i686 i386 GNU/Linux

beta] RHEL 5.6 x86_64

  [root@dhcp-37-203 ~]# service qpidd stop ; :> /tmp/qpidd.log ; service qpidd start
  Stopping Qpid AMQP daemon:                                 [  OK  ]
  Starting Qpid AMQP daemon:                                 [  OK  ]
  [root@dhcp-37-203 ~]# qpid-perftest --count 1 --username guest --password guest -s
  717.36  13.9669 358.102 0.349709
  [root@dhcp-37-203 ~]# grep SASL /tmp/qpidd.log
  2011-02-07 13:20:07 info SASL enabled
  2011-02-07 13:20:22 info SASL: Mechanism list: LOGIN PLAIN ANONYMOUS
  2011-02-07 13:20:22 debug SASL: Starting authentication with mechanism: LOGIN
  2011-02-07 13:20:22 debug SASL: sending challenge to client
  2011-02-07 13:20:22 debug SASL: sending challenge to client
  2011-02-07 13:20:22 info 127.0.0.1:5672-127.0.0.1:38571 SASL: Authentication succeeded for: guest@QPID
  2011-02-07 13:20:22 info SASL: Mechanism list: LOGIN PLAIN ANONYMOUS
  2011-02-07 13:20:22 debug SASL: Starting authentication with mechanism: LOGIN
  2011-02-07 13:20:22 debug SASL: sending challenge to client
  2011-02-07 13:20:22 debug SASL: sending challenge to client
  2011-02-07 13:20:22 info 127.0.0.1:5672-127.0.0.1:38572 SASL: Authentication succeeded for: guest@QPID
  2011-02-07 13:20:22 info SASL: Mechanism list: LOGIN PLAIN ANONYMOUS
  2011-02-07 13:20:22 debug SASL: Starting authentication with mechanism: LOGIN
  2011-02-07 13:20:22 debug SASL: sending challenge to client
  2011-02-07 13:20:22 debug SASL: sending challenge to client
  2011-02-07 13:20:22 info 127.0.0.1:5672-127.0.0.1:38573 SASL: Authentication succeeded for: guest@QPID
  2011-02-07 13:20:22 info SASL: Mechanism list: LOGIN PLAIN ANONYMOUS
  2011-02-07 13:20:22 debug SASL: Starting authentication with mechanism: LOGIN
  2011-02-07 13:20:22 debug SASL: sending challenge to client
  2011-02-07 13:20:22 debug SASL: sending challenge to client
  2011-02-07 13:20:22 info 127.0.0.1:5672-127.0.0.1:38574 SASL: Authentication succeeded for: guest@QPID
  [root@dhcp-37-203 ~]# cat /etc/qpidd.conf
  
  #log-enable=info+
  log-enable=debug+
  log-to-file=/tmp/qpidd.log
  truncate=yes
  auth=yes
  [root@dhcp-37-203 ~]# rpm -qa | grep -E '(cyrus|qpid|qmf)' | sort
  cyrus-sasl-2.1.22-5.el5_4.3
  cyrus-sasl-devel-2.1.22-5.el5_4.3
  cyrus-sasl-devel-2.1.22-5.el5_4.3
  cyrus-sasl-lib-2.1.22-5.el5_4.3
  cyrus-sasl-lib-2.1.22-5.el5_4.3
  cyrus-sasl-plain-2.1.22-5.el5_4.3
  cyrus-sasl-plain-2.1.22-5.el5_4.3
  python-qmf-0.7.946106-14.el5
  python-qpid-0.7.946106-15.el5
  qmf-0.7.946106-28.el5
  qmf-devel-0.7.946106-28.el5
  qpid-cpp-client-0.7.946106-28.el5
  qpid-cpp-client-devel-0.7.946106-28.el5
  qpid-cpp-client-devel-docs-0.7.946106-28.el5
  qpid-cpp-client-ssl-0.7.946106-28.el5
  qpid-cpp-server-0.7.946106-28.el5
  qpid-cpp-server-cluster-0.7.946106-28.el5
  qpid-cpp-server-devel-0.7.946106-28.el5
  qpid-cpp-server-ssl-0.7.946106-28.el5
  qpid-cpp-server-store-0.7.946106-28.el5
  qpid-cpp-server-xml-0.7.946106-28.el5
  qpid-java-client-0.7.946106-15.el5
  qpid-java-common-0.7.946106-15.el5
  qpid-java-example-0.7.946106-15.el5
  qpid-tools-0.7.946106-12.el5
  [root@dhcp-37-203 ~]# rpm -V qpid-cpp-server
  S.5....T  c /etc/qpidd.conf
  [root@dhcp-37-203 ~]# rpm -qa | grep saslwr
  ruby-saslwrapper-0.1.934605-2.el5
  saslwrapper-0.1.934605-2.el5
  saslwrapper-devel-0.1.934605-2.el5
  python-saslwrapper-0.1.934605-2.el5
  [root@dhcp-37-203 ~]# uname -a
  Linux dhcp-37-203.lab.eng.brq.redhat.com 2.6.18-238.el5 #1 SMP Sun Dec 19 14:22:44 EST 2010 x86_64 x86_64 x86_64 GNU/Linux

gamma] RHEL 5.6 x86_64 (another)

  [root@dhcp-26-233 /]# service qpidd stop ; :> /tmp/qpidd.log ; service qpidd start
  Stopping Qpid AMQP daemon:                                 [  OK  ]
  Starting Qpid AMQP daemon:                                 [  OK  ]
  [root@dhcp-26-233 /]# qpid-perftest --username guest --password guest --count 1 -s
  1569.86 27.6978 56.6524 0.0553246
  [root@dhcp-26-233 /]# grep SASL /tmp/qpidd.log
  2011-02-07 14:24:48 info SASL enabled
  2011-02-07 14:24:49 info SASL: Mechanism list: PLAIN ANONYMOUS LOGIN
  2011-02-07 14:24:49 debug SASL: Starting authentication with mechanism: PLAIN
  2011-02-07 14:24:49 info 127.0.0.1:5672-127.0.0.1:39662 SASL: Authentication succeeded for: guest@QPID
  2011-02-07 14:24:53 info SASL: Mechanism list: PLAIN ANONYMOUS LOGIN
  2011-02-07 14:24:53 debug SASL: Starting authentication with mechanism: PLAIN
  2011-02-07 14:24:53 info 127.0.0.1:5672-127.0.0.1:39663 SASL: Authentication succeeded for: guest@QPID
  2011-02-07 14:24:53 info SASL: Mechanism list: PLAIN ANONYMOUS LOGIN
  2011-02-07 14:24:53 debug SASL: Starting authentication with mechanism: PLAIN
  2011-02-07 14:24:53 info 127.0.0.1:5672-127.0.0.1:39664 SASL: Authentication succeeded for: guest@QPID
  2011-02-07 14:24:53 info SASL: Mechanism list: PLAIN ANONYMOUS LOGIN
  2011-02-07 14:24:53 debug SASL: Starting authentication with mechanism: PLAIN
  2011-02-07 14:24:53 info 127.0.0.1:5672-127.0.0.1:39665 SASL: Authentication succeeded for: guest@QPID
  2011-02-07 14:24:53 info SASL: Mechanism list: PLAIN ANONYMOUS LOGIN
  2011-02-07 14:24:53 debug SASL: Starting authentication with mechanism: PLAIN
  2011-02-07 14:24:53 info 127.0.0.1:5672-127.0.0.1:39666 SASL: Authentication succeeded for: guest@QPID
  [root@dhcp-26-233 /]# cat /etc/qpidd.conf
  #
  # Licensed to the Apache Software Foundation (ASF) under one
  # or more contributor license agreements.  See the NOTICE file
  # distributed with this work for additional information
  # regarding copyright ownership.  The ASF licenses this file
  # to you under the Apache License, Version 2.0 (the
  # "License"); you may not use this file except in compliance
  # with the License.  You may obtain a copy of the License at
  #
  #   http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing,
  # software distributed under the License is distributed on an
  # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  # KIND, either express or implied.  See the License for the
  # specific language governing permissions and limitations
  # under the License.
  #
  # Configuration file for qpidd. Entries are of the form:
  #   name=value
  #
  # (Note: no spaces on either side of '='). Using default settings:
  # "qpidd --help" or "man qpidd" for more details.
  cluster-mechanism=ANONYMOUS
  #cluster-name=freznice-virt-cluster
  #log-enable=info+
  log-enable=debug+
  #log-enable=trace+:management
  #log-enable=trace+
  log-to-file=/tmp/qpidd.log
  #mgmt-pub-interval=10
  
  #truncate=yes
  
  [root@dhcp-26-233 /]# rpm -qa | grep -E '(cyrus|qpid|qmf)' | sort
  cyrus-sasl-2.1.22-5.el5_4.3
  cyrus-sasl-devel-2.1.22-5.el5_4.3
  cyrus-sasl-devel-2.1.22-5.el5_4.3
  cyrus-sasl-lib-2.1.22-5.el5_4.3
  cyrus-sasl-lib-2.1.22-5.el5_4.3
  cyrus-sasl-plain-2.1.22-5.el5_4.3
  cyrus-sasl-plain-2.1.22-5.el5_4.3
  python-qmf-0.7.946106-14.el5
  python-qpid-0.7.946106-15.el5
  qmf-0.7.946106-28.el5
  qmf-devel-0.7.946106-28.el5
  qpid-cpp-client-0.7.946106-28.el5
  qpid-cpp-client-devel-0.7.946106-28.el5
  qpid-cpp-client-devel-docs-0.7.946106-28.el5
  qpid-cpp-client-ssl-0.7.946106-28.el5
  qpid-cpp-mrg-debuginfo-0.7.946106-27.el5
  qpid-cpp-server-0.7.946106-28.el5
  qpid-cpp-server-cluster-0.7.946106-28.el5
  qpid-cpp-server-devel-0.7.946106-28.el5
  qpid-cpp-server-ssl-0.7.946106-28.el5
  qpid-cpp-server-store-0.7.946106-28.el5
  qpid-cpp-server-xml-0.7.946106-28.el5
  qpid-java-client-0.7.946106-15.el5
  qpid-java-common-0.7.946106-15.el5
  qpid-java-example-0.7.946106-15.el5
  qpid-tools-0.7.946106-12.el5
  [root@dhcp-26-233 /]# rpm -V qpid-cpp-server
  S.5....T  c /etc/qpidd.conf
  [root@dhcp-26-233 /]# rpm -qa | grep saslwr
  saslwrapper-0.1.934605-2.el5
  ruby-saslwrapper-0.1.934605-2.el5
  python-saslwrapper-0.1.934605-2.el5
  saslwrapper-devel-0.1.934605-2.el5
  [root@dhcp-26-233 /]# uname -a
  Linux dhcp-26-233.brq.redhat.com 2.6.18-238.el5 #1 SMP Sun Dec 19 14:22:44 EST 2010 x86_64 x86_64 x86_64 GNU/Linux

Comment 1 Frantisek Reznicek 2011-02-07 13:57:26 UTC

From the behavior we can see the broker's authentication mechanisms listed in log file have different order:

  2011-02-07 13:19:33 info SASL: Mechanism list: ANONYMOUS LOGIN PLAIN

or

  2011-02-07 13:20:22 info SASL: Mechanism list: LOGIN PLAIN ANONYMOUS

or

  2011-02-07 14:24:49 info SASL: Mechanism list: PLAIN ANONYMOUS LOGIN


and then (if client supports those three as well) the first matching is used,
in our case it would be ANONYMOUS / LOGIN / PLAIN resp.

See Additional info section for more details.

Comment 2 Frantisek Reznicek 2011-02-07 14:07:13 UTC

Expected results (from Comment 1 / Additional info sections) are:
  if both broker and client supports ANONYMOUS and LOGIN and PLAIN, then PLAIN
should be selected automatically (as LOGIN and ANONYMOUS are less secure /
weaker authentications).

Comment 3 Justin Ross 2013-02-25 13:00:21 UTC

An update: "broker without forcing authentication method on client surely depends on set of authentication mechanisms installed on target machine".  This is no longer true.  As of 2.3, we have an explicit mech list (bug 846465).

In general, we recommend users edit the mech list to exclude less secure mechanisms.

Frantisek, what remains to fix here?  The order of client mech lists?

Comment 4 Frantisek Reznicek 2013-03-18 15:53:37 UTC

I retested the testing scenario on last stable packages and testing results prove that defect is fixed.


-> VERIFIED

[root@mrg-qe-10 messaging]# echo guest | saslpasswd2 -c -p -f /var/lib/qpidd/qpidd.sasldb -u QPID guest
[root@mrg-qe-10 messaging]# sasldblistusers2 -f /var/lib/qpidd/qpidd.sasldb
guest@QPID: userPassword

------------------------------------- c++ spout

[root@mrg-qe-10 messaging]# ./spout --connection-options '{username:guest, password:guest, sasl-mechanisms:PLAIN}' "ADDR1; {create:sender}"
[root@mrg-qe-10 messaging]# ./spout --connection-options '{username:guest, password:guest}' "ADDR1; {create:sender}"
[root@mrg-qe-10 messaging]# ./spout  "ADDR1; {create:sender}"
[root@mrg-qe-10 messaging]# grep SASL ~qpidd/qpidd.log
2013-03-18 11:24:51 [Security] info SASL: Mechanism list: ANONYMOUS DIGEST-MD5 PLAIN
2013-03-18 11:24:51 [Security] info SASL: Starting authentication with mechanism: PLAIN
2013-03-18 11:24:51 [Security] info 127.0.0.1:5672-127.0.0.1:51712 SASL: Authentication succeeded for: guest@QPID
2013-03-18 11:25:31 [Security] info SASL: Mechanism list: ANONYMOUS DIGEST-MD5 PLAIN
2013-03-18 11:25:31 [Security] info SASL: Starting authentication with mechanism: DIGEST-MD5
2013-03-18 11:25:31 [Security] debug SASL: sending challenge to client
2013-03-18 11:25:31 [Security] debug SASL: sending challenge to client
2013-03-18 11:25:31 [Security] info 127.0.0.1:5672-127.0.0.1:51713 SASL: Authentication succeeded for: guest@QPID
2013-03-18 11:31:59 [Security] info SASL: Mechanism list: ANONYMOUS DIGEST-MD5 PLAIN
2013-03-18 11:31:59 [Security] info SASL: Starting authentication with mechanism: ANONYMOUS
2013-03-18 11:31:59 [Security] info 127.0.0.1:5672-127.0.0.1:51718 SASL: Authentication succeeded for: anonymous@QPID


------------------------------------- c++ qpid-perftest (shortened)

[root@mrg-qe-10 messaging]# qpid-perftest --count 1 -s
25.1315 8.29734 49.1037 0.0479528
[root@mrg-qe-10 messaging]# qpid-perftest --count 1 -s --username guest --password guest
24.9295 22.5437 48.7552 0.0476125
[root@mrg-qe-10 messaging]# qpid-perftest --count 1 -s --username guest --password guest --mechanism PLAIN
25.1362 8.1947  24.9686 0.0243834
[root@mrg-qe-10 messaging]# grep SASL ~qpidd/qpidd.log
2013-03-18 11:39:19 [Security] info SASL: Mechanism list: ANONYMOUS DIGEST-MD5 PLAIN
2013-03-18 11:39:19 [Security] info SASL: Starting authentication with mechanism: ANONYMOUS
2013-03-18 11:39:19 [Security] info [::1]:5672-[::1]:56975 SASL: Authentication succeeded for: anonymous@QPID
2013-03-18 11:39:19 [Security] info SASL: Mechanism list: ANONYMOUS DIGEST-MD5 PLAIN
2013-03-18 11:39:19 [Security] info SASL: Starting authentication with mechanism: ANONYMOUS
2013-03-18 11:39:19 [Security] info [::1]:5672-[::1]:56976 SASL: Authentication succeeded for: anonymous@QPID
2013-03-18 11:39:19 [Security] info SASL: Mechanism list: ANONYMOUS DIGEST-MD5 PLAIN
2013-03-18 11:39:19 [Security] info SASL: Starting authentication with mechanism: ANONYMOUS
2013-03-18 11:39:19 [Security] info [::1]:5672-[::1]:56977 SASL: Authentication succeeded for: anonymous@QPID
2013-03-18 11:39:19 [Security] info SASL: Mechanism list: ANONYMOUS DIGEST-MD5 PLAIN
2013-03-18 11:39:19 [Security] info SASL: Starting authentication with mechanism: ANONYMOUS
2013-03-18 11:39:19 [Security] info [::1]:5672-[::1]:56978 SASL: Authentication succeeded for: anonymous@QPID
2013-03-18 11:39:36 [Security] info SASL: Mechanism list: ANONYMOUS DIGEST-MD5 PLAIN
2013-03-18 11:39:36 [Security] info SASL: Starting authentication with mechanism: DIGEST-MD5
2013-03-18 11:39:36 [Security] debug SASL: sending challenge to client
2013-03-18 11:39:36 [Security] debug SASL: sending challenge to client
2013-03-18 11:39:36 [Security] info [::1]:5672-[::1]:56979 SASL: Authentication succeeded for: guest@QPID
2013-03-18 11:39:36 [Security] info SASL: Mechanism list: ANONYMOUS DIGEST-MD5 PLAIN
2013-03-18 11:39:36 [Security] info SASL: Starting authentication with mechanism: DIGEST-MD5
2013-03-18 11:39:36 [Security] debug SASL: sending challenge to client
2013-03-18 11:39:36 [Security] debug SASL: sending challenge to client
2013-03-18 11:39:36 [Security] info [::1]:5672-[::1]:56980 SASL: Authentication succeeded for: guest@QPID
2013-03-18 11:39:36 [Security] info SASL: Mechanism list: ANONYMOUS DIGEST-MD5 PLAIN
2013-03-18 11:39:36 [Security] info SASL: Starting authentication with mechanism: DIGEST-MD5
2013-03-18 11:39:36 [Security] debug SASL: sending challenge to client
2013-03-18 11:39:36 [Security] debug SASL: sending challenge to client
2013-03-18 11:39:36 [Security] info [::1]:5672-[::1]:56981 SASL: Authentication succeeded for: guest@QPID
2013-03-18 11:39:36 [Security] info SASL: Mechanism list: ANONYMOUS DIGEST-MD5 PLAIN
2013-03-18 11:39:36 [Security] info SASL: Starting authentication with mechanism: DIGEST-MD5
2013-03-18 11:39:36 [Security] debug SASL: sending challenge to client
2013-03-18 11:39:36 [Security] debug SASL: sending challenge to client
2013-03-18 11:39:36 [Security] info [::1]:5672-[::1]:56982 SASL: Authentication succeeded for: guest@QPID
2013-03-18 11:39:47 [Security] info SASL: Mechanism list: ANONYMOUS DIGEST-MD5 PLAIN
2013-03-18 11:39:47 [Security] info SASL: Starting authentication with mechanism: PLAIN
2013-03-18 11:39:47 [Security] info [::1]:5672-[::1]:56983 SASL: Authentication succeeded for: guest@QPID
2013-03-18 11:39:47 [Security] info SASL: Mechanism list: ANONYMOUS DIGEST-MD5 PLAIN
2013-03-18 11:39:47 [Security] info SASL: Starting authentication with mechanism: PLAIN
2013-03-18 11:39:47 [Security] info [::1]:5672-[::1]:56984 SASL: Authentication succeeded for: guest@QPID
2013-03-18 11:39:47 [Security] info SASL: Mechanism list: ANONYMOUS DIGEST-MD5 PLAIN
2013-03-18 11:39:47 [Security] info SASL: Starting authentication with mechanism: PLAIN
2013-03-18 11:39:47 [Security] info [::1]:5672-[::1]:56985 SASL: Authentication succeeded for: guest@QPID
2013-03-18 11:39:47 [Security] info SASL: Mechanism list: ANONYMOUS DIGEST-MD5 PLAIN
2013-03-18 11:39:47 [Security] info SASL: Starting authentication with mechanism: PLAIN
2013-03-18 11:39:47 [Security] info [::1]:5672-[::1]:56986 SASL: Authentication succeeded for: guest@QPID


------------------------------------- Python spout

[root@mrg-qe-10 messaging]# diff -u /usr/share/doc/python-qpid-0.18/examples/api/spout /usr/share/doc/python-qpid-0.18/examples/api/spout1
--- /usr/share/doc/python-qpid-0.18/examples/api/spout  2012-07-19 11:54:08.000000000 -0400
+++ /usr/share/doc/python-qpid-0.18/examples/api/spout1 2013-03-18 11:29:38.145095468 -0400
@@ -92,6 +92,9 @@
   content = text

 conn = Connection(opts.broker,
+                  username='guest',
+                  password='guest',
+                  sasl_mechanisms='PLAIN',
                   reconnect=opts.reconnect,
                   reconnect_interval=opts.reconnect_interval,
                   reconnect_limit=opts.reconnect_limit)
[root@mrg-qe-10 messaging]# diff -u /usr/share/doc/python-qpid-0.18/examples/api/spout /usr/share/doc/python-qpid-0.18/examples/api/spout2
--- /usr/share/doc/python-qpid-0.18/examples/api/spout  2012-07-19 11:54:08.000000000 -0400
+++ /usr/share/doc/python-qpid-0.18/examples/api/spout2 2013-03-18 11:29:03.826560831 -0400
@@ -92,6 +92,8 @@
   content = text

 conn = Connection(opts.broker,
+                  username='guest',
+                  password='guest',
                   reconnect=opts.reconnect,
                   reconnect_interval=opts.reconnect_interval,
                   reconnect_limit=opts.reconnect_limit)
[root@mrg-qe-10 messaging]#
[root@mrg-qe-10 messaging]#
[root@mrg-qe-10 messaging]# python /usr/share/doc/python-qpid-0.18/examples/api/spout1 "ADDR2; {create:sender}"
Message(properties={'spout-id': 'a6dc4885-87b1-4750-8af9-aa7e4961b528:0'})
[root@mrg-qe-10 messaging]# python /usr/share/doc/python-qpid-0.18/examples/api/spout2 "ADDR2; {create:sender}"
Message(properties={'spout-id': 'db07b2f1-b261-4787-8bcc-d6dd71d5d468:0'})
[root@mrg-qe-10 messaging]# python /usr/share/doc/python-qpid-0.18/examples/api/spout "ADDR2; {create:sender}"
Message(properties={'spout-id': 'dafc56ae-de1d-43b3-bcf0-2a35420c5731:0'})
[root@mrg-qe-10 messaging]# grep SASL ~qpidd/qpidd.log
2013-03-18 11:30:14 [Security] info SASL: Mechanism list: ANONYMOUS DIGEST-MD5 PLAIN
2013-03-18 11:30:14 [Security] info SASL: Starting authentication with mechanism: PLAIN
2013-03-18 11:30:14 [Security] info [::1]:5672-[::1]:56967 SASL: Authentication succeeded for: guest@QPID
2013-03-18 11:30:32 [Security] info SASL: Mechanism list: ANONYMOUS DIGEST-MD5 PLAIN
2013-03-18 11:30:32 [Security] info SASL: Starting authentication with mechanism: DIGEST-MD5
2013-03-18 11:30:32 [Security] debug SASL: sending challenge to client
2013-03-18 11:30:32 [Security] debug SASL: sending challenge to client
2013-03-18 11:30:32 [Security] info [::1]:5672-[::1]:56968 SASL: Authentication succeeded for: guest@QPID
2013-03-18 11:31:05 [Security] info SASL: Mechanism list: ANONYMOUS DIGEST-MD5 PLAIN
2013-03-18 11:31:05 [Security] info SASL: Starting authentication with mechanism: ANONYMOUS
2013-03-18 11:31:05 [Security] info [::1]:5672-[::1]:56969 SASL: Authentication succeeded for: anonymous@QPID

------------------------------------- python qpid-config

[root@mrg-qe-10 messaging]# qpid-config
Total Exchanges: 8
          topic: 3
        headers: 1
         fanout: 1
         direct: 3

   Total Queues: 4
        durable: 0
    non-durable: 4
[root@mrg-qe-10 messaging]# qpid-config -b guest/guest@localhost:5672
Total Exchanges: 8
          topic: 3
        headers: 1
         fanout: 1
         direct: 3

   Total Queues: 4
        durable: 0
    non-durable: 4
[root@mrg-qe-10 messaging]# qpid-config -b guest/guest@localhost:5672 --sasl-mechanism=PLAIN
Total Exchanges: 8
          topic: 3
        headers: 1
         fanout: 1
         direct: 3

   Total Queues: 4
        durable: 0
    non-durable: 4
[root@mrg-qe-10 messaging]# grep SASL ~qpidd/qpidd.log
2013-03-18 11:35:35 [Security] info SASL: Mechanism list: ANONYMOUS DIGEST-MD5 PLAIN
2013-03-18 11:35:35 [Security] info SASL: Starting authentication with mechanism: ANONYMOUS
2013-03-18 11:35:35 [Security] info [::1]:5672-[::1]:56972 SASL: Authentication succeeded for: anonymous@QPID
2013-03-18 11:36:04 [Security] info SASL: Mechanism list: ANONYMOUS DIGEST-MD5 PLAIN
2013-03-18 11:36:04 [Security] info SASL: Starting authentication with mechanism: DIGEST-MD5
2013-03-18 11:36:04 [Security] debug SASL: sending challenge to client
2013-03-18 11:36:04 [Security] debug SASL: sending challenge to client
2013-03-18 11:36:04 [Security] info [::1]:5672-[::1]:56973 SASL: Authentication succeeded for: guest@QPID
2013-03-18 11:36:29 [Security] info SASL: Mechanism list: ANONYMOUS DIGEST-MD5 PLAIN
2013-03-18 11:36:29 [Security] info SASL: Starting authentication with mechanism: PLAIN
2013-03-18 11:36:29 [Security] info [::1]:5672-[::1]:56974 SASL: Authentication succeeded for: guest@QPID
[root@mrg-qe-10 messaging]#