Bug 716523 - use an explicit sasl mechanism list
Status: CLOSED DUPLICATE of bug 846465
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-cpp
Severity: high
Assigned To: mick
MRG Quality Engineering
Reported: 2011-06-24 14:43 EDT by mick
Modified: 2012-12-07 13:23 EST
Doc Type: Bug Fix
Last Closed: 2012-12-07 13:23:34 EST

External Trackers
Tracker ID Priority Status Summary Last Updated
Apache JIRA QPID-3337 None None None Never

Description mick 2011-06-24 14:43:48 EDT
Currently, we default to using the system-default sasl mechanisms list. That list will include GSSAPI if the package is installed on the user's system. But merely installing the GSSAPI package does not prepare qpidd to use GSSAPI. The user must perform specific config steps to make it work. And, since GSSAPI will be selected before other mechanisms, this means that many users will see qpidd fail as soon as they try --auth=yes.

It also seems dangerous to allow PLAIN, since users who install qpidd will then have an insecure system by default.

By accepting the system-default list we are allowing too many user-surprises.

The solution is to explicitly control the mech list, probably only allowing a single mechanism such as DIGEST-MD5, and give the user sufficient instruction on how to set up other mechanisms when they are desired.
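
An added example, not part of the bug report or of qpid's code: a small audit that reads a SASL option file and reports the conditions the description above raises (no explicit mechanism list, PLAIN offered, GSSAPI offered). It assumes the Cyrus SASL `key: value` option-file format and its `mech_list` option, neither of which is named in the report; the sample configs and function names are constructed for illustration.

```python
# Added example (not from the bug report): audit a Cyrus SASL option file
# for the mechanism-list problems the description raises.

# Constructed samples in Cyrus SASL "key: value" format (assumed format).
DEFAULT_CONF = """\
# no mech_list: the library offers every installed mechanism
pwcheck_method: auxprop
"""
PERMISSIVE_CONF = "mech_list: GSSAPI PLAIN DIGEST-MD5\n"
EXPLICIT_CONF = "pwcheck_method: auxprop\nmech_list: DIGEST-MD5\n"


def parse_sasl_conf(text):
    """Return {option: value}; blank lines and '#' comment lines are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip().lower()] = value.strip()
    return opts


def audit_mech_list(text):
    """Return (severity, message) findings for one config file's text."""
    opts = parse_sasl_conf(text)
    mechs = [m.upper() for m in opts.get("mech_list", "").split()]
    if not mechs:
        return [("high", "no explicit mech_list: system-default list is offered")]
    findings = []
    if "PLAIN" in mechs:
        findings.append(("high", "PLAIN offered: password is sent unprotected "
                                 "unless the transport is encrypted"))
    if "GSSAPI" in mechs:
        findings.append(("medium", "GSSAPI offered: clients that pick it fail "
                                   "until Kerberos is set up for the broker"))
    return findings


if __name__ == "__main__":
    for name, conf in [("default", DEFAULT_CONF), ("permissive", PERMISSIVE_CONF),
                       ("explicit", EXPLICIT_CONF)]:
        print(name, audit_mech_list(conf) or "ok")
```
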
Comment 1 mick 2011-07-06 16:14:55 EDT
JIRA 3337
Comment 2 Justin Ross 2012-12-07 13:23:34 EST

*** This bug has been marked as a duplicate of bug 846465 ***
