1. change default sasl mech list to ANONYMOUS, DIGEST-MD5, EXTERNAL, PLAIN
2. do not allow updates to destabilize existing systems.
3. add comment in config file describing how to enable GSSAPI & DIGEST-MD5.
4. publish release note describing changes, including that GSSAPI is not enabled by default, & how to enable.
5. review documentation & write changes where necessary / useful.
6. review log messages in this area to see if they can be made more informative upon auth failure.
This is Jira QPID-4244.
(In reply to comment #4)
> This is Jira QPID-4244.

I believe the link is broken. This is the correct one: https://issues.apache.org/jira/browse/QPID-4244
Committed revision 1376958.

This ended up being a very small change -- no improvement in log messages. No need to change spec file that generates packages. Just expanding the list in /etc/sasl2/qpidd.conf, and improving the comments a little.
Sorry to say, but bug 846465 is much more than QPID-4244 due to comment 0.

See detailed QA feedback inlined...

(In reply to comment #0)
> 1. change default sasl mech list to ANONYMOUS, DIGEST-MD5, EXTERNAL, PLAIN

change[s] done and ok

> 2. do not allow updates to destabilize existing systems.

testing is ongoing, so far so good

> 3. add comment in config file describing how to enable GSSAPI &
> DIGEST-MD5.

change was NOT done as further commands clarify:

[root@dhcp-x ~]# grep -i gssa /etc/sasl2/qpidd.conf
[root@dhcp-x ~]# grep -i krb /etc/sasl2/qpidd.conf
[root@dhcp-x ~]# rpm -qf /etc/sasl2/qpidd.conf
qpid-cpp-server-0.18-9.el5

> 4. publish release note describing changes, including that GSSAPI is not
> enabled by default, & how to enable.

release note requested, but defect is not yet carrying it (in ON_QA state which is wrong)

> 5. review documentation & write changes where necessary / useful.

not done, lacking info in
Messaging_Installation_and_Configuration_Guide -> Simple Authentication and Security Layer - SASL -> Configure Kerberos 5
and possibly also in
Messaging_Installation_and_Configuration_Guide -> Simple Authentication and Security Layer - SASL -> Configure SASL using a Local Password File

In above chapters it is needed to discuss effect[s] of /etc/sasl2/qpidd.conf file modifications (to narrow / enable different SASL mechanisms).

tracked now as bug 877469

> 6. review log messages in this area to see if they can be made more
> informative upon auth failure.

skipped, not part of this defect anymore

-> ASSIGNED (3., 4., 5.)
The to-do list in comment #1 was not meant to be normative -- it only reflected my (imperfect) understanding of the task when I started.

The much more limited change that I actually made is what I believe was desired by management by the end of this small effort. (Please confirm with jross.)

How should I best handle this? If it would be better, I could close this bug as "will not fix" and open a new one with corrected requirements.
(In reply to comment #10)
> The to-do list in comment #1 was not meant to be normative -- it only
> reflected my (imperfect) understanding of the task when I started.
>
> The much more limited change that I actually made is what I believe was
> desired by management by the end of this small effort. ( Please confirm
> with jross. )
>
> How should I best handle this? If it would be better, I could close this
> bug as "will not fix" and open a new one with corrected requirements.

Hello Mick.
Thanks for your comment!

I already stripped out point 6] based on your later comments.
I'm fine to track 5] separately (even w/o bz dependency link).
The remaining points (3] and 4]) should be done in my view which means:
point 3] - additional chapter needs to be added to sasl qpidd.conf
point 4] - release note text needs to be created

Could you try to summarize what is current content of the defect then, please?
Based on your list I'll be able to finish this defect.
(In reply to comment #11)
> I already stripped out point 6] based on your later comments.
> I'm fine to track 5] separately (even w/o bz dependency link).
> The remaining points (3] and 4]) should be done in my view which means:
> point 3] - additional chapter needs to be added to sasl qpidd.conf
> point 4] - release note text needs to be created

I agree that 3 and 4 should be handled in the context of this bz.
I pushed this branch: 0.18-mrg-mick-846465 about 0900 4 Dec with two small changes (comments only) to the config files /etc/qpidd.conf and /etc/sasl2/qpidd.conf
*** Bug 716523 has been marked as a duplicate of this bug. ***
*** Bug 815482 has been marked as a duplicate of this bug. ***
The default list of SASL mechanisms changed, /etc/sasl2/qpidd.conf has been correctly updated.

Details:

> 1. change default sasl mech list to ANONYMOUS, DIGEST-MD5, EXTERNAL, PLAIN

change[s] done and ok

> 2. do not allow updates to destabilize existing systems.

Testing found no destabilization.

> 3. add comment in config file describing how to enable GSSAPI &
> DIGEST-MD5.

comments in /etc/qpidd.conf and /etc/sasl2/qpidd.conf are ok.

> 4. publish release note describing changes, including that GSSAPI is not
> enabled by default, & how to enable.

release note ok.

> 5. review documentation & write changes where necessary / useful.

tracked now as bug 877469

> 6. review log messages in this area to see if they can be made more
> informative upon auth failure.

skipped, not part of this defect anymore

Tested on RHEL5.9 / 6.4b i[36]86 / x86_64 on packages:

[root@dhcp-27-156 bz805881]# rpm -qa | grep qpid | sort
python-qpid-0.18-4.el5
python-qpid-qmf-0.18-13.el5
qpid-cpp-client-0.18-13.el5
qpid-cpp-client-devel-0.18-13.el5
qpid-cpp-client-devel-docs-0.18-13.el5
qpid-cpp-client-rdma-0.18-13.el5
qpid-cpp-client-ssl-0.18-13.el5
qpid-cpp-mrg-debuginfo-0.18-13.el5
qpid-cpp-server-0.18-13.el5
qpid-cpp-server-cluster-0.18-13.el5
qpid-cpp-server-devel-0.18-13.el5
qpid-cpp-server-rdma-0.18-13.el5
qpid-cpp-server-ssl-0.18-13.el5
qpid-cpp-server-store-0.18-13.el5
qpid-cpp-server-xml-0.18-13.el5
qpid-java-client-0.18-6.el5
qpid-java-common-0.18-6.el5
qpid-java-example-0.18-6.el5
qpid-jca-0.18-6.el5
qpid-jca-xarecovery-0.18-6.el5
qpid-jca-zip-0.18-6.el5
qpid-qmf-0.18-13.el5
qpid-qmf-debuginfo-0.18-13.el5
qpid-qmf-devel-0.18-13.el5
qpid-tests-0.18-2.el5
qpid-tools-0.18-7.el5
rh-qpid-cpp-tests-0.18-13.el5
ruby-qpid-qmf-0.18-13.el5

This defect is considered as verified. Available documentation (bug 877469) is the last condition which blocks state change.
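The two checks QA ran against /etc/sasl2/qpidd.conf in this thread (the mechanism list from item 1 and a comment mentioning GSSAPI from item 3) can be scripted. This is an added example, not part of the bug report or the qpid packages; `mech_list` is the Cyrus SASL option holding the list, while the function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a Cyrus SASL config for qpidd.
# EXPECTED is the default list from item 1 of the to-do list.
EXPECTED="ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN"

# Active mechanisms: the uncommented "mech_list:" line, upper-cased, space-joined.
# Assumption: if several such lines exist, the last one is reported.
active_mechs() {
    sed -n 's/^[[:space:]]*mech_list[[:space:]]*:[[:space:]]*//p' "$1" |
        tail -n 1 | tr 'a-z' 'A-Z' | tr -s '\t ' '  ' | sed 's/ *$//'
}

# in_list WORD LIST: succeed if WORD is one of the space-separated items in LIST.
in_list() { case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac; }

# Report drift from EXPECTED and whether a comment in the file mentions GSSAPI
# (the same question the QA comment asked with "grep -i gssa").
audit_mechs() {
    active=$(active_mechs "$1")
    rc=0
    for m in $EXPECTED; do
        in_list "$m" "$active" || { echo "missing: $m"; rc=1; }
    done
    for m in $active; do
        in_list "$m" "$EXPECTED" || { echo "extra: $m"; rc=1; }
    done
    if grep -qi '^[[:space:]]*#.*gssapi' "$1"; then
        echo "gssapi-comment: present"
    else
        echo "gssapi-comment: absent"; rc=1
    fi
    return $rc
}

# Constructed sample files (not the shipped qpidd.conf).
tmp=$(mktemp -d)
cat > "$tmp/default.conf" <<'EOF'
# To enable Kerberos, add GSSAPI to mech_list (constructed comment).
pwcheck_method: auxprop
mech_list: ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN
EOF
cat > "$tmp/drifted.conf" <<'EOF'
#mech_list: ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN
mech_list: plain  gssapi
EOF
audit_mechs "$tmp/default.conf"
audit_mechs "$tmp/drifted.conf" || echo "drifted.conf differs from the default"
```

A non-zero return from `audit_mechs` means the active list differs from the default named in this bug or the file carries no comment about GSSAPI; a site that enabled GSSAPI on purpose would adjust `EXPECTED` accordingly.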
Documentation (bug 877469) available and ok. -> VERIFIED
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0561.html