[ https://issues.apache.org/jira/browse/QPID-3337?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
michael j. goulish resolved QPID-3337.
--------------------------------------
Resolution: Fixed
checkin 1143536.
> eliminate guest/guest default username/password and use an explicit sasl mechanism list
> ---------------------------------------------------------------------------------------
>
> Key: QPID-3337
> URL: https://issues.apache.org/jira/browse/QPID-3337
> Project: Qpid
> Issue Type: Bug
> Components: C++ Broker
> Reporter: michael j. goulish
> Assignee: michael j. goulish
> Fix For: 0.14
>
>
> Currently, we default to using the system-default sasl mechanisms list. That
> list will include GSSAPI if the package is installed on the user's system.
> But merely installing the GSSAPI package does not prepare qpidd to use
> GSSAPI. The user must perform specific config steps to make it work. And,
> since GSSAPI will be selected before other mechanisms, this means that many
> users will see qpidd fail as soon as they try --auth=yes.
> It also seems dangerous to allow PLAIN, since users who install qpidd will
> then have an insecure system by default.
> By accepting the system-default list we are allowing too many user-surprises.
> The solution is to explicitly control the mech list, probably only allowing a
> single mechanism such as DIGEST-MD5, and give the user sufficient instruction
> on how to set up other mechanisms when they are desired.
> NOTE -- I am also allowing ANONYMOUS, because some python tools do not yet
> know how to send credentials, and this will allow them to continue working.
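The policy described in the issue above, written as a configuration check. This is an added example, not part of the original message or Qpid's own code. It assumes the mechanism list is set in a Cyrus SASL style configuration file through the `mech_list` option (the message does not say how the fix applies it); the function names and sample configs are constructed for illustration.

```python
# Added example: audit a Cyrus SASL style config against the QPID-3337 policy.
# Assumption: options are "key: value" lines, "#" starts a comment, and
# mech_list is a whitespace-separated list of mechanism names.

ALLOWED = {"DIGEST-MD5", "ANONYMOUS"}  # mechanisms the issue text proposes

def parse_sasl_conf(text):
    """Return {option: value}, skipping blank lines and comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip().lower()] = value.strip()
    return opts

def audit_mech_list(text):
    """Return findings; an empty list means only DIGEST-MD5 is offered."""
    opts = parse_sasl_conf(text)
    if not opts.get("mech_list"):
        # No explicit list: whatever SASL plugins are installed get offered.
        return ["no explicit mech_list: system-default mechanisms apply"]
    findings = []
    for mech in (m.upper() for m in opts["mech_list"].split()):
        if mech == "GSSAPI":
            findings.append("GSSAPI offered: needs extra setup, chosen first")
        elif mech == "PLAIN":
            findings.append("PLAIN offered: insecure by default per the issue")
        elif mech == "ANONYMOUS":
            findings.append("ANONYMOUS offered: unauthenticated clients accepted")
        elif mech not in ALLOWED:
            findings.append(mech + " offered: not in the explicit allow list")
    return findings

# Constructed sample configurations (not taken from a real broker).
SYSTEM_DEFAULT = "pwcheck_method: auxprop\n# mech_list: PLAIN\n"
WEAK = "pwcheck_method: auxprop\nmech_list: GSSAPI PLAIN DIGEST-MD5\n"
FIXED = "pwcheck_method: auxprop\nmech_list: DIGEST-MD5 ANONYMOUS\n"

if __name__ == "__main__":
    for name, conf in [("default", SYSTEM_DEFAULT), ("weak", WEAK), ("fixed", FIXED)]:
        print(name, audit_mech_list(conf))
```

The ANONYMOUS finding is reported rather than suppressed so that the exception the issue makes for tools that cannot send credentials stays visible in a review.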