[ https://issues.apache.org/jira/browse/DISPATCH-472?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15418847#comment-15418847 ]

Alan Conway commented on DISPATCH-472:
--------------------------------------

Just a reminder here: if we make security defaults more restrictive it is 
important to verify a reasonable experience for a developer who does not (yet) 
care about security. If someone installs dispatch, runs it with the default 
config and runs our tools, that should either Just Work OR give a very clear 
error message including an easy way to make it work (e.g. an insecure example 
conf that can easily be copied over the secure default conf).

> Default value of authenticatePeer parameter in listener configuration
> ---------------------------------------------------------------------
>
>                 Key: DISPATCH-472
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-472
>             Project: Qpid Dispatch
>          Issue Type: Improvement
>            Reporter: Jakub Scholz
>
> The authenticatePeer parameter in listener configuration currently has the 
> default value "no". I believe this can lead to misunderstandings causing 
> security issues. Consider a listener configured like this:
> {code}
> listener { 
>     role: normal 
>     host: 0.0.0.0 
>     port: amqp 
>     saslMechanisms: PLAIN DIGEST-MD5 CRAM-MD5 
> } 
> {code}
> It has SASL authentication configured using username and password, and at 
> first glance one might believe that such a listener is configured properly. 
> However, because the "authenticatePeer: yes" parameter is missing, it is still 
> possible to connect anonymously without the SASL layer.
> I believe it would be much better to either set the authenticatePeer 
> parameter to yes by default all the time, or at least when SASL is configured.
> Please have a look at the related discussion from the mailing list:
> http://qpid.2158936.n2.nabble.com/Dispatch-Default-value-of-authenticatePeer-td7648676.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
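The misconfiguration described in the issue is easy to miss by eye, so here is an added example (not part of the JIRA thread or the Qpid Dispatch project) of a small audit script that parses a Dispatch-style `name { key: value }` configuration and flags every listener that lists saslMechanisms without setting authenticatePeer: yes. The sample configuration embedded below is constructed for the example: it contains the listener quoted in the issue plus a hardened copy that adds the missing parameter. The parser, the function names and the port 5671 are assumptions made for this example.

```python
import re

# Constructed sample configuration (not taken from a real deployment): the
# listener quoted in DISPATCH-472, followed by a hardened variant that adds
# authenticatePeer: yes. The router section is only there to show that
# non-listener sections are ignored.
SAMPLE_CONFIG = """
router {
    mode: standalone
    id: Router.A
}

listener {
    role: normal
    host: 0.0.0.0
    port: amqp
    saslMechanisms: PLAIN DIGEST-MD5 CRAM-MD5
}

listener {
    role: normal
    host: 0.0.0.0
    port: 5671
    saslMechanisms: PLAIN
    authenticatePeer: yes
}
"""

# One brace-delimited section: a section name followed by a body without nested braces.
_BLOCK_RE = re.compile(r"(\w+)\s*\{([^}]*)\}", re.S)


def parse_sections(text):
    """Parse 'name { key: value ... }' sections into a list of (name, attrs) pairs.

    Assumed simplified grammar: one 'key: value' per line, '#' starts a comment.
    """
    sections = []
    for match in _BLOCK_RE.finditer(text):
        name, body = match.group(1), match.group(2)
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if not line or ":" not in line:
                continue
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
        sections.append((name, attrs))
    return sections


def find_unauthenticated_listeners(text):
    """Return listeners that configure saslMechanisms but do not set authenticatePeer: yes.

    As the issue explains, authenticatePeer defaults to "no", so such a listener
    still accepts anonymous connections regardless of the mechanisms listed.
    """
    findings = []
    for name, attrs in parse_sections(text):
        if name != "listener" or "saslMechanisms" not in attrs:
            continue
        if attrs.get("authenticatePeer", "no").lower() != "yes":
            findings.append({
                "host": attrs.get("host", "?"),
                "port": attrs.get("port", "?"),
                "saslMechanisms": attrs["saslMechanisms"],
                "authenticatePeer": attrs.get("authenticatePeer", "<unset, defaults to no>"),
            })
    return findings


if __name__ == "__main__":
    for finding in find_unauthenticated_listeners(SAMPLE_CONFIG):
        print(f"listener {finding['host']}:{finding['port']} lists SASL mechanisms "
              f"({finding['saslMechanisms']}) but authenticatePeer is "
              f"{finding['authenticatePeer']}")
```

Run against the sample, the script reports only the first listener (port amqp); the second one, which is identical apart from `authenticatePeer: yes`, passes. Treating a missing key as "no" mirrors the default the issue complains about, so the check stays correct whether or not the project later changes that default.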
