[
https://issues.apache.org/jira/browse/PROTON-2124?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jiri Daněk updated PROTON-2124:
-------------------------------
Description:
I've noticed two additional kerberos sasl mechanisms that aren't blacklisted
bq. [0xb80670]:0 <- @sasl-mechanisms(64)
[sasl-server-mechanisms=@PN_SYMBOL[:"GS2-IAKERB", :"GS2-KRB5", :"SCRAM-SHA-1",
:"SCRAM-SHA-256", :GSSAPI, :"GSS-SPNEGO", :"DIGEST-MD5", :OTP, :"CRAM-MD5",
:ANONYMOUS]]
They are GS2-IAKERB and GS2-KRB5. The GS2-KRB5 is the problematic one, allowing
GS2-IAKERB does not stop proton from trying ANONYMOUS eventually.
When GS2-KRB5 is enabled, I get this failure instead (in ctest tests, test 23,
or when connecting {{sender}} example to {{broker}} example)
bq. 23: amqp:unauthorized-access: SASL(-1): generic failure: GS2 Error:
Unspecified GSS failure. Minor code may provide more information (Ticket
expired) (Authentication failed [mech=none])
I think those must be new. They appear on macOS, or if I install all cyrus-sasl
packages on RHEL 7.7 or RHEL 8.1.
was:
Disable GSSAPI and GSS-SPNEGO SASL mechanisms if they are not explicitly
enabled. See [this
comment|https://issues.apache.org/jira/browse/PROTON-1354?focusedCommentId=16528272&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16528272]
below for more details on enabling the mechanisms again.
> Disable GS2-KRB5 SASL mechanism if it is not explicitly enabled
> ---------------------------------------------------------------
>
> Key: PROTON-2124
> URL: https://issues.apache.org/jira/browse/PROTON-2124
> Project: Qpid Proton
> Issue Type: Improvement
> Components: proton-c
> Reporter: Jiri Daněk
> Assignee: Andrew Stitcher
> Priority: Major
> Labels: release-notes, sasl, usability
> Fix For: proton-c-0.24.0
>
>
> I've noticed two additional kerberos sasl mechanisms that aren't blacklisted
> bq. [0xb80670]:0 <- @sasl-mechanisms(64)
> [sasl-server-mechanisms=@PN_SYMBOL[:"GS2-IAKERB", :"GS2-KRB5",
> :"SCRAM-SHA-1", :"SCRAM-SHA-256", :GSSAPI, :"GSS-SPNEGO", :"DIGEST-MD5",
> :OTP, :"CRAM-MD5", :ANONYMOUS]]
> They are GS2-IAKERB and GS2-KRB5. The GS2-KRB5 is the problematic one,
> allowing GS2-IAKERB does not stop proton from trying ANONYMOUS eventually.
> When GS2-KRB5 is enabled, I get this failure instead (in ctest tests, test
> 23, or when connecting {{sender}} example to {{broker}} example)
> bq. 23: amqp:unauthorized-access: SASL(-1): generic failure: GS2 Error:
> Unspecified GSS failure. Minor code may provide more information (Ticket
> expired) (Authentication failed [mech=none])
> I think those must be new. They appear on macOS, or if I install all
> cyrus-sasl packages on RHEL 7.7 or RHEL 8.1.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
