[
https://issues.apache.org/jira/browse/ARTEMIS-1386?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16153586#comment-16153586
]
Michal Toth commented on ARTEMIS-1386:
--------------------------------------
OK, so an AMQP client connected to the default 61616 accepts a plain user, while
connecting to 5672 uses only Kerberos GSSAPI.
5672 (as expected):
{noformat}
java -jar aac-staging-0.24.0.jar sender --broker amqp://hostname:5672 --address lalaQ --log-msgs interop --conn-username lala --conn-password lala --count 1 --log-lib debug
14:48:44,705 DEBUG Connection=amqp://hostname:5672?jms.username=lala&jms.password=lala
14:48:45,430 DEBUG Skipping SASL-GSSAPI mechanism as it must be explicitly enabled in the configured sasl mechanisms
14:48:45,430 INFO Best match for SASL auth was: null
14:48:45,431 ERROR Failed to connect to remote at: amqp://hostname:5672
14:48:45,439 DEBUG Shutdown of ExecutorService: java.util.concurrent.ScheduledThreadPoolExecutor@6ee52dcd[Terminated, pool size = 0, active threads = 0, queued tasks = 0, completed tasks = 3] is shutdown: true and terminated: true took: 0.001 seconds.
14:48:45,441 ERROR Could not find a suitable SASL mechanism for the remote peer using the available credentials.
javax.jms.JMSSecurityException: Could not find a suitable SASL mechanism for the remote peer using the available credentials.
at org.apache.qpid.jms.provider.amqp.AmqpSaslAuthenticator.recordFailure(AmqpSaslAuthenticator.java:154)
at org.apache.qpid.jms.provider.amqp.AmqpSaslAuthenticator.handleSaslInit(AmqpSaslAuthenticator.java:108)
at org.apache.qpid.jms.provider.amqp.AmqpSaslAuthenticator.tryAuthenticate(AmqpSaslAuthenticator.java:61)
at org.apache.qpid.jms.provider.amqp.AmqpProvider.processSaslAuthentication(AmqpProvider.java:954)
at org.apache.qpid.jms.provider.amqp.AmqpProvider.processUpdates(AmqpProvider.java:938)
at org.apache.qpid.jms.provider.amqp.AmqpProvider.access$1800(AmqpProvider.java:101)
at org.apache.qpid.jms.provider.amqp.AmqpProvider$17.run(AmqpProvider.java:789)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
{noformat}
While connecting to 61616 lets the AMQP SASL PLAIN user in (for the AMQP connection):
{noformat}
# java -jar aac-staging-0.24.0.jar sender --broker amqp://dhcp-145-62.lab.eng.brq.redhat.com:61616 --address lalaQ --log-msgs interop --conn-username lala --conn-password lala --count 1 --log-lib debug
14:51:21,094 DEBUG Connection=amqp://dhcp-145-62.lab.eng.brq.redhat.com:61616?jms.username=lala&jms.password=lala
14:51:21,829 INFO Best match for SASL auth was: SASL-PLAIN
[1662383289:0] -> Open{ containerId='ID:9e62a8f8-be25-46b3-99c8-7e6182bbec92:1', hostname='dhcp-145-62.lab.eng.brq.redhat.com', maxFrameSize=1048576, channelMax=32767, idleTimeOut=30000, outgoingLocales=null, incomingLocales=null, offeredCapabilities=null, desiredCapabilities=[sole-connection-for-container], properties={product=QpidJMS, version=0.24.0, platform=JVM: 1.8.0_65, 25.65-b01, Oracle Corporation, OS: Linux, 3.10.0-229.49.1.el7.x86_64, amd64}}
[1662383289:0] <- Open{ containerId='0.0.0.0', hostname='null', maxFrameSize=4294967295, channelMax=65535, idleTimeOut=30000, outgoingLocales=null, incomingLocales=null, offeredCapabilities=[sole-connection-for-container, DELAYED_DELIVERY, SHARED-SUBS, ANONYMOUS-RELAY], desiredCapabilities=null, properties={product=apache-activemq-artemis, version=2.3.0-SNAPSHOT}}
[1662383289:0] -> Begin{remoteChannel=null, nextOutgoingId=1, incomingWindow=2047, outgoingWindow=2147483647, handleMax=65535, offeredCapabilities=null, desiredCapabilities=null, properties=null}
[1662383289:0] <- Begin{remoteChannel=0, nextOutgoingId=1, incomingWindow=2147483647, outgoingWindow=2147483647, handleMax=65535, offeredCapabilities=null, desiredCapabilities=null, properties=null}
14:51:21,878 DEBUG AmqpConnection { ID:3268ee2a-cf27-405a-9760-13e226b7fcbb:1 } is now open:
14:51:21,878 INFO Connection ID:3268ee2a-cf27-405a-9760-13e226b7fcbb:1 connected to remote Broker: amqp://dhcp-145-62.lab.eng.brq.redhat.com:61616
[1662383289:1] -> Begin{remoteChannel=null, nextOutgoingId=1, incomingWindow=2047, outgoingWindow=2147483647, handleMax=65535, offeredCapabilities=null, desiredCapabilities=null, properties=null}
[1662383289:1] <- Begin{remoteChannel=1, nextOutgoingId=1, incomingWindow=2147483647, outgoingWindow=2147483647, handleMax=65535, offeredCapabilities=null, desiredCapabilities=null, properties=null}
14:51:21,901 DEBUG Creating AmqpFixedProducer for: lalaQ
[1662383289:1] -> Attach{name='qpid-jms:sender:ID:3268ee2a-cf27-405a-9760-13e226b7fcbb:1:1:1:lalaQ', handle=0, role=SENDER, sndSettleMode=UNSETTLED, rcvSettleMode=FIRST, source=Source{address='ID:3268ee2a-cf27-405a-9760-13e226b7fcbb:1:1:1', durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false, dynamicNodeProperties=null, distributionMode=null, filter=null, defaultOutcome=null, outcomes=[amqp:accepted:list, amqp:rejected:list, amqp:released:list, amqp:modified:list], capabilities=null}, target=Target{address='lalaQ', durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false, dynamicNodeProperties=null, capabilities=[queue]}, unsettled=null, incompleteUnsettled=false, initialDeliveryCount=0, maxMessageSize=null, offeredCapabilities=null, desiredCapabilities=null, properties=null}
[1662383289:1] <- Attach{name='qpid-jms:sender:ID:3268ee2a-cf27-405a-9760-13e226b7fcbb:1:1:1:lalaQ', handle=0, role=RECEIVER, sndSettleMode=UNSETTLED, rcvSettleMode=FIRST, source=Source{address='ID:3268ee2a-cf27-405a-9760-13e226b7fcbb:1:1:1', durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false, dynamicNodeProperties=null, distributionMode=null, filter=null, defaultOutcome=null, outcomes=[amqp:accepted:list, amqp:rejected:list, amqp:released:list, amqp:modified:list], capabilities=null}, target=Target{address='lalaQ', durable=NONE, expiryPolicy=SESSION_END, timeout=0, dynamic=false, dynamicNodeProperties=null, capabilities=[queue]}, unsettled=null, incompleteUnsettled=false, initialDeliveryCount=null, maxMessageSize=null, offeredCapabilities=null, desiredCapabilities=null, properties=null}
[1662383289:1] <- Flow{nextIncomingId=1, incomingWindow=2147483647, nextOutgoingId=1, outgoingWindow=2147483647, handle=0, deliveryCount=0, linkCredit=1000, available=null, drain=false, echo=false, properties=null}
[1662383289:1] -> Transfer{handle=0, deliveryId=0, deliveryTag=0, messageFormat=0, settled=null, more=false, rcvSettleMode=null, state=null, resume=false, aborted=false, batchable=false} (131)
"\x00Sp\xc0\x02\x01A\x00Sr\xc1)\x04\xa3\x0ex-opt-jms-destQ\x00\xa3\x12x-opt-jms-msg-typeQ\x00\x00Ss\xc0I\x0a\xa1/ID:3268ee2a-cf27-405a-9760-13e226b7fcbb:1:1:1-1@\xa1\x05lalaQ@@@@@@\x83\x00\x00\x01^R\x18\x5c\xc7"
[1662383289:1] <- Disposition{role=RECEIVER, first=0, last=0, settled=true, state=Accepted{}, batchable=false}
{'durable': True, 'priority': 4, 'ttl': 0, 'first-acquirer': False, 'delivery-count': 0, 'id': '3268ee2a-cf27-405a-9760-13e226b7fcbb:1:1:1-1', 'user-id': None, 'address': 'lalaQ', 'subject': None, 'reply-to': None, 'correlation-id': None, 'content-type': None, 'content-encoding': None, 'absolute-expiry-time': 0, 'creation-time': 1504615881927, 'group-id': None, 'group-sequence': 0, 'reply-to-group-id': None, 'properties': {'JMSXDeliveryCount': 1}, 'content': None}
[1662383289:1] -> End{error=null}
[1662383289:1] <- End{error=null}
14:51:22,017 DEBUG AmqpSession { ID:3268ee2a-cf27-405a-9760-13e226b7fcbb:1:1 } is now closed:
[1662383289:0] -> Close{error=null}
[1662383289:0] <- Close{error=null}
14:51:22,022 DEBUG AmqpConnection { ID:3268ee2a-cf27-405a-9760-13e226b7fcbb:1 } is now closed:
14:51:22,022 DEBUG Transport connection remotely closed
14:51:22,025 DEBUG Shutdown of ExecutorService: java.util.concurrent.ThreadPoolExecutor@16022d9d[Shutting down, pool size = 1, active threads = 0, queued tasks = 0, completed tasks = 1] is shutdown: true and terminated: false took: 0.000 seconds.
14:51:22,030 DEBUG Shutdown of ExecutorService: java.util.concurrent.ScheduledThreadPoolExecutor@5a4041cc[Terminated, pool size = 0, active threads = 0, queued tasks = 0, completed tasks = 18] is shutdown: true and terminated: true took: 0.000 seconds.
{noformat}
This is IMO a security problem.
> With enabled kerberos auth, acceptor allows PLAIN auth sasl users in, even
> when GSSAPI is the only defined sasl mechanism on transport
> --------------------------------------------------------------------------------------------------------------------------------------
>
> Key: ARTEMIS-1386
> URL: https://issues.apache.org/jira/browse/ARTEMIS-1386
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Components: AMQP, Broker
> Affects Versions: 2.4.0
> Environment: Artemis built from sources
> last git commit 098d69b63c81d9b2aa2c58c30d921d30472e57f8 (Sept 1)
> Reporter: Michal Toth
>
> Enable all AMQP authentication & authorization to be performed by GSSAPI
> (kerberos), so user can send and receive messages w/o problems using kerberos
> credentials.
> Define broker amqp acceptor to accept only GSSAPI auth mechanism.
> {noformat}
> <acceptor name="amqp">tcp://0.0.0.0:5672?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=AMQP;useEpoll=true;amqpCredits=1000;amqpMinCredits=300;saslMechanisms=GSSAPI;saslLoginConfigScope=mykerberos</acceptor>
> {noformat}
> User authentication over the PLAIN SASL mechanism should not be allowed. Only
> Kerberized ones. This is not working actually.
> I am able to send/receive a message using plain over AMQP, with such defined
> saslMechanisms as above.
> login.config
> {noformat}
> activemq {
> org.apache.activemq.artemis.spi.core.security.jaas.Krb5LoginModule optional
> debug=true;
> org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient
> debug=true
> reload=true
> org.apache.activemq.jaas.properties.user="artemis-users.properties"
> org.apache.activemq.jaas.properties.role="artemis-roles.properties";
> };
> mykerberos {
> com.sun.security.auth.module.Krb5LoginModule required
> isInitiator=false
> storeKey=true
> useKeyTab=true
> keyTab="/opt/amqp-service.keytab"
> principal="amqp/[email protected]"
> debug=true;
> };
> {noformat}
> {noformat}
> users properties
> admin = ENC(1024:31461C31F100DA2D4363030BD70AB79BD1693552737AB4951B9B733770B60F40:B97C0DE92D4C0A17C2FE572E206A8F8806EFDFEBA456ED96AC1570E12E3F1BEC8314FA9744AC7EFD95DA939FACA2EA829CF3F46C96268F6B9140C74A2E1EE4D3)
> lala = lala
> ---
> roles.properties
> amq = admin,[email protected],lala
> readers = [email protected]
> {noformat}
--
This message was sent by Atlassian JIRA (v6.4.14#64029)
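The comment above shows the GSSAPI restriction taking effect on 5672 but not on the default 61616 acceptor, which also speaks AMQP and still negotiated SASL-PLAIN. The following is an added example, not code from this thread or from Artemis: it decodes the AMQP 1.0 sasl-mechanisms frame a broker returns in reply to the SASL protocol header and reports any mechanism outside an allowed set, so the check can be run against every acceptor port rather than only the one that was configured. The function names, the allowed set defaulting to GSSAPI, and the two sample frames are assumptions constructed here.

```python
import socket, struct
SASL_HEADER = b"AMQP\x03\x01\x00\x00"  # protocol-id 3 selects the SASL layer

def parse_sasl_mechanisms(frame):
    """Mechanism names in one raw sasl-mechanisms frame (8-bit encodings only: the lists are tiny)."""
    size, doff, ftype, _chan = struct.unpack_from(">IBBH", frame, 0)
    if ftype != 0x01 or size > len(frame):
        raise ValueError("not a complete SASL frame")
    pos = doff * 4
    if frame[pos:pos + 3] != b"\x00\x53\x40":  # described type, descriptor smallulong 0x40
        raise ValueError("not a sasl-mechanisms performative")
    pos += 3
    if frame[pos] == 0x45:                      # list0: nothing offered at all
        return []
    if frame[pos] != 0xC0:                      # list8: size byte, count byte
        raise ValueError("unsupported list constructor 0x%02x" % frame[pos])
    pos += 3
    if frame[pos] == 0xA3:                      # sasl-server-mechanisms as a single sym8
        count, pos = 1, pos + 1
    elif frame[pos] == 0xE0 and frame[pos + 3] == 0xA3:  # array8 of sym8
        count, pos = frame[pos + 2], pos + 4
    else:
        raise ValueError("unsupported mechanisms encoding 0x%02x" % frame[pos])
    names = []
    for _ in range(count):                      # each element: 1-byte length + ascii
        n, pos = frame[pos], pos + 1
        names.append(frame[pos:pos + n].decode("ascii"))
        pos += n
    return names

def unexpected_mechanisms(offered, allowed=("GSSAPI",)):
    """Mechanisms the acceptor offers that the policy does not allow."""
    return sorted(set(offered) - set(allowed))

def probe_acceptor(host, port, timeout=5.0):
    """Send the SASL header to a live acceptor and return the mechanisms it offers."""
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(SASL_HEADER)
        data = b""   # expect the echoed SASL header, then one frame
        while len(data) < 16 or len(data) < 8 + struct.unpack_from(">I", data, 8)[0]:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("peer closed before sending sasl-mechanisms")
            data += chunk
    if data[:8] != SASL_HEADER:
        raise ValueError("acceptor did not negotiate SASL: %r" % data[:8])
    return parse_sasl_mechanisms(data[8:])
# Constructed frames (frame header, 00 53 40, list8, array8 of sym8): a GSSAPI-only acceptor and an unrestricted one, like 61616 in the report, still offering PLAIN
GSSAPI_ONLY = b"\x00\x00\x00\x19\x02\x01\x00\x00\x00\x53\x40\xc0\x0c\x01\xe0\x09\x01\xa3\x06GSSAPI"
UNRESTRICTED = b"\x00\x00\x00\x22\x02\x01\x00\x00\x00\x53\x40\xc0\x15\x01\xe0\x12\x02\xa3\x05PLAIN\x09ANONYMOUS"
```

Run probe_acceptor(host, port) for every acceptor the broker exposes, not only the one carrying saslMechanisms, and pass the result to unexpected_mechanisms().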