[ https://issues.apache.org/jira/browse/QPID-3337?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
michael j. goulish resolved QPID-3337.
--------------------------------------

    Resolution: Fixed

checkin 1143536 .

> eliminate guest/guest default username/password and use an explicit sasl mechanism list
> ---------------------------------------------------------------------------------------
>
>                 Key: QPID-3337
>                 URL: https://issues.apache.org/jira/browse/QPID-3337
>             Project: Qpid
>          Issue Type: Bug
>          Components: C++ Broker
>            Reporter: michael j. goulish
>            Assignee: michael j. goulish
>             Fix For: 0.14
>
>
> Currently, we default to using the system-default sasl mechanisms list. That
> list will include GSSAPI if the package is installed on the user's system. But
> merely installing the GSSAPI package does not prepare qpidd to use GSSAPI. The
> user must perform specific config steps to make it work. And, since GSSAPI
> will be selected before other mechanisms, this means that many users will see
> qpidd fail as soon as they try --auth=yes .
>
> It also seems dangerous to allow PLAIN, since users who install qpidd will then
> have an insecure system by default.
>
> By accepting the system-default list we are allowing too many user-surprises.
>
> The solution is to explicitly control the mech list, probably only allowing a
> single mechanism such as DIGEST-MD5, and give the user sufficient instruction
> on how to set up other mechanisms when they are desired.
>
> NOTE -- I am also allowing ANONYMOUS, because some python tools do not yet
> know how to send credentials, and this will allow them to continue working.
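An added example, not part of the ticket or of Qpid's code: a small audit of a Cyrus SASL application config that reports whether the mechanism list is explicit and flags the mechanisms the ticket discusses. The sample config contents, the RISKY table and the function names are constructed for illustration; the real file location on a given system is an assumption to verify locally.

```python
# Mechanisms named in the ticket, with the reason each deserves review.
RISKY = {
    "PLAIN": "password is sent in cleartext unless the transport is encrypted",
    "GSSAPI": "selected before other mechanisms, fails without Kerberos setup",
    "ANONYMOUS": "accepts clients that present no credentials",
}

# Constructed sample inputs (not taken from a real host).
IMPLICIT = """\
# no mech_list line: the system-default list applies
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /var/lib/qpidd/qpidd.sasldb
"""
EXPLICIT = IMPLICIT + "mech_list: DIGEST-MD5 ANONYMOUS\n"


def parse_sasl_conf(text):
    """Parse the 'key: value' lines of a Cyrus SASL config, skipping comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip().lower()] = value.strip()
    return opts


def audit_mech_list(text):
    """Return (mechanisms, findings) for the contents of one config file."""
    opts = parse_sasl_conf(text)
    if "mech_list" not in opts:
        return [], ["no mech_list: every mechanism installed on the host is offered"]
    mechs = [m.upper() for m in opts["mech_list"].split()]
    findings = [f"{m}: {RISKY[m]}" for m in mechs if m in RISKY]
    return mechs, findings


if __name__ == "__main__":
    for name, text in (("implicit", IMPLICIT), ("explicit", EXPLICIT)):
        mechs, findings = audit_mech_list(text)
        print(name, mechs or "(system default)")
        for finding in findings:
            print("  -", finding)
```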