> For EXTERNAL, you need to have the swigged wrapper for cyrus-sasl[1]. If
> you don't have that, that could explain why EXTERNAL doesn't work. What
> error do you get if you try to use EXTERNAL?

It /looks/ like I should have those ...

etc$ rpm -qa | grep sasl | sort
cyrus-sasl-2.1.26-25.2.fc23.x86_64
cyrus-sasl-debuginfo-2.1.26-25.2.fc23.x86_64
cyrus-sasl-devel-2.1.26-25.2.fc23.x86_64
cyrus-sasl-gssapi-2.1.26-25.2.fc23.x86_64
cyrus-sasl-lib-2.1.26-25.2.fc23.x86_64
cyrus-sasl-md5-2.1.26-25.2.fc23.x86_64
cyrus-sasl-plain-2.1.26-25.2.fc23.x86_64
cyrus-sasl-scram-2.1.26-25.2.fc23.x86_64
libgsasl-1.8.0-6.fc23.x86_64
libgsasl-devel-1.8.0-6.fc23.x86_64
python-saslwrapper-0.16-11.fc23.x86_64
saslwrapper-0.16-11.fc23.x86_64

###################################################
# Full SASL and SSL

ssl-best$ cat ssl-qpidd.conf | grep -v '#' | uniq
require-encryption=yes
ssl-cert-db=ssl_certs/server_db
ssl-cert-password-file=ssl_certs/server_db_password
ssl-cert-name=test_server
ssl-use-export-policy=yes
ssl-require-client-authentication=yes
auth=yes
sasl-config=/etc/sasl2
ssl-sasl-no-dict=yes
trace=yes
log-disable=trace:Management
log-disable=debug:Management
log-enable=notice+
log-enable=trace+:Protocol
ssl-port=5671

sasl2$ cat /etc/sasl2/qpidd.conf | grep -v '#' | uniq
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/sasldb2
mech_list: EXTERNAL DIGEST-MD5 PLAIN
sql_select: dummy select

sasl2$ sudo sasldblistusers2 /etc/sasldb2
[sudo] password for jdonner:
jgd@QPID: userPassword
-- (password is donner)

ssl-best$ qpidd --conf ssl-qpidd.conf
2016-08-12 17:01:30 [Broker] notice Broker (pid=4058) start-up
2016-08-12 17:01:30 [Model] trace Mgmt create memory. id:amqp-broker
2016-08-12 17:01:30 [Broker] info Management enabled
2016-08-12 17:01:30 [Management] info ManagementAgent restored broker ID: f390a428-3c91-4255-a327-55b4a3fb7570
2016-08-12 17:01:30 [Model] trace Mgmt create system. id:d9ae84c5-a943-4446-bf05-1ca543f0d34f
2016-08-12 17:01:30 [Model] trace Mgmt create broker. id:amqp-broker
2016-08-12 17:01:30 [Model] trace Mgmt create vhost. id:org.apache.qpid.broker:broker:amqp-broker,/
2016-08-12 17:01:30 [Broker] info Loaded protocol amqp1.0
2016-08-12 17:01:30 [Model] trace Mgmt create exchange. id: ....
2016-08-12 17:01:30 [Model] trace Mgmt create exchange. id:qmf.default.direct
2016-08-12 17:01:30 [Security] info SASL: config path set to /etc/sasl2
2016-08-12 17:01:30 [Broker] info SASL enabled
2016-08-12 17:01:30 [Network] debug No Socket fd specified
2016-08-12 17:01:30 [Model] trace Mgmt create acl. id:org.apache.qpid.broker:broker:amqp-broker
2016-08-12 17:01:30 [Security] debug ACL loaded empty rule set
2016-08-12 17:01:30 [Security] info ACL Plugin loaded
2016-08-12 17:01:30 [Security] trace Initialising SSL plugin
2016-08-12 17:01:30 [Network] debug Using interface:
2016-08-12 17:01:30 [Network] info Listening to: 0.0.0.0:5671
2016-08-12 17:01:30 [Network] debug Listened to: 5671
2016-08-12 17:01:30 [Network] info Listening to: [::]:5671
2016-08-12 17:01:30 [Network] debug Listened to: 5671
2016-08-12 17:01:30 [Security] notice Listening for SSL connections on TCP/TCP6 port 5671
2016-08-12 17:01:30 [Network] debug Using interface:
2016-08-12 17:01:30 [Network] info Listening to: 0.0.0.0:5672
2016-08-12 17:01:30 [Network] debug Listened to: 5672
2016-08-12 17:01:30 [Network] info Listening to: [::]:5672
2016-08-12 17:01:30 [Network] debug Listened to: 5672
2016-08-12 17:01:30 [Network] notice Listening on TCP/TCP6 port 5672
2016-08-12 17:01:30 [Broker] info Broker (pid=4058) initialized
2016-08-12 17:01:30 [Broker] info Broker (pid=4058) running

# client
ssl-best$ qpid-config --broker=amqps://jgd/donner@localhost:5671 --ssl-certificate=ssl_certs/client/tclient-certificate.pem --ssl-key=ssl_certs/tclient-unencrypted-private.key
Failed: ConnectionError: connection-forced: Authentication failed(320)

# qpidd response:
2016-08-12 17:01:38 [Network] trace Accepting SSL connection.
2016-08-12 17:01:38 [Network] info Set TCP_NODELAY on connection to [::1]:59398
2016-08-12 17:01:38 [Network] trace Accepting SSL connection.
2016-08-12 17:01:38 [System] debug RECV [qpid.[::1]:5671-[::1]:59398]: INIT(0-10)
2016-08-12 17:01:38 [Security] debug External ssf=128 and auth=test_client
2016-08-12 17:01:38 [Security] debug min_ssf: 0, max_ssf: 0, external_ssf: 128
2016-08-12 17:01:38 [Security] debug external auth detected and set to test_client
2016-08-12 17:01:38 [Security] info SASL: Mechanism list: EXTERNAL
2016-08-12 17:01:38 [Broker] debug LinkRegistry::notifyConnection(); key=qpid.[::1]:5671-[::1]:59398
2016-08-12 17:01:38 [Security] trace ACL ConnectionCounter new connection: qpid.[::1]:5671-[::1]:59398
2016-08-12 17:01:38 [Model] trace Mgmt create connection. id:qpid.[::1]:5671-[::1]:59398
2016-08-12 17:01:38 [Protocol] trace SENT [qpid.[::1]:5671-[::1]:59398]: INIT(0-10)
2016-08-12 17:01:38 [Protocol] trace SENT [qpid.[::1]:5671-[::1]:59398]: Frame[BEbe; channel=0; {ConnectionStartBody: server-properties={host:V2:7:str16(sidecar),platform:V2:5:str16(Linux),product:V2:8:str16(qpid-cpp),qpid.federation_tag:V2:36:str16(f390a428-3c91-4255-a327-55b4a3fb7570),version:V2:4:str16(0.34)}; mechanisms=str16{V2:8:str16(EXTERNAL)}; locales=str16{V2:5:str16(en_US)}; }]
2016-08-12 17:01:38 [Protocol] trace RECV [qpid.[::1]:5671-[::1]:59398]: Frame[BEbe; channel=0; {ConnectionStartOkBody: client-properties={platform:V2:5:str16(posix),product:V2:18:str16(qpid python client),qpid.client_pid:F8:int64(4067),qpid.client_ppid:F8:int64(2058),qpid.client_process:V2:11:str16(qpid-config),version:V2:11:str16(development)}; mechanism=EXTERNAL; response=xxxxxx; }]
2016-08-12 17:01:38 [Security] info SASL: Starting authentication with mechanism: EXTERNAL
2016-08-12 17:01:38 [Security] info SASL: Authentication failed for jgd@QPID:SASL(-13): authentication failure: Requested identity not authenticated identity
2016-08-12 17:01:38 [System] debug Exception constructed: Authentication failed
2016-08-12 17:01:38 [Model] debug Failed connection. rhost:qpid.[::1]:5671-[::1]:59398 user:jgd@QPID reason:SASL(-13): authentication failure: Requested identity not authenticated identity
2016-08-12 17:01:38 [Protocol] error Connection qpid.[::1]:5671-[::1]:59398 closed by error: connection-forced: Authentication failed(320)
2016-08-12 17:01:38 [Protocol] trace SENT [qpid.[::1]:5671-[::1]:59398]: Frame[BEbe; channel=0; {ConnectionCloseBody: reply-code=320; reply-text=connection-forced: Authentication failed; }]
2016-08-12 17:01:38 [Model] trace Mgmt destroying connection. id:qpid.[::1]:5671-[::1]:59398 Statistics: {bytesFromClient:193, bytesToClient:59, closing:False, framesFromClient:1, framesToClient:1, msgsFromClient:0, msgsToClient:0}
2016-08-12 17:01:38 [Model] debug Delete connection. user: rhost:qpid.[::1]:5671-[::1]:59398
2016-08-12 17:01:38 [Security] trace ACL ConnectionCounter closed: qpid.[::1]:5671-[::1]:59398, userId:

#####################################################
# Without SSL:

ssl-best$ cat sasl-no-ssl-no-encrypt.conf | grep -v '#' | uniq
require-encryption=no
auth=yes
sasl-config=/etc/sasl2
trace=yes
log-disable=trace:Management
log-disable=debug:Management
log-enable=notice+
log-enable=trace+:Protocol
port=5672

ssl-best$ qpidd --conf sasl-no-ssl-no-encrypt.conf
2016-08-12 17:13:34 [Broker] notice Broker (pid=4164) start-up
2016-08-12 17:13:34 [Model] trace Mgmt create memory. id:amqp-broker
2016-08-12 17:13:34 [Broker] info Management enabled
2016-08-12 17:13:34 [Management] info ManagementAgent restored broker ID: f390a428-3c91-4255-a327-55b4a3fb7570
2016-08-12 17:13:34 [Model] trace Mgmt create system. id:d9ae84c5-a943-4446-bf05-1ca543f0d34f
2016-08-12 17:13:34 [Model] trace Mgmt create broker. id:amqp-broker
2016-08-12 17:13:34 [Model] trace Mgmt create vhost. id:org.apache.qpid.broker:broker:amqp-broker,/
2016-08-12 17:13:34 [Security] notice SSL plugin not enabled, you must set --ssl-cert-db to enable it.
2016-08-12 17:13:34 [Broker] info Loaded protocol amqp1.0
2016-08-12 17:13:34 [Model] trace Mgmt create exchange. id: ...
2016-08-12 17:13:34 [Model] trace Mgmt create exchange. id:qmf.default.direct
2016-08-12 17:13:34 [Security] info SASL: config path set to /etc/sasl2
2016-08-12 17:13:34 [Broker] info SASL enabled
2016-08-12 17:13:34 [Network] debug No Socket fd specified
2016-08-12 17:13:34 [Model] trace Mgmt create acl. id:org.apache.qpid.broker:broker:amqp-broker
2016-08-12 17:13:34 [Security] debug ACL loaded empty rule set
2016-08-12 17:13:34 [Security] info ACL Plugin loaded
2016-08-12 17:13:34 [Security] trace Initialising SSL plugin
2016-08-12 17:13:34 [Network] debug Using interface:
2016-08-12 17:13:34 [Network] info Listening to: 0.0.0.0:5672
2016-08-12 17:13:34 [Network] debug Listened to: 5672
2016-08-12 17:13:34 [Network] info Listening to: [::]:5672
2016-08-12 17:13:34 [Network] debug Listened to: 5672
2016-08-12 17:13:34 [Network] notice Listening on TCP/TCP6 port 5672
2016-08-12 17:13:34 [Broker] info Broker (pid=4164) initialized
2016-08-12 17:13:34 [Broker] info Broker (pid=4164) running

# client:
ssl-best$ qpid-config --broker=amqp://jgd/donner@localhost:5672 --sasl-mechanism=PLAIN
Failed: ConnectionError: connection-forced: Authentication failed(320)

# qpidd response:
2016-08-12 17:13:49 [Network] info Set TCP_NODELAY on connection to [::1]:39648
2016-08-12 17:13:49 [System] debug RECV [qpid.[::1]:5672-[::1]:39648]: INIT(0-10)
2016-08-12 17:13:49 [Security] debug External ssf=0 and auth=
2016-08-12 17:13:49 [Security] debug min_ssf: 0, max_ssf: 256, external_ssf: 0
2016-08-12 17:13:49 [Security] info SASL: Mechanism list: DIGEST-MD5 PLAIN
2016-08-12 17:13:49 [Broker] debug LinkRegistry::notifyConnection(); key=qpid.[::1]:5672-[::1]:39648
2016-08-12 17:13:49 [Security] trace ACL ConnectionCounter new connection: qpid.[::1]:5672-[::1]:39648
2016-08-12 17:13:49 [Model] trace Mgmt create connection. id:qpid.[::1]:5672-[::1]:39648
2016-08-12 17:13:49 [Protocol] trace SENT [qpid.[::1]:5672-[::1]:39648]: INIT(0-10)
2016-08-12 17:13:49 [Protocol] trace SENT [qpid.[::1]:5672-[::1]:39648]: Frame[BEbe; channel=0; {ConnectionStartBody: server-properties={host:V2:7:str16(sidecar),platform:V2:5:str16(Linux),product:V2:8:str16(qpid-cpp),qpid.federation_tag:V2:36:str16(f390a428-3c91-4255-a327-55b4a3fb7570),version:V2:4:str16(0.34)}; mechanisms=str16{V2:10:str16(DIGEST-MD5), V2:5:str16(PLAIN)}; locales=str16{V2:5:str16(en_US)}; }]
2016-08-12 17:13:49 [Protocol] trace RECV [qpid.[::1]:5672-[::1]:39648]: Frame[BEbe; channel=0; {ConnectionStartOkBody: client-properties={platform:V2:5:str16(posix),product:V2:18:str16(qpid python client),qpid.client_pid:F8:int64(4171),qpid.client_ppid:F8:int64(2058),qpid.client_process:V2:11:str16(qpid-config),version:V2:11:str16(development)}; mechanism=PLAIN; response=xxxxxx; }]
2016-08-12 17:13:49 [Security] info SASL: Starting authentication with mechanism: PLAIN
2016-08-12 17:13:49 [Security] info SASL: Authentication failed for jgd@QPID:SASL(-1): generic failure: Password verification failed
2016-08-12 17:13:49 [System] debug Exception constructed: Authentication failed
2016-08-12 17:13:49 [Model] debug Failed connection. rhost:qpid.[::1]:5672-[::1]:39648 user:jgd@QPID reason:SASL(-1): generic failure: Password verification failed
2016-08-12 17:13:49 [Protocol] error Connection qpid.[::1]:5672-[::1]:39648 closed by error: connection-forced: Authentication failed(320)
2016-08-12 17:13:49 [Protocol] trace SENT [qpid.[::1]:5672-[::1]:39648]: Frame[BEbe; channel=0; {ConnectionCloseBody: reply-code=320; reply-text=connection-forced: Authentication failed; }]
2016-08-12 17:13:49 [Model] trace Mgmt destroying connection. id:qpid.[::1]:5672-[::1]:39648 Statistics: {bytesFromClient:201, bytesToClient:59, closing:False, framesFromClient:1, framesToClient:1, msgsFromClient:0, msgsToClient:0}
2016-08-12 17:13:49 [Model] debug Delete connection. user: rhost:qpid.[::1]:5672-[::1]:39648
2016-08-12 17:13:49 [Security] trace ACL ConnectionCounter closed: qpid.[::1]:5672-[::1]:39648, userId:

######################################################
# C++ Proton 0.12.2 client

// parts of interest
// (includes added for the fragment; Proton 0.12 C++ binding headers)
#include <proton/connection_options.hpp>
#include <proton/container.hpp>
#include <proton/event.hpp>
#include <proton/handler.hpp>
#include <proton/message.hpp>
#include <proton/sender.hpp>
#include <proton/url.hpp>
#include <iostream>

class sasl_plain_client : public proton::handler {
  private:
    proton::url url;
    server_handler s_handler;   // defined elsewhere in the author's program (not shown)

  public:
    sasl_plain_client(const proton::url &u) : url(u) {}

    void on_start(proton::event &e) {
        // Restrict the client to PLAIN, allow it over a non-TLS connection,
        // and point the client-side SASL library at the broker's config file.
        proton::connection_options client_opts;
        client_opts.allowed_mechs("PLAIN").
            allow_insecure_mechs(true).
            sasl_config_path("/etc/sasl2/qpidd.conf");
        e.container().client_connection_options(client_opts);
        std::cout << "url:>" << url << "<" << std::endl;
        e.container().open_sender(url);
    }

    void on_sendable(proton::event &e) {
        proton::message m;
        m.body("Hello World!");
        e.sender().send(m);
        e.sender().close();
    }
};

// ./sasl-plain-client-broker
int main(int argc, char **argv) {
    try {
        proton::url my_url;
        my_url.scheme("amqp");
        my_url.username("jgd");
        my_url.password("donner");
        my_url.host("localhost");
        my_url.port("5672");
        sasl_plain_client my_client(my_url);
        proton::container(my_client).run();
        ...

ssl-best$ qpidd --conf sasl-no-ssl-no-encrypt.conf
2016-08-12 19:19:15 [Broker] notice Broker (pid=6924) start-up
2016-08-12 19:19:15 [Model] trace Mgmt create memory. id:amqp-broker
2016-08-12 19:19:15 [Broker] info Management enabled
2016-08-12 19:19:15 [Management] info ManagementAgent restored broker ID: f390a428-3c91-4255-a327-55b4a3fb7570
2016-08-12 19:19:15 [Model] trace Mgmt create system. id:d9ae84c5-a943-4446-bf05-1ca543f0d34f
2016-08-12 19:19:15 [Model] trace Mgmt create broker. id:amqp-broker
2016-08-12 19:19:15 [Model] trace Mgmt create vhost. id:org.apache.qpid.broker:broker:amqp-broker,/
2016-08-12 19:19:15 [Security] notice SSL plugin not enabled, you must set --ssl-cert-db to enable it.
2016-08-12 19:19:15 [Broker] info Loaded protocol amqp1.0
2016-08-12 19:19:15 [Model] trace Mgmt create exchange. id: ....
2016-08-12 19:19:15 [Model] trace Mgmt create exchange. id:qmf.default.direct
2016-08-12 19:19:15 [Security] info SASL: config path set to /etc/sasl2
2016-08-12 19:19:15 [Broker] info SASL enabled
2016-08-12 19:19:15 [Network] debug No Socket fd specified
2016-08-12 19:19:15 [Model] trace Mgmt create acl. id:org.apache.qpid.broker:broker:amqp-broker
2016-08-12 19:19:15 [Security] debug ACL loaded empty rule set
2016-08-12 19:19:15 [Security] info ACL Plugin loaded
2016-08-12 19:19:15 [Security] trace Initialising SSL plugin
2016-08-12 19:19:15 [Network] debug Using interface:
2016-08-12 19:19:15 [Network] info Listening to: 0.0.0.0:5672
2016-08-12 19:19:15 [Network] debug Listened to: 5672
2016-08-12 19:19:15 [Network] info Listening to: [::]:5672
2016-08-12 19:19:15 [Network] debug Listened to: 5672
2016-08-12 19:19:15 [Network] notice Listening on TCP/TCP6 port 5672
2016-08-12 19:19:15 [Broker] info Broker (pid=6924) initialized
2016-08-12 19:19:15 [Broker] info Broker (pid=6924) running

# client -- why is it writing the username + password jgd:donner instead of jgd/donner? Is it suspicious?
ssl-best$ ./sasl-plain-client-broker
url:>amqp://jgd:donner@localhost:5672<
amqp:unauthorized-access: Authentication failed [mech=PLAIN]

# qpidd response:
2016-08-12 19:19:21 [Network] info Set TCP_NODELAY on connection to [::1]:39892
2016-08-12 19:19:21 [System] debug RECV [qpid.[::1]:5672-[::1]:39892]: INIT(1-0)
2016-08-12 19:19:21 [Broker] info Using AMQP 1.0 (with SASL layer)
2016-08-12 19:19:21 [Security] debug External ssf=0 and auth=
2016-08-12 19:19:21 [Security] debug min_ssf: 0, max_ssf: 256, external_ssf: 0
2016-08-12 19:19:21 [Model] trace Mgmt create connection. id:qpid.[::1]:5672-[::1]:39892
2016-08-12 19:19:21 [Security] trace ACL ConnectionCounter new connection: qpid.[::1]:5672-[::1]:39892
2016-08-12 19:19:21 [Security] info SASL: Mechanism list: DIGEST-MD5 PLAIN
2016-08-12 19:19:21 [Security] trace Completed encoding of frame of 41 bytes
2016-08-12 19:19:21 [Protocol] debug qpid.[::1]:5672-[::1]:39892 Sent SASL-MECHANISMS(DIGEST-MD5 PLAIN) 41
2016-08-12 19:19:21 [Protocol] debug qpid.[::1]:5672-[::1]:39892 writing protocol header: 1-0
2016-08-12 19:19:21 [Security] trace qpid.[::1]:5672-[::1]:39892 Sasl::encode(65536): 49
2016-08-12 19:19:21 [Security] trace Reading SASL frame of size 40
2016-08-12 19:19:21 [Security] trace Reading SASL-INIT
2016-08-12 19:19:21 [Protocol] debug qpid.[::1]:5672-[::1]:39892 Received SASL-INIT(PLAIN, \x00jgd\x00donner)
2016-08-12 19:19:21 [Security] info SASL: Starting authentication with mechanism: PLAIN
2016-08-12 19:19:21 [Security] trace Completed encoding of frame of 16 bytes
2016-08-12 19:19:21 [Protocol] debug qpid.[::1]:5672-[::1]:39892 Sent SASL-OUTCOME(1) 16
2016-08-12 19:19:21 [Security] info qpid.[::1]:5672-[::1]:39892 Failed to authenticate
2016-08-12 19:19:21 [Security] trace qpid.[::1]:5672-[::1]:39892 Sasl::decode(40): 40
2016-08-12 19:19:21 [Security] trace qpid.[::1]:5672-[::1]:39892 Sasl::encode(65536): 16
2016-08-12 19:19:21 [Security] info qpid.[::1]:5672-[::1]:39892 Connection closed prior to authentication completing
2016-08-12 19:19:21 [Security] trace ACL ConnectionCounter closed: qpid.[::1]:5672-[::1]:39892, userId:
2016-08-12 19:19:21 [Model] debug Delete connection. user: rhost:qpid.[::1]:5672-[::1]:39892

-- Something's wrong with my SASL setup, I feel sure; it's just whiffing at authenticating. I moved the sasldb from its original, qpid-specific location to the system's db (reflected in all cases above), but that made no difference.

If you have a domain associated with a username (jgd), you need to specify it for administrative actions, which the qpid-config tool URL doesn't give you a way to do, but it looks like qpid-config is filling in the right value (QPID) anyway. I tried making the username be jgd@QPID and jgd/QPID to compensate for the lack of domain, but those failed too:

2016-08-12 19:31:32 [Protocol] debug qpid.[::1]:5672-[::1]:39902 Received SASL-INIT(PLAIN, \x00jgd@QPID\x00donner)
2016-08-12 19:32:26 [Protocol] debug qpid.[::1]:5672-[::1]:39904 Received SASL-INIT(PLAIN, \x00jgd/QPID\x00donner)

ssl-best$ ./sasl-plain-client-broker
url:>amqp://jgd%40QPID:donner@localhost:5672<
amqp:unauthorized-access: Authentication failed [mech=PLAIN]
ssl-best$
ssl-best$ ./sasl-plain-client-broker
url:>amqp://jgd%2FQPID:donner@localhost:5672<
amqp:unauthorized-access: Authentication failed [mech=PLAIN]

Any ideas?

Thanks,
Jeff

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
For additional commands, e-mail: users-h...@qpid.apache.org
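Added example, not code from the thread or from the Qpid or Proton projects: a small Python checker that reads qpidd trace lines like the ones quoted above, decodes the RFC 4616 PLAIN initial response the broker logs as SASL-INIT(PLAIN, \x00jgd\x00donner), splits a sasldb-style user@realm name, and for the EXTERNAL run pairs the identity the TLS layer authenticated (auth=test_client) with the identity the client requested (jgd@QPID), which is the -13 "Requested identity not authenticated identity" failure. The function names and regexes are my own; the sample lines are constructed by copying from the trace in the post.

```python
import re

# Trace lines constructed by copying from the qpidd output quoted in the thread.
EXTERNAL_TRACE = [
    "2016-08-12 17:01:38 [Security] debug External ssf=128 and auth=test_client",
    "2016-08-12 17:01:38 [Security] info SASL: Starting authentication with mechanism: EXTERNAL",
    "2016-08-12 17:01:38 [Security] info SASL: Authentication failed for jgd@QPID:SASL(-13): "
    "authentication failure: Requested identity not authenticated identity",
]
PLAIN_TRACE = [
    "2016-08-12 19:19:21 [Security] debug External ssf=0 and auth=",
    "2016-08-12 19:19:21 [Protocol] debug qpid.[::1]:5672-[::1]:39892 "
    "Received SASL-INIT(PLAIN, \\x00jgd\\x00donner)",
]

EXT_RE = re.compile(r"External ssf=(?P<ssf>\d+) and auth=(?P<auth>\S*)")
MECH_RE = re.compile(r"Starting authentication with mechanism: (?P<mech>\S+)")
INIT_RE = re.compile(r"Received SASL-INIT\((?P<mech>[^,]+), (?P<resp>[^)]*)\)")
FAIL_RE = re.compile(r"Authentication failed for (?P<user>.+?):SASL\((?P<code>-?\d+)\)")


def decode_plain(resp):
    """RFC 4616 PLAIN: authzid NUL authcid NUL passwd. qpidd logs NUL as the
    literal text \\x00, so map it back first. Only the password length is kept."""
    fields = resp.replace("\\x00", "\x00").split("\x00")
    if len(fields) != 3:
        raise ValueError("PLAIN response needs exactly three NUL-separated fields")
    authzid, authcid, passwd = fields
    return {"authzid": authzid, "authcid": authcid, "password_len": len(passwd)}


def split_realm(name):
    """sasldb keys users as user@realm: 'jgd@QPID' -> ('jgd', 'QPID')."""
    user, sep, realm = name.partition("@")
    return user, (realm if sep else None)


def summarize(lines):
    """Reduce one connection's trace to what the SASL exchange asked for. For
    EXTERNAL, 'mismatch' is True when requested and TLS-authenticated identities differ."""
    out = {"mechanism": None, "external_auth": None, "requested": None, "failure_code": None}
    for line in lines:
        if m := EXT_RE.search(line):
            out["external_auth"] = m.group("auth") or None
        if m := MECH_RE.search(line):
            out["mechanism"] = m.group("mech")
        if m := INIT_RE.search(line):
            out["mechanism"] = m.group("mech")
            if m.group("mech") == "PLAIN":
                plain = decode_plain(m.group("resp"))
                out["requested"] = plain["authcid"]
                out["password_len"] = plain["password_len"]
        if m := FAIL_RE.search(line):
            out["requested"], out["failure_code"] = m.group("user"), int(m.group("code"))
    if out["mechanism"] == "EXTERNAL":
        out["mismatch"] = out["requested"] != out["external_auth"]
    return out
```

Run it over a full connection's trace to see, per attempt, which mechanism was negotiated and which identity the broker was actually asked to verify, without ever reproducing the password from the log.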