author | Michael Goulish <mgoulish@apache.org> | 2011-11-03 15:15:45 +0000 |
---|---|---|
committer | Michael Goulish <mgoulish@apache.org> | 2011-11-03 15:15:45 +0000 |
commit | c0ba8ea3bf4463e481712271481f29848018765a (patch) | |
tree | f1240e2060a5927b9f9443d9031aeb5b4c5e11ab | |
parent | 048daa1b473e4d05318d4cc06c7ac2ba3bd762eb (diff) | |
download | qpid-python-c0ba8ea3bf4463e481712271481f29848018765a.tar.gz |
I am removing DIGEST-MD5 from the mech list, because we cannot supply
a username+passwd in the sasldb file without introducing a security hole
to production systems.
So now the only mech is ANONYMOUS -- and lots of changes to the comments
to make it clear how to enable MD5 and how to add username+passwd for it.
Also, one of the broker options that was mentioned in the old text was
archaic -- updated that.
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1197178 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | qpid/cpp/etc/sasl2/qpidd.conf | 66 |
1 files changed, 50 insertions, 16 deletions
diff --git a/qpid/cpp/etc/sasl2/qpidd.conf b/qpid/cpp/etc/sasl2/qpidd.conf index d766cb8ef8..0872bc251b 100644 --- a/qpid/cpp/etc/sasl2/qpidd.conf +++ b/qpid/cpp/etc/sasl2/qpidd.conf 
@@ -17,30 +17,64 @@ # under the License. # # -# This configuation allows for either SASL ANONYMOUS or DIGEST-MD5 -# authentication. The DIGEST-MD5 authentication is done on a -# username+password, which is stored in the sasldb_path -# file. Usernames and passwords can be added to the file using the -# command: +#--------------------------------- +# Mechanisms and Users +#--------------------------------- # -# saslpasswd2 -f /var/lib/qpidd/qpidd.sasldb -u <REALM> <USER> +# This default qpidd configuration allows for only SASL ANONYMOUS authentication. +# To additionally enable DIGEST-MD5 authentication: # -# The REALM is important and should be the same as the --auth-realm -# option to the broker. This lets the broker properly find the user in -# the sasldb file. +# 1. edit the mech_list below to read +# mech_list: DIGEST-MD5 ANONYMOUS # -# Existing user accounts may be listed with: +# 2. To add new a new user+password to the sasldb file: +# echo $PASSWD | saslpasswd2 -c -p -f $SASLTEST_DB -u QPID $USERNAME # -# sasldblistusers2 -f /var/lib/qpidd/qpidd.sasldb # -# NOTE: The sasldb file must be readable by the user running the qpidd -# daemon, and should be readable only by that user. +# PLEASE NOTE +# For production messaging systems, a high-security mechanism such as +# DIGEST-MD5 or PLAIN+SSL should be enabled. +# # pwcheck_method: auxprop auxprop_plugin: sasldb sasldb_path: /var/lib/qpidd/qpidd.sasldb -mech_list: DIGEST-MD5 ANONYMOUS +mech_list: ANONYMOUS + -#following line stops spurious 'sql_select option missing' errors when -#cyrus-sql-sasl plugin is installed + +#--------------------------------- +# Other Notes +#--------------------------------- +# +# 1. If you use a nonstandard location for your sasl_config directory, +# you can point qpidd to it by using the --sasl-config option. 
+# If your nonstandard sasl directory is $MY_SASL_DIR, put a copy +# of this file at $MY_SASL_DIR/qpidd.conf, alter the mech list as +# appropriate for your installation, and then use the saslpasswd2 +# command to add new user+passwd pairs: +# echo $PASSWD | saslpasswd2 -c -p -f $MY_SASL_DIR/qpidd.sasldb -u QPID $USERNAME +# +# +# 2. The standard location for the qpidd sasldb file is +# /var/lib/qpidd/qpidd.sasldb +# +# 3. You can see what usernames have been stored in the sasldb, with the +# sasldblistusers2 command. +# +# 4. The REALM is important and should be the same as the --realm +# option to the broker. This lets the broker properly find the user in +# the sasldb file. +# +# 5. The sasldb file must be readable by the user running the qpidd +# daemon, and should be readable only by that user. +# + + + +# The following line stops spurious 'sql_select option missing' errors when +# cyrus-sql-sasl plugin is installed sql_select: dummy select + + + |
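Review bot: the saslpasswd2 example in the new "Mechanisms and Users" section references an undefined `$SASLTEST_DB` variable, which reads like a leftover from a test script and disagrees with both the `sasldb_path: /var/lib/qpidd/qpidd.sasldb` setting a few lines below and the `$MY_SASL_DIR/qpidd.sasldb` form used under "Other Notes"; suggest `echo $PASSWD | saslpasswd2 -c -p -f /var/lib/qpidd/qpidd.sasldb -u QPID $USERNAME` so a copy-paste works against the default location. The same line carries the typo "To add new a new user+password". Both saslpasswd2 examples also hardcode the realm as `-u QPID`, while note 4 says the realm must match the broker's `--realm` option; writing `-u <REALM>` as the old text did, or saying explicitly which realm the broker uses when `--realm` is not given, would avoid entries the broker cannot look up. Finally, the three trailing blank `+` lines after `sql_select: dummy select` add nothing and can be dropped.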