qpid-users mailing list archives

From Jeff Donner <jdon...@morphodetection.com>
Subject RE: Is it normal to have to turn SASL off to get qpid-config and qpid-stat to work with SSL?
Date Sat, 13 Aug 2016 02:35:27 GMT
> For EXTERNAL, you need to have the swigged wrapper for cyrus-sasl[1]. If
> you don't have that, that could explain why EXTERNAL doesn't work. What
> error do you get if you try to use EXTERNAL?

It /looks/ like I should have those ... 

  etc$ rpm -qa | grep sasl | sort
  cyrus-sasl-2.1.26-25.2.fc23.x86_64
  cyrus-sasl-debuginfo-2.1.26-25.2.fc23.x86_64
  cyrus-sasl-devel-2.1.26-25.2.fc23.x86_64
  cyrus-sasl-gssapi-2.1.26-25.2.fc23.x86_64
  cyrus-sasl-lib-2.1.26-25.2.fc23.x86_64
  cyrus-sasl-md5-2.1.26-25.2.fc23.x86_64
  cyrus-sasl-plain-2.1.26-25.2.fc23.x86_64
  cyrus-sasl-scram-2.1.26-25.2.fc23.x86_64
  libgsasl-1.8.0-6.fc23.x86_64
  libgsasl-devel-1.8.0-6.fc23.x86_64
  python-saslwrapper-0.16-11.fc23.x86_64
  saslwrapper-0.16-11.fc23.x86_64

###################################################
# Full SASL and SSL

ssl-best$ cat ssl-qpidd.conf | grep -v '#' | uniq
require-encryption=yes
ssl-cert-db=ssl_certs/server_db
ssl-cert-password-file=ssl_certs/server_db_password
ssl-cert-name=test_server
ssl-use-export-policy=yes
ssl-require-client-authentication=yes
auth=yes
sasl-config=/etc/sasl2
ssl-sasl-no-dict=yes
trace=yes
log-disable=trace:Management
log-disable=debug:Management
log-enable=notice+
log-enable=trace+:Protocol
ssl-port=5671

sasl2$ cat /etc/sasl2/qpidd.conf | grep -v '#' | uniq
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/sasldb2
mech_list: EXTERNAL DIGEST-MD5 PLAIN
sql_select: dummy select

sasl2$ sudo sasldblistusers2 /etc/sasldb2
[sudo] password for jdonner: 
jgd@QPID: userPassword -- (password is donner)


ssl-best$ qpidd --conf ssl-qpidd.conf            
2016-08-12 17:01:30 [Broker] notice Broker (pid=4058) start-up
2016-08-12 17:01:30 [Model] trace Mgmt create memory. id:amqp-broker
2016-08-12 17:01:30 [Broker] info Management enabled
2016-08-12 17:01:30 [Management] info ManagementAgent restored broker ID: f390a428-3c91-4255-a327-55b4a3fb7570
2016-08-12 17:01:30 [Model] trace Mgmt create system. id:d9ae84c5-a943-4446-bf05-1ca543f0d34f
2016-08-12 17:01:30 [Model] trace Mgmt create broker. id:amqp-broker
2016-08-12 17:01:30 [Model] trace Mgmt create vhost. id:org.apache.qpid.broker:broker:amqp-broker,/
2016-08-12 17:01:30 [Broker] info Loaded protocol amqp1.0
2016-08-12 17:01:30 [Model] trace Mgmt create exchange. id:
....
2016-08-12 17:01:30 [Model] trace Mgmt create exchange. id:qmf.default.direct
2016-08-12 17:01:30 [Security] info SASL: config path set to /etc/sasl2
2016-08-12 17:01:30 [Broker] info SASL enabled
2016-08-12 17:01:30 [Network] debug No Socket fd specified
2016-08-12 17:01:30 [Model] trace Mgmt create acl. id:org.apache.qpid.broker:broker:amqp-broker
2016-08-12 17:01:30 [Security] debug ACL loaded empty rule set
2016-08-12 17:01:30 [Security] info ACL Plugin loaded
2016-08-12 17:01:30 [Security] trace Initialising SSL plugin
2016-08-12 17:01:30 [Network] debug Using interface: 
2016-08-12 17:01:30 [Network] info Listening to: 0.0.0.0:5671
2016-08-12 17:01:30 [Network] debug Listened to: 5671
2016-08-12 17:01:30 [Network] info Listening to: [::]:5671
2016-08-12 17:01:30 [Network] debug Listened to: 5671
2016-08-12 17:01:30 [Security] notice Listening for SSL connections on TCP/TCP6 port 5671
2016-08-12 17:01:30 [Network] debug Using interface: 
2016-08-12 17:01:30 [Network] info Listening to: 0.0.0.0:5672
2016-08-12 17:01:30 [Network] debug Listened to: 5672
2016-08-12 17:01:30 [Network] info Listening to: [::]:5672
2016-08-12 17:01:30 [Network] debug Listened to: 5672
2016-08-12 17:01:30 [Network] notice Listening on TCP/TCP6 port 5672
2016-08-12 17:01:30 [Broker] info Broker (pid=4058) initialized
2016-08-12 17:01:30 [Broker] info Broker (pid=4058) running

# client
ssl-best$ qpid-config --broker=amqps://jgd/donner@localhost:5671 --ssl-certificate=ssl_certs/client/tclient-certificate.pem --ssl-key=ssl_certs/tclient-unencrypted-private.key
Failed: ConnectionError: connection-forced: Authentication failed(320)

# qpidd response:
2016-08-12 17:01:38 [Network] trace Accepting SSL connection.
2016-08-12 17:01:38 [Network] info Set TCP_NODELAY on connection to [::1]:59398
2016-08-12 17:01:38 [Network] trace Accepting SSL connection.
2016-08-12 17:01:38 [System] debug RECV [qpid.[::1]:5671-[::1]:59398]: INIT(0-10)
2016-08-12 17:01:38 [Security] debug External ssf=128 and auth=test_client
2016-08-12 17:01:38 [Security] debug min_ssf: 0, max_ssf: 0, external_ssf: 128
2016-08-12 17:01:38 [Security] debug external auth detected and set to test_client
2016-08-12 17:01:38 [Security] info SASL: Mechanism list: EXTERNAL
2016-08-12 17:01:38 [Broker] debug LinkRegistry::notifyConnection(); key=qpid.[::1]:5671-[::1]:59398
2016-08-12 17:01:38 [Security] trace ACL ConnectionCounter new connection: qpid.[::1]:5671-[::1]:59398
2016-08-12 17:01:38 [Model] trace Mgmt create connection. id:qpid.[::1]:5671-[::1]:59398
2016-08-12 17:01:38 [Protocol] trace SENT [qpid.[::1]:5671-[::1]:59398]: INIT(0-10)
2016-08-12 17:01:38 [Protocol] trace SENT [qpid.[::1]:5671-[::1]:59398]: Frame[BEbe; channel=0;
{ConnectionStartBody: server-properties={host:V2:7:str16(sidecar),platform:V2:5:str16(Linux),product:V2:8:str16(qpid-cpp),qpid.federation_tag:V2:36:str16(f390a428-3c91-4255-a327-55b4a3fb7570),version:V2:4:str16(0.34)};
mechanisms=str16{V2:8:str16(EXTERNAL)}; locales=str16{V2:5:str16(en_US)}; }]
2016-08-12 17:01:38 [Protocol] trace RECV [qpid.[::1]:5671-[::1]:59398]: Frame[BEbe; channel=0;
{ConnectionStartOkBody: client-properties={platform:V2:5:str16(posix),product:V2:18:str16(qpid
python client),qpid.client_pid:F8:int64(4067),qpid.client_ppid:F8:int64(2058),qpid.client_process:V2:11:str16(qpid-config),version:V2:11:str16(development)};
mechanism=EXTERNAL; response=xxxxxx; }]
2016-08-12 17:01:38 [Security] info SASL: Starting authentication with mechanism: EXTERNAL
2016-08-12 17:01:38 [Security] info SASL: Authentication failed for jgd@QPID:SASL(-13): authentication
failure: Requested identity not authenticated identity
2016-08-12 17:01:38 [System] debug Exception constructed: Authentication failed
2016-08-12 17:01:38 [Model] debug Failed connection. rhost:qpid.[::1]:5671-[::1]:59398 user:jgd@QPID
reason:SASL(-13): authentication failure: Requested identity not authenticated identity
2016-08-12 17:01:38 [Protocol] error Connection qpid.[::1]:5671-[::1]:59398 closed by error:
connection-forced: Authentication failed(320)
2016-08-12 17:01:38 [Protocol] trace SENT [qpid.[::1]:5671-[::1]:59398]: Frame[BEbe; channel=0;
{ConnectionCloseBody: reply-code=320; reply-text=connection-forced: Authentication failed;
}]
2016-08-12 17:01:38 [Model] trace Mgmt destroying connection. id:qpid.[::1]:5671-[::1]:59398
Statistics: {bytesFromClient:193, bytesToClient:59, closing:False, framesFromClient:1, framesToClient:1,
msgsFromClient:0, msgsToClient:0}
2016-08-12 17:01:38 [Model] debug Delete connection. user: rhost:qpid.[::1]:5671-[::1]:59398
2016-08-12 17:01:38 [Security] trace ACL ConnectionCounter closed: qpid.[::1]:5671-[::1]:59398,
userId:



#####################################################
# Without SSL:

ssl-best$ cat sasl-no-ssl-no-encrypt.conf | grep -v '#' | uniq
require-encryption=no
auth=yes
sasl-config=/etc/sasl2
trace=yes
log-disable=trace:Management
log-disable=debug:Management
log-enable=notice+
log-enable=trace+:Protocol
port=5672


ssl-best$ qpidd --conf sasl-no-ssl-no-encrypt.conf
2016-08-12 17:13:34 [Broker] notice Broker (pid=4164) start-up
2016-08-12 17:13:34 [Model] trace Mgmt create memory. id:amqp-broker
2016-08-12 17:13:34 [Broker] info Management enabled
2016-08-12 17:13:34 [Management] info ManagementAgent restored broker ID: f390a428-3c91-4255-a327-55b4a3fb7570
2016-08-12 17:13:34 [Model] trace Mgmt create system. id:d9ae84c5-a943-4446-bf05-1ca543f0d34f
2016-08-12 17:13:34 [Model] trace Mgmt create broker. id:amqp-broker
2016-08-12 17:13:34 [Model] trace Mgmt create vhost. id:org.apache.qpid.broker:broker:amqp-broker,/
2016-08-12 17:13:34 [Security] notice SSL plugin not enabled, you must set --ssl-cert-db to
enable it.
2016-08-12 17:13:34 [Broker] info Loaded protocol amqp1.0
2016-08-12 17:13:34 [Model] trace Mgmt create exchange. id:
...
2016-08-12 17:13:34 [Model] trace Mgmt create exchange. id:qmf.default.direct
2016-08-12 17:13:34 [Security] info SASL: config path set to /etc/sasl2
2016-08-12 17:13:34 [Broker] info SASL enabled
2016-08-12 17:13:34 [Network] debug No Socket fd specified
2016-08-12 17:13:34 [Model] trace Mgmt create acl. id:org.apache.qpid.broker:broker:amqp-broker
2016-08-12 17:13:34 [Security] debug ACL loaded empty rule set
2016-08-12 17:13:34 [Security] info ACL Plugin loaded
2016-08-12 17:13:34 [Security] trace Initialising SSL plugin
2016-08-12 17:13:34 [Network] debug Using interface: 
2016-08-12 17:13:34 [Network] info Listening to: 0.0.0.0:5672
2016-08-12 17:13:34 [Network] debug Listened to: 5672
2016-08-12 17:13:34 [Network] info Listening to: [::]:5672
2016-08-12 17:13:34 [Network] debug Listened to: 5672
2016-08-12 17:13:34 [Network] notice Listening on TCP/TCP6 port 5672
2016-08-12 17:13:34 [Broker] info Broker (pid=4164) initialized
2016-08-12 17:13:34 [Broker] info Broker (pid=4164) running

# client:
ssl-best$ qpid-config --broker=amqp://jgd/donner@localhost:5672 --sasl-mechanism=PLAIN
Failed: ConnectionError: connection-forced: Authentication failed(320)

# qpidd response:
2016-08-12 17:13:49 [Network] info Set TCP_NODELAY on connection to [::1]:39648
2016-08-12 17:13:49 [System] debug RECV [qpid.[::1]:5672-[::1]:39648]: INIT(0-10)
2016-08-12 17:13:49 [Security] debug External ssf=0 and auth=
2016-08-12 17:13:49 [Security] debug min_ssf: 0, max_ssf: 256, external_ssf: 0
2016-08-12 17:13:49 [Security] info SASL: Mechanism list: DIGEST-MD5 PLAIN
2016-08-12 17:13:49 [Broker] debug LinkRegistry::notifyConnection(); key=qpid.[::1]:5672-[::1]:39648
2016-08-12 17:13:49 [Security] trace ACL ConnectionCounter new connection: qpid.[::1]:5672-[::1]:39648
2016-08-12 17:13:49 [Model] trace Mgmt create connection. id:qpid.[::1]:5672-[::1]:39648
2016-08-12 17:13:49 [Protocol] trace SENT [qpid.[::1]:5672-[::1]:39648]: INIT(0-10)
2016-08-12 17:13:49 [Protocol] trace SENT [qpid.[::1]:5672-[::1]:39648]: Frame[BEbe; channel=0;
{ConnectionStartBody: server-properties={host:V2:7:str16(sidecar),platform:V2:5:str16(Linux),product:V2:8:str16(qpid-cpp),qpid.federation_tag:V2:36:str16(f390a428-3c91-4255-a327-55b4a3fb7570),version:V2:4:str16(0.34)};
mechanisms=str16{V2:10:str16(DIGEST-MD5), V2:5:str16(PLAIN)}; locales=str16{V2:5:str16(en_US)};
}]
2016-08-12 17:13:49 [Protocol] trace RECV [qpid.[::1]:5672-[::1]:39648]: Frame[BEbe; channel=0;
{ConnectionStartOkBody: client-properties={platform:V2:5:str16(posix),product:V2:18:str16(qpid
python client),qpid.client_pid:F8:int64(4171),qpid.client_ppid:F8:int64(2058),qpid.client_process:V2:11:str16(qpid-config),version:V2:11:str16(development)};
mechanism=PLAIN; response=xxxxxx; }]
2016-08-12 17:13:49 [Security] info SASL: Starting authentication with mechanism: PLAIN
2016-08-12 17:13:49 [Security] info SASL: Authentication failed for jgd@QPID:SASL(-1): generic
failure: Password verification failed
2016-08-12 17:13:49 [System] debug Exception constructed: Authentication failed
2016-08-12 17:13:49 [Model] debug Failed connection. rhost:qpid.[::1]:5672-[::1]:39648 user:jgd@QPID
reason:SASL(-1): generic failure: Password verification failed
2016-08-12 17:13:49 [Protocol] error Connection qpid.[::1]:5672-[::1]:39648 closed by error:
connection-forced: Authentication failed(320)
2016-08-12 17:13:49 [Protocol] trace SENT [qpid.[::1]:5672-[::1]:39648]: Frame[BEbe; channel=0;
{ConnectionCloseBody: reply-code=320; reply-text=connection-forced: Authentication failed;
}]
2016-08-12 17:13:49 [Model] trace Mgmt destroying connection. id:qpid.[::1]:5672-[::1]:39648
Statistics: {bytesFromClient:201, bytesToClient:59, closing:False, framesFromClient:1, framesToClient:1,
msgsFromClient:0, msgsToClient:0}
2016-08-12 17:13:49 [Model] debug Delete connection. user: rhost:qpid.[::1]:5672-[::1]:39648
2016-08-12 17:13:49 [Security] trace ACL ConnectionCounter closed: qpid.[::1]:5672-[::1]:39648,
userId:


######################################################
# C++ Proton 0.12.2 client

// parts of interest (includes added so the excerpt compiles against the Proton 0.12.2 C++ API)
#include <proton/connection_options.hpp>
#include <proton/container.hpp>
#include <proton/event.hpp>
#include <proton/handler.hpp>
#include <proton/message.hpp>
#include <proton/sender.hpp>
#include <proton/url.hpp>

#include <iostream>
#include <stdexcept>

class sasl_plain_client : public proton::handler {
 private:
  proton::url url;

 public:
  sasl_plain_client(const proton::url &u) : url(u) {}

  void on_start(proton::event &e) {
    // Restrict the client to PLAIN, allow it over the cleartext connection,
    // and point the SASL library at the same config directory the broker uses.
    proton::connection_options client_opts;
    client_opts.allowed_mechs("PLAIN").
      allow_insecure_mechs(true).
      sasl_config_path("/etc/sasl2/qpidd.conf");
    e.container().client_connection_options(client_opts);

    std::cout << "url:>" << url << "<" << std::endl;
    e.container().open_sender(url);
  }

  void on_sendable(proton::event &e) {
    proton::message m;
    m.body("Hello World!");
    e.sender().send(m);
    e.sender().close();
  }
};

// ./sasl-plain-client-broker

int main(int argc, char **argv) {
  try {
    // The credentials travel in the URL; the client puts them in the PLAIN response.
    proton::url my_url;
    my_url.scheme("amqp");
    my_url.username("jgd");
    my_url.password("donner");
    my_url.host("localhost");
    my_url.port("5672");

    sasl_plain_client my_client(my_url);
    proton::container(my_client).run();
    return 0;
  } catch (const std::exception &e) {
    std::cerr << e.what() << std::endl;
  }
  return 1;
}


ssl-best$ qpidd --conf sasl-no-ssl-no-encrypt.conf
2016-08-12 19:19:15 [Broker] notice Broker (pid=6924) start-up
2016-08-12 19:19:15 [Model] trace Mgmt create memory. id:amqp-broker
2016-08-12 19:19:15 [Broker] info Management enabled
2016-08-12 19:19:15 [Management] info ManagementAgent restored broker ID: f390a428-3c91-4255-a327-55b4a3fb7570
2016-08-12 19:19:15 [Model] trace Mgmt create system. id:d9ae84c5-a943-4446-bf05-1ca543f0d34f
2016-08-12 19:19:15 [Model] trace Mgmt create broker. id:amqp-broker
2016-08-12 19:19:15 [Model] trace Mgmt create vhost. id:org.apache.qpid.broker:broker:amqp-broker,/
2016-08-12 19:19:15 [Security] notice SSL plugin not enabled, you must set --ssl-cert-db to
enable it.
2016-08-12 19:19:15 [Broker] info Loaded protocol amqp1.0
2016-08-12 19:19:15 [Model] trace Mgmt create exchange. id:
....
2016-08-12 19:19:15 [Model] trace Mgmt create exchange. id:qmf.default.direct
2016-08-12 19:19:15 [Security] info SASL: config path set to /etc/sasl2
2016-08-12 19:19:15 [Broker] info SASL enabled
2016-08-12 19:19:15 [Network] debug No Socket fd specified
2016-08-12 19:19:15 [Model] trace Mgmt create acl. id:org.apache.qpid.broker:broker:amqp-broker
2016-08-12 19:19:15 [Security] debug ACL loaded empty rule set
2016-08-12 19:19:15 [Security] info ACL Plugin loaded
2016-08-12 19:19:15 [Security] trace Initialising SSL plugin
2016-08-12 19:19:15 [Network] debug Using interface: 
2016-08-12 19:19:15 [Network] info Listening to: 0.0.0.0:5672
2016-08-12 19:19:15 [Network] debug Listened to: 5672
2016-08-12 19:19:15 [Network] info Listening to: [::]:5672
2016-08-12 19:19:15 [Network] debug Listened to: 5672
2016-08-12 19:19:15 [Network] notice Listening on TCP/TCP6 port 5672
2016-08-12 19:19:15 [Broker] info Broker (pid=6924) initialized
2016-08-12 19:19:15 [Broker] info Broker (pid=6924) running


# client -- why is it writing the username + password jgd:donner instead of jgd/donner? Is
it suspicious?
ssl-best$ ./sasl-plain-client-broker 
url:>amqp://jgd:donner@localhost:5672<
amqp:unauthorized-access: Authentication failed [mech=PLAIN]


# qpidd response:
2016-08-12 19:19:21 [Network] info Set TCP_NODELAY on connection to [::1]:39892
2016-08-12 19:19:21 [System] debug RECV [qpid.[::1]:5672-[::1]:39892]: INIT(1-0)
2016-08-12 19:19:21 [Broker] info Using AMQP 1.0 (with SASL layer)
2016-08-12 19:19:21 [Security] debug External ssf=0 and auth=
2016-08-12 19:19:21 [Security] debug min_ssf: 0, max_ssf: 256, external_ssf: 0
2016-08-12 19:19:21 [Model] trace Mgmt create connection. id:qpid.[::1]:5672-[::1]:39892
2016-08-12 19:19:21 [Security] trace ACL ConnectionCounter new connection: qpid.[::1]:5672-[::1]:39892
2016-08-12 19:19:21 [Security] info SASL: Mechanism list: DIGEST-MD5 PLAIN
2016-08-12 19:19:21 [Security] trace Completed encoding of frame of 41 bytes
2016-08-12 19:19:21 [Protocol] debug qpid.[::1]:5672-[::1]:39892 Sent SASL-MECHANISMS(DIGEST-MD5
PLAIN) 41
2016-08-12 19:19:21 [Protocol] debug qpid.[::1]:5672-[::1]:39892 writing protocol header:
1-0
2016-08-12 19:19:21 [Security] trace qpid.[::1]:5672-[::1]:39892 Sasl::encode(65536): 49
2016-08-12 19:19:21 [Security] trace Reading SASL frame of size 40
2016-08-12 19:19:21 [Security] trace Reading SASL-INIT
2016-08-12 19:19:21 [Protocol] debug qpid.[::1]:5672-[::1]:39892 Received SASL-INIT(PLAIN,
\x00jgd\x00donner)
2016-08-12 19:19:21 [Security] info SASL: Starting authentication with mechanism: PLAIN
2016-08-12 19:19:21 [Security] trace Completed encoding of frame of 16 bytes
2016-08-12 19:19:21 [Protocol] debug qpid.[::1]:5672-[::1]:39892 Sent SASL-OUTCOME(1) 16
2016-08-12 19:19:21 [Security] info qpid.[::1]:5672-[::1]:39892 Failed to authenticate
2016-08-12 19:19:21 [Security] trace qpid.[::1]:5672-[::1]:39892 Sasl::decode(40): 40
2016-08-12 19:19:21 [Security] trace qpid.[::1]:5672-[::1]:39892 Sasl::encode(65536): 16
2016-08-12 19:19:21 [Security] info qpid.[::1]:5672-[::1]:39892 Connection closed prior to
authentication completing
2016-08-12 19:19:21 [Security] trace ACL ConnectionCounter closed: qpid.[::1]:5672-[::1]:39892,
userId:
2016-08-12 19:19:21 [Model] debug Delete connection. user: rhost:qpid.[::1]:5672-[::1]:39892


-- something's wrong with my SASL setup I feel sure, it's just whiffing at authenticating.
I moved the sasldb from its original, qpid-specific location to the system's db (reflected
in all cases above), but that made no difference. If you have a domain associated with a username
(jgd), you need to specify it for administrative actions which the qpid-config tool URL doesn't
give you a way to do, but it looks like qpid-config is filling in the right value (QPID) anyway.


I tried making the username be: jgd@QPID and jgd/QPID to compensate for the lack of domain,
but, those failed too:

2016-08-12 19:31:32 [Protocol] debug qpid.[::1]:5672-[::1]:39902 Received SASL-INIT(PLAIN,
\x00jgd@QPID\x00donner)
2016-08-12 19:32:26 [Protocol] debug qpid.[::1]:5672-[::1]:39904 Received SASL-INIT(PLAIN,
\x00jgd/QPID\x00donner)

ssl-best$ ./sasl-plain-client-broker 
url:>amqp://jgd%40QPID:donner@localhost:5672<
amqp:unauthorized-access: Authentication failed [mech=PLAIN]
ssl-best$ 
ssl-best$ ./sasl-plain-client-broker 
url:>amqp://jgd%2FQPID:donner@localhost:5672<
amqp:unauthorized-access: Authentication failed [mech=PLAIN]


Any ideas? 
Thanks,
Jeff
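
As an added worked example (not part of Jeff's message, and not qpidd, qpid-config or Cyrus SASL code), the Python below models the two SASL exchanges visible in the broker logs above: the RFC 4616 PLAIN initial response that the broker logged as SASL-INIT(PLAIN, \x00jgd\x00donner), the realm qualification that turned the bare login name jgd into jgd@QPID in the broker log, and the EXTERNAL rule behind "Requested identity not authenticated identity", where the identity comes from the TLS client certificate (auth=test_client in the log) rather than from the name in the URL. The credential table, the default realm name and the lookup are constructed for the example; the model succeeds against its own constructed table and does not reproduce whatever made the real sasldb lookup fail.

```python
"""Model of the PLAIN and EXTERNAL SASL exchanges seen in the broker logs.

Added example, not code from the original post, from qpidd or from Cyrus SASL.
The credential table, the realm and the lookup are constructed for the example.
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass

# Constructed to mirror the `sasldblistusers2` output above: one user, jgd@QPID.
SASLDB = {"jgd@QPID": "donner"}
DEFAULT_REALM = "QPID"  # the realm the broker log appended to the bare login name jgd


@dataclass(frozen=True)
class PlainCreds:
    authzid: str    # identity to act as; empty means "same as authcid"
    authcid: str    # identity whose password is being checked
    password: str


def encode_plain(authcid: str, password: str, authzid: str = "") -> bytes:
    """RFC 4616 initial response: [authzid] NUL authcid NUL password, UTF-8."""
    for field in (authzid, authcid, password):
        if "\x00" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    return "\x00".join((authzid, authcid, password)).encode("utf-8")


def decode_plain(data: bytes) -> PlainCreds:
    """Parse the bytes the broker logged as SASL-INIT(PLAIN, \\x00jgd\\x00donner)."""
    parts = data.decode("utf-8").split("\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN message must have exactly three NUL-separated fields")
    authzid, authcid, password = parts
    if not authcid or not password:
        raise ValueError("authcid and password must be non-empty")
    return PlainCreds(authzid, authcid, password)


def qualify(user: str, realm: str = DEFAULT_REALM) -> str:
    """Append the default realm when the client gave none (jgd -> jgd@QPID in the log)."""
    return user if "@" in user else f"{user}@{realm}"


def check_plain(data: bytes, db: dict[str, str] = SASLDB,
                realm: str = DEFAULT_REALM) -> tuple[bool, str]:
    """Model of pwcheck_method: auxprop over a sasldb-style table.

    Returns (ok, detail). An unknown user and a wrong password give the same
    answer, and the comparison is constant-time, so the check does not leak
    which of the two it was.
    """
    try:
        creds = decode_plain(data)
    except ValueError as exc:
        return False, f"malformed PLAIN message: {exc}"
    user = qualify(creds.authcid, realm)
    if creds.authzid and qualify(creds.authzid, realm) != user:
        return False, "authzid differs from authcid"  # no proxy authorization in this model
    stored = db.get(user, "")
    if not stored or not hmac.compare_digest(stored.encode(), creds.password.encode()):
        return False, f"Password verification failed for {user}"
    return True, user


def check_external(requested: str, authenticated: str) -> tuple[bool, str]:
    """EXTERNAL: the identity is whatever the TLS client certificate established
    (auth=test_client in the log). A non-empty requested identity must match it;
    a different one is the failure the broker logged."""
    if not authenticated:
        return False, "no external identity (TLS client authentication did not happen)"
    if requested and requested != authenticated:
        return False, "Requested identity not authenticated identity"
    return True, authenticated


if __name__ == "__main__":
    # The Proton client's message from the log, then the qpid-config EXTERNAL attempt.
    print(decode_plain(b"\x00jgd\x00donner"))
    print(check_plain(b"\x00jgd\x00donner"))
    print(check_plain(b"\x00jgd\x00wrong"))
    print(check_external("jgd@QPID", "test_client"))
    print(check_external("", "test_client"))
```

Two things the model makes visible: the PLAIN initial response carries the password as cleartext bytes, which is why the Proton client above has to opt in with allow_insecure_mechs(true) on the port-5672 connection; and under EXTERNAL the name in the URL is only a requested authorization identity, so a URL user of jgd cannot succeed against a certificate that authenticates as test_client.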

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org

