[rabbitmq-discuss] Authenticating users via SSPI

Mark Steele msteele at beringmedia.com
Fri Jul 16 18:08:32 BST 2010


Personally I feel using PKI is a much better solution than any proprietary
Windows protocol. I would also guess that the majority of users using rabbit
are using it in unix environments at this point.

The certificate based authentication works like a charm, just need to update
it to support the full gamut of PKI functionality. From a security
standpoint, it's much better to encrypt the communication channel.

Mark Steele
Director of development
Bering Media Inc.
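Added example (not code from this thread, from RabbitMQ or from Erlang's ssl application) illustrating the gap Mark raises in his quoted reply further down: peer certificate verification proves that the client certificate chains to the trusted CA, and a TLS stack without CRL support keeps accepting that certificate after the CA has revoked it. Go's standard library is used because it can build a throwaway CA, client certificate and CRL entirely in memory; the CA name, the user "alice", serial 42 and the `authenticate` function are constructed stand-ins for the broker's decision, not RabbitMQ's code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoPKI is a constructed in-memory PKI; nothing here is RabbitMQ's or Erlang's code.
type demoPKI struct {
	ca, client *x509.Certificate
	crlDER     []byte
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildPKI issues a certificate for the constructed user "alice" and a CRL that either lists it or is empty.
func buildPKI(revokeClient bool) *demoPKI {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Rabbit CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // cRLSign is needed to issue CRLs
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	clientKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "alice"}, // CN is what a broker maps to a user
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	client := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, clientTmpl, ca, &clientKey.PublicKey, caKey))))
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
	}
	if revokeClient {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{
			{SerialNumber: client.SerialNumber, RevocationTime: now.Add(-time.Minute)},
		}
	}
	crlDER := must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))
	return &demoPKI{ca: ca, client: client, crlDER: crlDER}
}

// isRevoked is the step the thread says Erlang's new_ssl did not perform: parse the
// CRL, confirm our CA signed it and it is current, then look up the serial. Doubt fails closed.
func isRevoked(pki *demoPKI, at time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(pki.crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(pki.ca); err != nil {
		return false, fmt.Errorf("CRL signature check failed: %w", err)
	}
	if at.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL is stale (nextUpdate %s); no fresh revocation data", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(pki.client.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// authenticate models the broker's decision. The chain check is what TLS peer verification
// does; with checkCRL=false that is all that happens, so a revoked certificate is still accepted.
func authenticate(pki *demoPKI, checkCRL bool) (bool, error) {
	roots := x509.NewCertPool()
	roots.AddCert(pki.ca)
	_, err := pki.client.Verify(x509.VerifyOptions{
		Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil || !checkCRL {
		return err == nil, nil
	}
	revoked, err := isRevoked(pki, time.Now())
	return err == nil && !revoked, err
}

func main() {
	pki := buildPKI(true) // alice's certificate has been revoked by the CA
	noCRL, _ := authenticate(pki, false)
	withCRL, _ := authenticate(pki, true)
	fmt.Printf("revoked cert accepted: without CRL check=%v, with CRL check=%v\n", noCRL, withCRL)
}
```

The two `authenticate` calls differ only in whether `isRevoked` is consulted; the first one is the behaviour of a stack that verifies the chain and nothing more. The stale-CRL branch is the caveat worth keeping: a CRL past its `NextUpdate` proves nothing about the current state, so the check refuses rather than silently passing, which is also why the freshness of revocation data (CRL distribution or OCSP, as the thread mentions) has to be part of the design and not an afterthought.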



On Fri, Jul 16, 2010 at 10:05 AM, Dan Wise <Dan.Wise at ignisasset.com> wrote:

> Yes, this confirms the issue I was worrying about.
>
> I think it would be very valuable to add NTLM authentication to Rabbit on
> Windows, so that only a username could be supplied on the client and the
> authentication verified on the server, without the need to pass clear-text
> passwords or per-user SSL certificates. This would really enhance the
> commercial attractiveness of Rabbit.
>
> Anyone want to take up the challenge?
>
> Dan.
>
> *From:* Mark Steele [mailto:msteele at beringmedia.com]
> *Sent:* 16 July 2010 13:44
>
> *To:* Dan Wise
> *Cc:* rabbitmq-discuss at lists.rabbitmq.com
> *Subject:* Re: [rabbitmq-discuss] Authenticating users via SSPI
>
> Really depends on what your needs are.
>
> You could have one cert per user, and use the same authentication
> information in your rabbit cloud for all users. I just noticed however that
> the erlang new_ssl implementation does not support CRLs, so you won't be
> able to revoke a certificate and have that reflected by an authentication
> failure on the rabbit server.
>
> Wonder what the odds of adding CRL or OCSP support to rabbit are....There
> was a thread about this in 2009:
> http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/2009-July/004189.html
>
> Both these functionalities are pretty trivial to implement using the
> openssl library.
>
> So I guess my original suggestion doesn't fly as a good solution, sorry!
>
> Cheers,
>
> Mark Steele
> Director of development
> Bering Media Inc.
>
> On Thu, Jul 15, 2010 at 6:33 PM, Dan Wise <Dan.Wise at ignisasset.com>
> wrote:
>
> Would I need a separate certificate for each user? Does peer certificate
> verification bypass normal username and password checking?
>
> Dan.
>
> *From:* Mark Steele [mailto:msteele at beringmedia.com]
> *Sent:* 15 July 2010 14:52
> *To:* Dan Wise
> *Cc:* rabbitmq-discuss at lists.rabbitmq.com
> *Subject:* Re: [rabbitmq-discuss] Authenticating users via SSPI
>
> You could use PKI and store the certificates in LDAP. Have your app use the
> current credentials of the user to grab the certificate and connect to
> rabbit over SSL with peer certificate verification enabled.
>
> Mark Steele
> Director of development
> Bering Media Inc.
>
> On Thu, Jul 15, 2010 at 5:53 AM, Dan Wise <Dan.Wise at ignisasset.com>
> wrote:
>
> Hi,
>
> We have a number of Windows users who want to use our rabbitmq messaging.
> However we need to ensure that we authenticate them without them having to
> enter their Windows passwords and syncing with the rabbitmq user passwords.
>
> Has anyone looked at a mechanism for using SSPI authentication to allow
> clients to connect? This is surely a common challenge, particularly in an
> organisation where there are large numbers of users and the job of providing
> and maintaining separate passwords for different systems is huge.
>
> Thanks,
>
> *Dan Wise*