[rabbitmq-discuss] Problems with rabbitmq-auth-mechanism-ssl

[Jiri Krutil]

>> The management plugin displays a "Can log in with password" flag for users.
>>
>> How do I disable the possibility to log in with password? I want to
>> force the users to use SSL cert-based authentication (SASL EXTERNAL).
>
> If only EXTERNAL is available server-wide, then no user can log in  
> with a password, you need PLAIN to do that. That flag is for if you  
> want to prevent only certain users from logging in with a password.  
> Essentially if it's not set it means the user has no password.
>
> You can set this by using the "Add / update a user" form on the  
> Users listing page. Enter the name of an existing user to set the  
> password and administrator status for that user (yes, this could be  
> clearer...)

We have a backend connecting to the broker using a non-encrypted TCP  
connection and PLAIN authentication. The backend uses a dedicated  
broker user account with full AMQP permissions.

We also have one admin account that is used for the management plugin API.

We then have customers connecting from public Internet that should be  
forced to use SSL with SASL EXTERNAL authentication. Each customer has  
its own broker account with limited AMQP permissions.

The firewall is set up to open only the SSL port to the public. That  
means no customer may connect using TCP without SSL.

The question is how do I make sure that the customers won't connect  
using SSL with PLAIN authentication. (Currently we set up customer  
accounts manually using rabbitmqctl, but we are planning to automate  
this using the management plugin API.)

I would like to have the password authentication disabled for new  
users by default. The only users than may login with a password are  
the backend and admin users.

Any hints?

Cheers
Jiri