[rabbitmq-discuss] Separate authorization mechanisms for SSL and non-SSL?

michi.oshima moshima at advent.com
Wed Nov 28 05:42:05 GMT 2012


Hi Simon,


Simon MacMullen-2 wrote
> And if you do, 
> you can make sure the users connecting via SSL do not have passwords 
> set; then they won't be able to log in with PLAIN.

Yes, the above works for me.  Thank you!

I needed to google a bit to figure out how not to have password set for a
user.  It turns out there is an option in rabbitmqctl to do just that:

rabbitmqctl clear_password {username}

I'm posting the above because I made the mistake of setting the password to an
empty string (''), which doesn't have the desired effect.


Simon MacMullen-2 wrote
> And if an SSL client selects PLAIN, do you really mind? 

I'm thinking I do.  If an "attacker" can select PLAIN, then the attacker
would only have to guess the correct password to gain access to the server,
which is easier than faking a certificate.  (Or so I heard...   Does it just
depend on the length of the password?)




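An added example (not part of the post or of RabbitMQ itself) that illustrates the distinction above: a password of '' is still hashed and therefore still usable for PLAIN login, while a cleared password leaves no hash at all. It assumes RabbitMQ's documented SHA-256 password scheme (base64 of a 4-byte salt followed by SHA-256(salt || password)) and the "users" section of a definitions export, where a cleared user carries an empty "password_hash"; the sample export is constructed, as is the audit helper.

```python
import base64
import hashlib
import json
import os


def rabbit_password_hash(password: str, salt: bytes = None) -> str:
    """Compute a RabbitMQ-style password hash: base64(salt || SHA-256(salt || password)).

    A 4-byte random salt is used unless one is supplied (fixed salts only for tests).
    Note that even the empty password yields a non-empty hash, which is why
    `change_password user ''` does not disable PLAIN login.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt + digest).decode("ascii")


# Constructed sample of the "users" section of a definitions export (assumed format).
# "ssl-app" was cleared with `rabbitmqctl clear_password`; "ssl-bad" was given the
# password '' by mistake; "plain-app" is a normal password user.
SAMPLE_DEFINITIONS = json.dumps({
    "users": [
        {"name": "ssl-app", "password_hash": "",
         "hashing_algorithm": "rabbit_password_hashing_sha256", "tags": ""},
        {"name": "ssl-bad", "password_hash": rabbit_password_hash("", b"\x00\x01\x02\x03"),
         "hashing_algorithm": "rabbit_password_hashing_sha256", "tags": ""},
        {"name": "plain-app", "password_hash": rabbit_password_hash("s3cret", b"\x04\x05\x06\x07"),
         "hashing_algorithm": "rabbit_password_hashing_sha256", "tags": "monitoring"},
    ]
})


def users_with_password(definitions_json: str, cert_only_users) -> list:
    """Return the names of intended certificate-only users that still have a password hash.

    Any name returned here can still authenticate with PLAIN and should be fixed
    with `rabbitmqctl clear_password <name>`.
    """
    defs = json.loads(definitions_json)
    cert_only = set(cert_only_users)
    return sorted(
        user["name"]
        for user in defs.get("users", [])
        if user.get("name") in cert_only and user.get("password_hash", "") != ""
    )


if __name__ == "__main__":
    print(users_with_password(SAMPLE_DEFINITIONS, {"ssl-app", "ssl-bad"}))  # ['ssl-bad']
```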

