On 07/29/15 14:51 -0400, Brian Bouterse wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I've been doing some development on Kombu [0] which uses SASL to authenticate against a Qpid message bus. In one specific case, when Kombu makes a Qpid client connection it calls establish(username='guest', password=''). establish() is part of the Qpid client library [1]. In Python '' is an empty string, which is different than None, the reserved keyword for empty (null).

At some point as establish calls into qpid.messaging -> python-saslwrapper -> cyrus-sasl-lib/plain we are being prompted for a password even though we specify password=''.

Is password='' an invalid value in the SASL PLAIN protocol, or is this just a bug in these libraries that should be fixed?

We are running these sasl libraries:

cyrus-sasl-2.1.26-17.el7.x86_64
cyrus-sasl-md5-2.1.26-17.el7.x86_64
saslwrapper-0.22-5.el7sat.x86_64
cyrus-sasl-plain-2.1.26-17.el7.x86_64
cyrus-sasl-lib-2.1.26-17.el7.x86_64
python-saslwrapper-0.22-5.el7sat.x86_64

I can provide more info if that is helpful. I know this is a silly thing to use SASL with an empty password but users are doing it and it halts the process while waiting for input from a daemon process.

Thanks in advance.
Per RFC 4616 (SASL PLAIN), the password must be at least 1 non-null UTF-8 character.

Presumably libsasl will continue to trigger a SASL_INTERACT while there is no recognized password. You're responsible for performing any necessary error checking within your (Kombu's) code prior to that point. See:

http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/programming.php#callbacks_interactions

--
Dan White
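An added example, not part of either message and not code from Kombu, Qpid or Cyrus SASL: a pre-flight check of the kind the reply describes, rejecting credentials that cannot form an RFC 4616 PLAIN message (`[authzid] NUL authcid NUL passwd`, with `authcid` and `passwd` each at least one non-NUL UTF-8 character) before any SASL library is called, so a daemon fails fast instead of blocking on a prompt. The names `PlainCredentialError`, `build_plain_message` and `parse_plain_message` are hypothetical.

```python
class PlainCredentialError(ValueError):
    """Credentials cannot be encoded as an RFC 4616 PLAIN message."""


def _safe(field, value, optional=False):
    # RFC 4616 ABNF: authzid, authcid and passwd are each 1*SAFE, where SAFE
    # is any UTF-8 character except NUL. Only authzid may be left out.
    if value is None or value == "":
        if optional:
            return b""
        raise PlainCredentialError(f"{field} must be at least one character")
    try:
        raw = value.encode("utf-8")
    except UnicodeEncodeError as exc:
        raise PlainCredentialError(f"{field} is not valid UTF-8") from exc
    if b"\x00" in raw:
        # NUL is the field separator; allowing it would shift the fields.
        raise PlainCredentialError(f"{field} must not contain NUL")
    return raw


def build_plain_message(authcid, passwd, authzid=None):
    """Client side: return the PLAIN message bytes or raise before connecting."""
    return b"\x00".join([
        _safe("authzid", authzid, optional=True),
        _safe("authcid", authcid),
        _safe("passwd", passwd),
    ])


def parse_plain_message(message):
    """Server-side view: split a PLAIN message and apply the same rules."""
    parts = message.split(b"\x00")
    if len(parts) != 3:
        raise PlainCredentialError("expected [authzid] NUL authcid NUL passwd")
    authzid, authcid, passwd = parts
    if not authcid or not passwd:
        raise PlainCredentialError("authcid and passwd must be non-empty")
    return authzid.decode("utf-8"), authcid.decode("utf-8"), passwd.decode("utf-8")


if __name__ == "__main__":
    # Constructed sample inputs: '' and None are both rejected up front.
    for pw in ("secret", "", None):
        try:
            print(repr(pw), "->", build_plain_message("guest", pw))
        except PlainCredentialError as err:
            print(repr(pw), "-> rejected:", err)
```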