forked from External/ergo
1. Fix auth bypass in the default configuration with the addition of
   server.password (the REGISTER command was allowed before connection
   registration, allowing unauthenticated users to REGISTER and then
   take advantage of skip-server-password)
2. Caution operators against the use of require-sasl without disabling
   user-initiated account registration. (Such a configuration is still valid
   in the case of a public server that requires everyone to register.)
Shivaram Lingamneni 2021-04-25 19:22:08 -04:00
parent 7481bf0385
commit 97ba1c3d63
5 changed files with 38 additions and 13 deletions
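The two points in the commit message describe the same mechanism from two sides: an in-band REGISTER that is honoured before the connection has proved anything, followed by SASL, lets a client satisfy a check (server.password via skip-server-password, or require-sasl) that was meant to keep strangers out. The following Go program is an added illustration of that sequence and is not ergo's code: the Config, Conn and Server types, the account map and the "fixed" switch are this example's own model, and the post-fix rule it applies (refuse REGISTER before connection registration when a server password is configured and has not been supplied) is a reading of the commit message, not the project's actual implementation.

```go
package main

import (
	"errors"
	"fmt"
)

// Config holds the settings the commit message names. The struct and field
// names are this example's own, not ergo's configuration types.
type Config struct {
	ServerPassword      string // server.password; "" means no server password
	SkipServerPassword  bool   // accounts.skip-server-password
	RequireSASL         bool   // accounts.require-sasl.enabled
	RegistrationEnabled bool   // accounts.registration.enabled
}

// Conn is the pre-registration state of one client connection.
type Conn struct {
	passOK     bool // PASS matched server.password
	loggedIn   bool // authenticated to an account via SASL
	registered bool // connection registration (NICK/USER) completed
}

// Server is a toy model of the relevant command handling; accounts is an
// in-memory map constructed for this example.
type Server struct {
	cfg      Config
	accounts map[string]string // account name -> password
	fixed    bool              // apply the post-commit REGISTER rule
}

var (
	errBadLogin  = errors.New("no such account or wrong password")
	errPassword  = errors.New("server password required")
	errSASL      = errors.New("SASL authentication required")
	errRegClosed = errors.New("account registration is disabled")
	errPreReg    = errors.New("REGISTER refused before connection registration")
)

func newServer(cfg Config, fixed bool) *Server {
	return &Server{cfg: cfg, accounts: map[string]string{}, fixed: fixed}
}

// Pass models the PASS command.
func (s *Server) Pass(c *Conn, pw string) {
	if s.cfg.ServerPassword != "" && pw == s.cfg.ServerPassword {
		c.passOK = true
	}
}

// Register models in-band account registration. Pre-fix it was accepted from
// any connection; the post-fix rule modelled here refuses it before connection
// registration when a server password is set and the client has not sent it.
func (s *Server) Register(c *Conn, account, pw string) error {
	if !s.cfg.RegistrationEnabled {
		return errRegClosed
	}
	if s.fixed && !c.registered && s.cfg.ServerPassword != "" && !c.passOK {
		return errPreReg
	}
	s.accounts[account] = pw
	return nil
}

// Authenticate models SASL PLAIN against the in-memory account store.
func (s *Server) Authenticate(c *Conn, account, pw string) error {
	if stored, ok := s.accounts[account]; !ok || stored != pw {
		return errBadLogin
	}
	c.loggedIn = true
	return nil
}

// CompleteRegistration is the NICK/USER step at which the server decides
// whether the connection may stay.
func (s *Server) CompleteRegistration(c *Conn) error {
	if s.cfg.ServerPassword != "" && !c.passOK && !(s.cfg.SkipServerPassword && c.loggedIn) {
		return errPassword
	}
	if s.cfg.RequireSASL && !c.loggedIn {
		return errSASL
	}
	c.registered = true
	return nil
}

// bypassAttempt runs the sequence from point 1 of the commit message without
// ever sending PASS: REGISTER, then SASL, then finish connection registration.
func bypassAttempt(fixed bool) error {
	s := newServer(Config{ServerPassword: "hunter2", SkipServerPassword: true, RegistrationEnabled: true}, fixed)
	c := &Conn{}
	if err := s.Register(c, "intruder", "pw"); err != nil {
		return err
	}
	if err := s.Authenticate(c, "intruder", "pw"); err != nil {
		return err
	}
	return s.CompleteRegistration(c)
}

// requireSASLAttempt is point 2: require-sasl with no server password. While
// registration stays enabled, any stranger can mint an account and satisfy it.
func requireSASLAttempt(registrationEnabled bool) error {
	s := newServer(Config{RequireSASL: true, RegistrationEnabled: registrationEnabled}, true)
	c := &Conn{}
	if err := s.Register(c, "stranger", "pw"); err != nil {
		return err
	}
	if err := s.Authenticate(c, "stranger", "pw"); err != nil {
		return err
	}
	return s.CompleteRegistration(c)
}

func main() {
	fmt.Println("pre-fix, no PASS:", bypassAttempt(false))
	fmt.Println("post-fix, no PASS:", bypassAttempt(true))
	fmt.Println("require-sasl, registration open:", requireSASLAttempt(true))
	fmt.Println("require-sasl, registration closed:", requireSASLAttempt(false))
}
```

Note that requireSASLAttempt(true) succeeding is not a bug in the model: it is exactly the configuration the commit message calls valid for a public server that wants everyone to have an account, and a hole only on a server that meant require-sasl to exclude outsiders.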
@ -433,7 +433,10 @@ accounts:
# require-sasl controls whether clients are required to have accounts
# (and sign into them using SASL) to connect to the server
require-sasl:
# if this is enabled, all clients must authenticate with SASL while connecting
# if this is enabled, all clients must authenticate with SASL while connecting.
# WARNING: for a private server, you MUST set accounts.registration.enabled
# to false as well, in order to prevent non-administrators from registering
# accounts.
enabled: false
# IPs/CIDRs which are exempted from the account requirement
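Review bot: the new WARNING under require-sasl states the rule ("you MUST set accounts.registration.enabled to false as well") but not the reason or the exception, both of which the commit message gives; an operator reading only default.yaml cannot tell why a public server is allowed to keep registration on. Suggest extending the comment, e.g. "# ... in order to prevent non-administrators from registering accounts; otherwise any unauthenticated client can REGISTER an account and then satisfy this requirement. (A public server that simply wants everyone to have an account may leave registration enabled.)"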