[Gt-eos] Possible security concern with gsissh
Mischa Salle
msalle at nikhef.nl
Tue Apr 10 19:36:11 CEST 2018
Hi Dave, Jim,
the man-page for an old gsissh_config (from gsi-openssh-clients-5.3p1-11.el6)
says that the default is 'no'. In any case, Dave, you could try to set
it manually to verify that it is the cause?
GSSAPITrustDns
    Set to "yes" to indicate that the DNS is trusted to securely
    canonicalize the name of the host being connected to. If "no",
    the hostname entered on the command line will be passed
    untouched to the GSSAPI library. The default is "no". This
    option only applies to protocol version 2 connections using
    GSSAPI.
Mischa
On Tue, Apr 10, 2018 at 05:17:30PM +0000, Jim Basney wrote:
> Dave,
>
> Thanks for raising this issue. I believe it’s due to the GssapiTrustDns setting still defaulting to yes. We should change the default to no.
>
> -Jim
>
> > On Apr 10, 2018, at 12:01 PM, Dave Dykstra <dwd at fnal.gov> wrote:
> >
> > I just noticed on a host that we use gsi-openssh-server that the host
> > certificate does not include a SAN of the public DNS alias of the
> > machine (i.e. oasis-login-itb.opensciencegrid.org). Isn't that a
> > security concern? Normally clients are supposed to verify that.
> >
> > Dave
> > _______________________________________________
> > Gt-eos mailing list
> > Gt-eos at mailman.egi.eu
> > http://mailman.egi.eu/mailman/listinfo/gt-eos
--
Nikhef Room H155
Science Park 105 Tel. +31-20-592 5102
1098 XG Amsterdam Fax +31-20-592 5155
The Netherlands Email msalle at nikhef.nl
__ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
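As an added example, not part of this thread or of gsi-openssh itself: the practical pitfall with a setting like GSSAPITrustDns is that ssh_config applies the first value obtained for a keyword, so a per-host "yes" placed before a global "no" wins, and a global "no" only protects every host if it comes first. The POSIX sh script below builds two constructed client configs (hypothetical hosts login.example.org and other.example.org), one written weakly and one hardened, and resolves the effective value per host with the same first-match rule ssh uses. It handles whitespace-separated "Keyword value" lines and glob patterns on Host lines only (no "Keyword=value" form, no negated "!pattern"), so treat it as an audit helper, not a replacement for ssh -G.

```shell
#!/bin/sh
# Added example, not from the gt-eos thread: resolve the effective value of a
# keyword (here GSSAPITrustDns) for a host from an ssh_config-style file,
# using ssh's "first obtained value wins" rule.

# Constructed weak config: the per-host override sits above the global "no",
# so for login.example.org the client will still trust DNS canonicalization.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Host login.example.org
    GSSAPIAuthentication yes
    GSSAPITrustDns yes      # per-host override, hypothetical

Host *
    GSSAPIAuthentication yes
    GSSAPITrustDns no       # intended global default, but it comes too late
EOF

# Constructed hardened config: the global "no" is the first value obtained,
# so no later Host block can re-enable DNS trust.
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
Host *
    GSSAPITrustDns no       # first match wins: this cannot be overridden below

Host login.example.org
    GSSAPIAuthentication yes
    GSSAPITrustDns yes      # ignored by ssh, a later value never replaces an earlier one
EOF
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT

# Usage: effective_value CONFIG_FILE HOSTNAME KEYWORD
# Prints the first value that applies to HOSTNAME (keyword match is
# case-insensitive, as in ssh), or "unset" with exit status 1 if none does.
# The body runs in a subshell so "set -f" (no pathname expansion of "*")
# does not leak into the caller.
effective_value() (
    set -f
    cfg=$1
    host=$2
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    active=1    # lines before the first Host block apply to every host

    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}            # drop trailing comments
        set -- $line                # split into keyword and arguments
        [ $# -ge 2 ] || continue    # blank line or keyword without a value
        kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')

        if [ "$kw" = host ]; then
            # A Host line starts a new block; it applies if any pattern matches.
            active=0
            shift
            for pat in "$@"; do
                case $host in
                    $pat) active=1 ;;
                esac
            done
            continue
        fi

        if [ "$active" -eq 1 ] && [ "$kw" = "$want" ]; then
            printf '%s\n' "$2"      # first obtained value wins
            return 0
        fi
    done < "$cfg"

    printf 'unset\n'
    return 1
)

# Audit both constructed configs for the two hypothetical hosts.
for h in login.example.org other.example.org; do
    printf '%-20s weak=%-5s hardened=%s\n' "$h" \
        "$(effective_value "$WEAK_CFG" "$h" GSSAPITrustDns)" \
        "$(effective_value "$HARDENED_CFG" "$h" GSSAPITrustDns)"
done
```

On a real client, the equivalent check is ssh -G hostname, which prints the configuration ssh would actually use for that host; the script is only for reading config files offline, for example when auditing a fleet's /etc/ssh/ssh_config copies.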