[Gt-eos] gsissh trusting DNS by default instead of usual rule

Dave Dykstra dwd at fnal.gov
Mon May 13 17:19:18 CEST 2019


I would put this in a GitHub issue, except it is a security issue so I
think I should limit the distribution.

I recently noticed that gsissh (from gsi-openssh-7.4p1-2.3.osg34.el7)
does not by default enforce that the expected host name matches the host
certificate or one of its SANs as is the normal rule for https
connections.  Instead, it also accepts a DNS alias, unless one sets the
ssh config option "GSSAPITrustDNS no".  Trusting the DNS by default
seems to me to be quite a security flaw, and defeats one of the primary
purposes of X.509 verification.  Could this default be changed?

After googling around about this, I found some indication that this
might be related to a more general issue with the Globus Toolkit, but I
haven't checked any other tools.

Dave
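
As an added example (not part of the original post and not gsissh code), the Python sketch below reports the effective `GSSAPITrustDNS` value for a host from ssh_config-style text, so an explicit `no` can be confirmed per host. It assumes an unset option means DNS is trusted, as the post reports for this build; the sample config, host names and function names are constructed, and `Match` blocks are not evaluated.

```python
import fnmatch
import re
import shlex

# Assumption: an unset option behaves as "yes" (DNS trusted), per the post's
# report for gsi-openssh-7.4p1-2.3.osg34.el7.
REPORTED_DEFAULT = "yes"

SAMPLE_CONFIG = """\
# constructed sample, not from the post
Host *.grid.example.org !legacy.grid.example.org
    GSSAPIAuthentication yes
    GSSAPITrustDNS no
Host legacy.grid.example.org
    GSSAPIAuthentication yes
Host *
    ForwardAgent no
"""

def host_block_matches(patterns, host):
    """Host rule: a matching negated (!) pattern vetoes; else one positive match is needed."""
    matched = False
    for pat in patterns:
        if fnmatch.fnmatchcase(host.lower(), pat.lstrip("!").lower()):
            if pat.startswith("!"):
                return False
            matched = True
    return matched

def effective_trust_dns(config_text, host):
    """Return (value, explicitly_set); ssh_config uses the first value obtained."""
    active = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        # Accept "Keyword value" and "Keyword=value"; comments and blanks do not match.
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)", raw.strip())
        if not m:
            continue
        keyword, rest = m.group(1).lower(), m.group(2)
        if keyword == "host":
            active = host_block_matches(shlex.split(rest), host)
        elif keyword == "match":
            active = False  # Match criteria are not evaluated in this sketch
        elif keyword == "gssapitrustdns" and active:
            values = shlex.split(rest)
            if values:
                return values[0].lower(), True
    return REPORTED_DEFAULT, False

if __name__ == "__main__":
    for h in ("login.grid.example.org", "legacy.grid.example.org"):
        print(h, effective_trust_dns(SAMPLE_CONFIG, h))
```

Hosts reported as `('yes', False)` have no explicit setting and therefore rely on the build's default.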