[Gt-eos] gsissh trusting DNS by default instead of usual rule

Mischa Salle msalle at nikhef.nl
Tue May 14 12:41:05 CEST 2019 

Hi Dave,

On Mon, May 13, 2019 at 03:19:18PM +0000, End of Support of Globus Toolkit wrote:
> I would put this in a github issue, except it is a security issue so I
> think I should limit the distribution.
actually this list is also publicly archived, but I think it's probably
ok for now since the risk is low.

> I recently noticed that gsissh (from gsi-openssh-7.4p1-2.3.osg34.el7)
> does not by default enforce that the expected host name matches the host
> certificate or one of its SANs as is the normal rule for https
> connections.  Instead, it also accepts a DNS alias, unless one sets the
> ssh config option "GSSAPITrustDNS no".  Trusting the DNS by default
> seems to me to be quite a security flaw, and defeats one of the primary
> purposes of X.509 verification.  Could this default be changed?
There seem to be to separate issues here. First of all, according to man
7 ssh_config:
     GSSAPITrustDns
	 Set to “yes to indicate that the DNS is trusted to securely
	 canonicalize” the name of the host being connected to. If “no,
	 the hostname entered on the” command line will be passed
	 untouched to the GSS- API library.  The default is “no”.
so if I understand correctly the current default setting for gsi-openssh
would be to skip hostname verification altogether, so no gridcf-based
library would be involved. I agree I'm puzzled why this is the default
setting?
The second point relates to the globus libraries themselves, further
below.

> After googling around about this, I found some indication that this
> might be related to a more general issue with the Globus Toolkit, but I
> haven't checked any other tools.
I think this has been changed a few years ago, see also
https://docs.globus.org/security/security-bulletins/2015-12-strict-mode/

I think probably the default needs changing back to 'no' and then it
hopefully 'just works'.

Best wishes,
Mischa

-- 
Nikhef                      Room  H155
Science Park 105            Tel.  +31-20-592 5102
1098 XG Amsterdam           Fax   +31-20-592 5155
The Netherlands             Email msalle at nikhef.nl
  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4521 bytes
Desc: not available
URL: <http://mailman.egi.eu/pipermail/discuss/attachments/20190514/9ece7e00/attachment.p7s>

More information about the discuss mailing list