[Gt-eos] gsissh trusting DNS by default instead of usual rule

Dave Dykstra dwd at fnal.gov
Thu May 16 01:17:01 CEST 2019 

On Tue, May 14, 2019 at 12:41:05PM +0200, Mischa Salle wrote:
> On Mon, May 13, 2019 at 03:19:18PM +0000, End of Support of Globus Toolkit wrote:
...
> > I recently noticed that gsissh (from gsi-openssh-7.4p1-2.3.osg34.el7)
> > does not by default enforce that the expected host name matches the host
> > certificate or one of its SANs as is the normal rule for https
> > connections.  Instead, it also accepts a DNS alias, unless one sets the
> > ssh config option "GSSAPITrustDNS no".  Trusting the DNS by default
> > seems to me to be quite a security flaw, and defeats one of the primary
> > purposes of X.509 verification.  Could this default be changed?
> There seem to be two separate issues here. First of all, according to man
> 7 ssh_config:
>      GSSAPITrustDns
> 	 Set to "yes" to indicate that the DNS is trusted to securely
> 	 canonicalize the name of the host being connected to. If "no",
> 	 the hostname entered on the command line will be passed
> 	 untouched to the GSS- API library.  The default is "no".
> so if I understand correctly the current default setting for gsi-openssh
> would be to skip hostname verification altogether, so no gridcf-based
> library would be involved. I agree I'm puzzled why this is the default
> setting?

The man page may say the default is no, but apparently the default is
actually yes.  In fact the comment in /etc/gsissh/ssh_config showing
the default values says
	#   GSSAPITrustDNS yes

Actually even when set to "yes" it does verify that the host certificate
name (or SAN) matches the DNS alias, so it doesn't completely skip
hostname verification.  But it's not worth a whole lot since the DNS
isn't secured.

> The second point relates to the globus libraries themselves, further
> below.
> 
> > After googling around about this, I found some indication that this
> > might be related to a more general issue with the Globus Toolkit, but I
> > haven't checked any other tools.
> I think this has been changed a few years ago, see also
> https://docs.globus.org/security/security-bulletins/2015-12-strict-mode/

Yes I think that's what I was thinking about.  At a rough reading it
seems to apply, but as I recall when globus turned this on everybody
just had to make sure that the host name was not only listed in the
Common Name but was also in the Subject Alternative Name.  I don't think
that even the behavior prior to strict mode allowed using DNS aliases
the way GSSAPITrustDNS does.

> I think probably the default needs changing back to 'no' and then it
> hopefully 'just works'.

Yes I think so.

Dave

More information about the discuss mailing list