[Gt-eos] gsissh trusting DNS by default instead of usual rule
Dave Dykstra
dwd at fnal.gov
Thu May 16 18:35:50 CEST 2019
On Thu, May 16, 2019 at 09:25:20AM -0500, Dave Dykstra wrote:
> On Thu, May 16, 2019 at 11:31:56AM +0200, Mischa Salle wrote:
...
> I see, you're right. It's surprising then that the standard ssh_config
> even mentions GSSAPITrustDNS. If standard ssh supports the GSSAPI
> stuff, why do we need gsissh?
Oh right, standard ssh supports GSSAPI only for Kerberos. In fact the
latest standard openssh version (at least 8.0p1) does not have
GSSAPITrustDNS.
> > > Actually even when set to "yes" it does verify that the host certificate
> > > name (or SAN) matches the DNS alias, so it doesn't completely skip
> > > hostname verification. But it's not worth a whole lot since the DNS
> > > isn't secured.
> >
> > Just to make clear, you mean it uses something like the old-style (and
> > insecure) globus behaviour:
> > - user requests host X
> > - server resolves X to IP Y
> > - server reverse resolves Y to Z
> > - server checks Z appears in the hostcert (for Globus that always had to
> > be the CN field, here it seems it could also be SANs)
> > while the proper check is to verify that X already appears in the
> > hostcert.
>
> I guess that's what it could be doing. I think though that what it's
> actually doing, based on the man page description, is simply looking up
> the CNAME in the DNS and passing that to the globus library instead of
> the original name. It says that if the option is "no" it is passed
> "untouched", so I think that implies that if the option is "yes", it is
> passed "touched" based on the CNAME that the DNS stores to "canonicalize"
> the name.
No, you're right, it does do a reverse DNS name lookup. Here's the
function that implements it:
https://src.fedoraproject.org/rpms/gsi-openssh/blob/master/f/openssh-8.0p1-gssapi-keyex.patch#_290
Dave
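
The difference between the two checks discussed in this thread, as an added example that is not part of the original message and is not gsissh code: DNS is modelled with constructed lookup tables, and every host name, address and function name below is an assumption made for illustration.

```python
# Added illustration: DNS is modelled with constructed tables, no real lookups.

def in_cert(name, cert_names):
    """Exact, case-insensitive match against the hostcert CN/SAN names
    (wildcard matching is left out to keep the comparison simple)."""
    return name.lower() in {n.lower() for n in cert_names}

def check_requested_name(requested, cert_names):
    """Proper check: the name X the user asked for must be in the hostcert."""
    return in_cert(requested, cert_names)

def check_trusting_dns(requested, cert_names, forward, reverse):
    """Old-style check: X -> address Y -> reverse name Z, then Z must be in
    the hostcert. Both lookups are unauthenticated DNS answers."""
    address = forward.get(requested.lower())
    canonical = reverse.get(address) if address else None
    return canonical is not None and in_cert(canonical, cert_names)

def compare(requested, cert_names, forward, reverse):
    """Return (proper_check, dns_trusting_check) for one connection."""
    return (check_requested_name(requested, cert_names),
            check_trusting_dns(requested, cert_names, forward, reverse))

# Constructed sample data (RFC 5737 documentation addresses).
HONEST_FWD = {"login.example.org": "192.0.2.10"}
HONEST_REV = {"192.0.2.10": "node1.example.org"}
# Same alias, but the DNS answers have been altered to point elsewhere.
ALTERED_FWD = {"login.example.org": "198.51.100.7"}
ALTERED_REV = {"198.51.100.7": "other.example.net"}

if __name__ == "__main__":
    cases = [
        ("alias, honest DNS", ["node1.example.org"], HONEST_FWD, HONEST_REV),
        ("alias, altered DNS", ["other.example.net"], ALTERED_FWD, ALTERED_REV),
        ("alias listed as SAN", ["node1.example.org", "login.example.org"],
         ALTERED_FWD, ALTERED_REV),
    ]
    for label, cert, fwd, rev in cases:
        proper, trusting = compare("login.example.org", cert, fwd, rev)
        print(f"{label:22} proper={proper!s:5} trusting_dns={trusting}")
```

In the second case the certificate is valid for other.example.net, yet the DNS-trusting check accepts it for a connection the user addressed to login.example.org; the proper check gives the same answer whatever the DNS returns.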