[Gt-eos] gsissh trusting DNS by default instead of usual rule

Mischa Salle msalle at nikhef.nl
Sun May 19 14:02:35 CEST 2019


On Thu, May 16, 2019 at 04:35:50PM +0000, Dave Dykstra wrote:
> On Thu, May 16, 2019 at 09:25:20AM -0500, Dave Dykstra wrote:
> > On Thu, May 16, 2019 at 11:31:56AM +0200, Mischa Salle wrote:
> ...
> > I see, you're right.  It's surprising then that the standard ssh_config
> > even mentions GSSAPITrustDNS.  If standard ssh supports the GSSAPI
> > stuff, why do we need gsissh?
> 
> Oh right, standard ssh supports GSSAPI only for Kerberos.  In fact the
> latest standard openssh version (at least 8.0p1) does not have
> GSSAPITrustDNS.
> 
> > > > Actually even when set to "yes" it does verify that the host certificate
> > > > name (or SAN) matches the DNS alias, so it doesn't completely skip
> > > > hostname verification.  But it's not worth a whole lot since the DNS
> > > > isn't secured.
> > > 
> > > Just to make clear, you mean it uses something like the old-style (and
> > > insecure) globus behaviour:
> > > - user requests host X
> > > - server resolves X to IP Y
> > > - server reverse resolves Y to Z
> > > - server checks Z appears in the hostcert (for Globus that always had to
> > >   be the CN field, here it seems it could also be SANs)
> > > while the proper check is to verify that X already appears in the
> > > hostcert.
> > 
> > I guess that's what it could be doing.  I think though that what it's
> > actually doing, based on the man page description, is simply looking up
> > the CNAME in the DNS and passing that to the globus library instead of
> > the original name.   It says that if the option is "no" it is passed
> > "untouched", so I think that implies that if the option is "yes", it is
> > passed "touched" based on the CNAME that the DNS stores to "canonicalize"
> > the name.
> 
> No, you're right, it does do a reverse DNS name lookup.  Here's the
> function that implements it:
>     https://src.fedoraproject.org/rpms/gsi-openssh/blob/master/f/openssh-8.0p1-gssapi-keyex.patch#_290
Indeed, but notice that that just moves the same code/function from
auth.c:
    https://src.fedoraproject.org/rpms/gsi-openssh/blob/master/f/openssh-8.0p1-gssapi-keyex.patch#_24
and that means it comes directly from upstream openssh. And indeed:
    https://github.com/openssh/openssh-portable/blob/master/auth.c#L726
(or likewise in
https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
as used by gsi-openssh.spec)

In any case, I suggest you open an issue at
https://github.com/gridcf/gct to request the default GSSAPITrustDns to
be set to 'no' as is the case for upstream and then it will use the gct
libs code which should now be ok with SANs.
You could leave out the details or just refer to earlier discussions.
I think this is probably the fastest way at this point in time to fix
it.

Best wishes,
Mischa

-- 
Nikhef                      Room  H155
Science Park 105            Tel.  +31-20-592 5102
1098 XG Amsterdam           Fax   +31-20-592 5155
The Netherlands             Email msalle at nikhef.nl
  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..
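The two checks contrasted in the quoted part of this message (verify the name the user requested against the host certificate, versus resolve it forward, reverse-resolve the address and verify the PTR name), modelled in Python as an added example that is not part of this thread, of gsi-openssh or of the Globus libraries. The DNS tables, hostnames, addresses and certificate names are constructed, and the wildcard rule is the usual single leftmost-label one, which is an assumption rather than anything the patch is known to implement.

```python
"""Model of the two hostname checks discussed in the gsissh/GSSAPITrustDns thread.

Constructed example: the DNS tables below stand in for the resolver answers the
client would see; nothing here talks to a real network.
"""
from typing import Dict, Iterable

# Constructed forward (A) and reverse (PTR) records for a legitimate alias:
# alias.example.org is a CNAME-style alias of login.example.org.
FORWARD_DNS: Dict[str, str] = {
    "login.example.org": "192.0.2.10",
    "alias.example.org": "192.0.2.10",
}
REVERSE_DNS: Dict[str, str] = {
    "192.0.2.10": "login.example.org",
}


def cert_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (CN or dNSName SAN) against a hostname.

    Exact, case-insensitive match, or a single leftmost wildcard label
    ('*.example.org') that must cover exactly one label and never the apex.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".example.org"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]           # the label the '*' must cover
    return bool(left) and "." not in left and "*" not in left


def proper_check(requested: str, cert_names: Iterable[str]) -> bool:
    """Proper check: the name the user asked for must appear in the cert."""
    return any(cert_name_matches(p, requested) for p in cert_names)


def reverse_dns_check(requested: str, cert_names: Iterable[str],
                      forward: Dict[str, str] = FORWARD_DNS,
                      reverse: Dict[str, str] = REVERSE_DNS) -> bool:
    """Reverse-DNS canonicalisation, the behaviour attributed to TrustDns=yes.

    Resolves requested -> address -> PTR name and verifies the PTR name
    instead of the requested one. With unsigned DNS the PTR answer is only
    as trustworthy as the resolver path, so the check confirms no more than
    what the resolver said.
    """
    address = forward.get(requested)
    if address is None:
        return False
    canonical = reverse.get(address)
    if canonical is None:
        return False
    return any(cert_name_matches(p, canonical) for p in cert_names)


def both_checks(requested: str, cert_names: Iterable[str],
                forward: Dict[str, str] = FORWARD_DNS,
                reverse: Dict[str, str] = REVERSE_DNS) -> Dict[str, bool]:
    """Run both checks on the same input so the outcomes can be compared."""
    names = list(cert_names)
    return {
        "proper": proper_check(requested, names),
        "reverse_dns": reverse_dns_check(requested, names, forward, reverse),
    }


# Constructed failure scenario: unsigned DNS answers that point login.example.org
# at an address whose PTR record names a different host, one for which a valid
# host certificate from the same trusted CA exists.
SPOOFED_FORWARD: Dict[str, str] = {"login.example.org": "203.0.113.5"}
SPOOFED_REVERSE: Dict[str, str] = {"203.0.113.5": "other.example.net"}
OTHER_HOST_CERT_NAMES = ["other.example.net"]


if __name__ == "__main__":
    # Legitimate alias: only the reverse-DNS variant accepts it, which is the
    # convenience the option was presumably meant to provide.
    print("alias   :", both_checks("alias.example.org", ["login.example.org"]))
    # Spoofed resolver answers: the reverse-DNS variant accepts a certificate
    # that never mentions the requested name; the proper check rejects it.
    print("spoofed :", both_checks("login.example.org", OTHER_HOST_CERT_NAMES,
                                   SPOOFED_FORWARD, SPOOFED_REVERSE))
```

The alias case shows what the reverse lookup buys (a cert naming only the canonical host is accepted for its alias), and the spoofed case shows what it costs: the decision hinges entirely on a PTR answer the client has no way to authenticate, which is the reason the thread argues for the upstream default of "no" and for matching the requested name against CN and SANs directly.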