[Gt-eos] gsissh trusting DNS by default instead of usual rule

Dave Dykstra dwd at fnal.gov
Mon May 20 17:05:09 CEST 2019


On Sun, May 19, 2019 at 02:02:35PM +0200, Mischa Salle wrote:
> On Thu, May 16, 2019 at 04:35:50PM +0000, Dave Dykstra wrote:
...
> > No, you're right, it does do a reverse DNS name lookup.  Here's the
> > function that implements it:
> >     https://src.fedoraproject.org/rpms/gsi-openssh/blob/master/f/openssh-8.0p1-gssapi-keyex.patch#_290
> Indeed, but notice that that just moves the same code/function from
> auth.c:
>     https://src.fedoraproject.org/rpms/gsi-openssh/blob/master/f/openssh-8.0p1-gssapi-keyex.patch#_24
> and that means it comes directly from upstream openssh. And indeed:
>     https://github.com/openssh/openssh-portable/blob/master/auth.c#L726
> (or likewise in
> https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
> as used by gsi-openssh.spec)

The remote_hostname() function is there, but there's no GSSAPITrustDns
option anymore.

> In any case, I suggest you open an issue at
> https://github.com/gridcf/gct to request the default GSSAPITrustDns to
> be set to 'no' as is the case for upstream and then it will use the gct
> libs code which should now be ok with SANs.
>
> You could leave out the details or just refer to earlier discussions.
> I think this is probably the fastest way at this point in time to fix
> it.

https://github.com/gridcf/gct/issues/85

Dave
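As an added illustration (not code from gsi-openssh, OpenSSH, or anyone in this thread) of what a forward-confirmed reverse lookup buys a server that derives the client's name from DNS: the PTR name is accepted only when that name's own address records map back to the connecting IP, otherwise the IP literal is used. The resolver lookups are injectable so the constructed `example.org` data runs offline; those names and addresses are made up.

```python
import socket
from typing import Callable, Iterable, Optional

ReverseLookup = Callable[[str], Optional[str]]   # ip -> PTR name, or None
ForwardLookup = Callable[[str], Iterable[str]]   # name -> A/AAAA addresses

def system_reverse(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def system_forward(name: str) -> Iterable[str]:
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def confirmed_remote_hostname(ip, reverse=system_reverse, forward=system_forward) -> str:
    """Return the PTR name for ip only if that name resolves back to ip;
    otherwise return the IP literal. This mirrors the forward-confirmation
    idea in OpenSSH's remote_hostname() but is an independent illustration."""
    name = reverse(ip)
    if not name:
        return ip            # no PTR record: nothing to trust, use the address
    name = name.lower()
    if ip not in set(forward(name)):
        # The reverse zone claims a name whose address records do not include ip.
        # Whoever controls that zone could have set it, so do not rely on it.
        return ip
    return name

# Constructed, offline DNS data (not real hosts) for a stand-alone run.
CONSTRUCTED_PTR = {
    "192.0.2.10": "worker1.example.org",    # honest: forward record agrees
    "198.51.100.7": "trusted.example.org",  # PTR claims a name it does not own
}
CONSTRUCTED_A = {
    "worker1.example.org": ["192.0.2.10"],
    "trusted.example.org": ["192.0.2.20"],
}

def offline_remote_hostname(ip: str) -> str:
    return confirmed_remote_hostname(ip, CONSTRUCTED_PTR.get,
                                     lambda n: CONSTRUCTED_A.get(n, []))

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, "->", offline_remote_hostname(ip))
```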
