[Gt-eos] gsissh trusting DNS by default instead of usual rule

Mischa Salle msalle at nikhef.nl
Mon May 20 19:21:35 CEST 2019


On Mon, May 20, 2019 at 03:05:09PM +0000, Dave Dykstra wrote:
> On Sun, May 19, 2019 at 02:02:35PM +0200, Mischa Salle wrote:
> > On Thu, May 16, 2019 at 04:35:50PM +0000, Dave Dykstra wrote:
> ...
> > > No, you're right, it does do a reverse DNS name lookup.  Here's the
> > > function that implements it:
> > >     https://src.fedoraproject.org/rpms/gsi-openssh/blob/master/f/openssh-8.0p1-gssapi-keyex.patch#_290
> > Indeed, but notice that that just moves the same code/function from
> > auth.c:
> >     https://src.fedoraproject.org/rpms/gsi-openssh/blob/master/f/openssh-8.0p1-gssapi-keyex.patch#_24
> > and that means it comes directly from upstream openssh. And indeed:
> >     https://github.com/openssh/openssh-portable/blob/master/auth.c#L726
> > (or likewise in
> > https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
> > as used by gsi-openssh.spec)
> 
> The remote_hostname() function is there, but there's no GSSAPITrustDns
> option anymore.
True, but my point was that this is upstream code (and has been for
ages; I already found parts of it in a commit from January 2000,
https://github.com/openssh/openssh-portable/commit/34132e54cbd221d17d373fc54f4e3f7b85727f7f).
I wonder if we should perhaps file a bug at OpenSSH itself, but I don't
think that would lead to much, probably... And for them (normally not
using certs) it also does not make much sense.

> > In any case, I suggest you open an issue at
> > https://github.com/gridcf/gct to request the default GSSAPITrustDns to
> > be set to 'no' as is the case for upstream and then it will use the gct
> > libs code which should now be ok with SANs.
> >
> > You could leave out the details or just refer to earlier discussions.
> > I think this is probably the fastest way at this point in time to fix
> > it.
> 
> https://github.com/gridcf/gct/issues/85
I noticed it, thanks!

    Best wishes,
    Mischa

-- 
Nikhef                      Room  H155
Science Park 105            Tel.  +31-20-592 5102
1098 XG Amsterdam           Fax   +31-20-592 5155
The Netherlands             Email msalle at nikhef.nl
  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..
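The thread turns on what the client uses as the host part of the GSSAPI target name: the name the user typed (the "usual rule", GSSAPITrustDns no) or the name obtained by reverse-mapping the connected address through remote_hostname() (GSSAPITrustDns yes). The following is an added illustration, not gsi-openssh, GCT or OpenSSH code: it models the three decisions remote_hostname() in auth.c makes (no PTR, a PTR that is itself a numeric address, a PTR whose forward lookup does not contain the connected address) with in-memory tables in place of real DNS, so it runs offline. The zone data, the function names and the GSSAPITrustDns toggle modelled by the trust_dns parameter are constructed for the example; OpenSSH's own comment on that forward-mapping check already notes it can be fooled by whoever controls the name server of the domain, which the last table entry shows.

```python
"""Model of OpenSSH's remote_hostname() reverse-lookup check and of what
GSSAPITrustDns changes about the GSSAPI target host.  Added example with
constructed sample DNS data; not code from gsi-openssh, GCT or OpenSSH."""
import ipaddress

# Constructed sample records (not real zones).  PTR records keyed by address,
# forward (A) records keyed by lowercase name.
PTR_RECORDS = {
    "192.0.2.10": "Login.Example.ORG",      # forward record maps back: name is accepted
    "192.0.2.11": "login.example.org",      # forward record does not contain this address
    "192.0.2.12": "10.0.0.1",               # PTR that is itself a numeric address
    "198.51.100.5": "login.attacker.test",  # reverse and forward zone under someone else's control
}
FORWARD_RECORDS = {
    "login.example.org": ["192.0.2.10"],
    "login.attacker.test": ["198.51.100.5"],
}


def remote_hostname(ip, ptr=PTR_RECORDS, forward=FORWARD_RECORDS):
    """Return the name auth.c's remote_hostname() would settle on for `ip`.

    Falls back to the address itself whenever the reverse mapping cannot be
    confirmed, exactly as the C function does; otherwise the lowercased PTR name.
    """
    name = ptr.get(ip)
    if name is None:
        return ip                      # getnameinfo(NI_NAMEREQD) failed: use the address
    try:
        ipaddress.ip_address(name)     # getaddrinfo(AI_NUMERICHOST) would succeed
        return ip                      # numeric PTR is ignored as a trick
    except ValueError:
        pass
    name = name.lower()                # names are stored in lowercase
    if ip not in forward.get(name, []):
        return ip                      # name does not map back to the address
    return name


def gssapi_target_host(typed_host, connected_ip, trust_dns,
                       ptr=PTR_RECORDS, forward=FORWARD_RECORDS):
    """Host part of the host@<name> target the client asks GSSAPI for.

    trust_dns=False models GSSAPITrustDns no (use what the user typed, the
    upstream default); trust_dns=True models GSSAPITrustDns yes (use the
    reverse-mapped name from remote_hostname()).
    """
    if not trust_dns:
        return typed_host.lower()
    return remote_hostname(connected_ip, ptr, forward)


if __name__ == "__main__":
    # The user typed login.example.org but the connection landed on an address
    # whose reverse and forward records someone else controls.  Only the
    # trust_dns=True path lets that DNS decide which host certificate is expected.
    for trust in (False, True):
        print("GSSAPITrustDns", "yes" if trust else "no ", "->",
              gssapi_target_host("login.example.org", "198.51.100.5", trust))
```

Note that the forward-mapping check does reject the second and third table entries, so it is not useless; what it cannot do is tell a consistent reverse/forward pair in the wrong domain from the host the user asked for, which is why the thread asks for the upstream default of no.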