[Gt-eos] Possible security concern with gsissh

Basney, Jim jbasney at illinois.edu
Tue Apr 10 19:17:30 CEST 2018


Dave,

Thanks for raising this issue. I believe it’s due to the GssapiTrustDns setting still defaulting to yes. We should change the default to no. 

-Jim

> On Apr 10, 2018, at 12:01 PM, Dave Dykstra <dwd at fnal.gov> wrote:
> 
> I just noticed on a host that we use gsi-openssh-server that the host
> certificate does not include a SAN of the public DNS alias of the
> machine (i.e. oasis-login-itb.opensciencegrid.org).  Isn't that a
> security concern?  Normally clients are supposed to verify that.
> 
> Dave
> _______________________________________________
> Gt-eos mailing list
> Gt-eos at mailman.egi.eu
> http://mailman.egi.eu/mailman/listinfo/gt-eos



More information about the Gt-eos mailing list