[Gt-eos] Possible security concern with gsissh
Dave Dykstra
dwd at fnal.gov
Tue Apr 10 20:44:27 CEST 2018
Indeed, setting -o GSSAPITrustDns=no results in the cryptic error
gss_init_context failed
If I add -v I get a clear error:
GSS Minor Status Error Chain:
globus_gsi_gssapi: Authorization denied: The expected name for the remote host (host at oasis-login.opensciencegrid.org) does not match the authenticated name of the remote host (host at oasis-login.grid.iu.edu). This happens when the name in the host certificate does not match the information obtained from DNS and is often a DNS configuration problem.
The commented-out value in /etc/gssissh/ssh_config indicates the default
is yes. The man page in the installed version I have
(gsi-openssh-7.3p1c-1.1.osg34) still has the bad double-quoting but now
says the default is "yes".
Having this option default to "yes" does require trusting the DNS which
is somewhat questionable, but that's not nearly as bad as I had feared
-- that it wasn't checking at all.
Dave
On Tue, Apr 10, 2018 at 08:36:11PM +0300, Mischa Salle wrote:
> Hi Dave, Jim,
>
> the man-page for an old gsissh_config (from gsi-openssh-clients-5.3p1-11.el6)
> says that the default is 'no'. In any case, Dave, you could try to set
> it manually to verify that it is the cause?
>
> GSSAPITrustDns
> Set to "yes to indicate that the DNS is trusted to securely
> canonicalize" the name of the host being connected to. If "no,
> the hostname entered on the" command line will be passed
> untouched to the GSSAPI library. The default is "no". This
> option only applies to protocol version 2 connections using GSS-
> API.
>
> Mischa
>
> On Tue, Apr 10, 2018 at 05:17:30PM +0000, Jim Basney wrote:
> > Dave,
> >
> > Thanks for raising this issue. I believe it's due to the GssapiTrustDns setting still defaulting to yes. We should change the default to no.
> >
> > -Jim
> >
> > > On Apr 10, 2018, at 12:01 PM, Dave Dykstra <dwd at fnal.gov> wrote:
> > >
> > > I just noticed on a host that we use gsi-openssh-server that the host
> > > certificate does not include a SAN of the public DNS alias of the
> > > machine (i.e. oasis-login-itb.opensciencegrid.org). Isn't that a
> > > security concern? Normally clients are supposed to verify that.
> > >
> > > Dave
> > > _______________________________________________
> > > Gt-eos mailing list
> > > Gt-eos at mailman.egi.eu
> > > http://mailman.egi.eu/mailman/listinfo/gt-eos
> >
>
> --
> Nikhef Room H155
> Science Park 105 Tel. +31-20-592 5102
> 1098 XG Amsterdam Fax +31-20-592 5155
> The Netherlands Email msalle at nikhef.nl
> __ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
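Added illustration (not code from the thread, from Globus, or from GSI-OpenSSH): a small Python model of the check behind the "expected name ... does not match the authenticated name" error, showing what GSSAPITrustDns=yes versus no changes. The archive prints the principal as "host at ..."; the code uses the host@name form. Only the two oasis-login names come from the error message above; the DNS table, the certificate table, the example.org/example.net names and all function names are constructed for the example.

```python
"""
Model of the GSSAPITrustDns host-name check discussed in the thread.

Not Globus / GSI-OpenSSH code.  It models the rule "the expected name for the
remote host must equal the authenticated name of the remote host".  Every
table here is constructed; only the two oasis-login names are from the thread.
"""

# Constructed DNS view: alias -> canonical name.  The first entry mirrors the
# thread; the second is a hypothetical poisoned or attacker-controlled answer.
FAKE_DNS = {
    "oasis-login.opensciencegrid.org": "oasis-login.grid.iu.edu",
    "login.example.org": "attacker-box.example.net",   # hypothetical
}

# Constructed: the names each reachable server's host certificate carries
# (the "authenticated name" side of the check).  The attacker holds a
# perfectly valid certificate for the box it controls.
FAKE_CERT_SANS = {
    "oasis-login.grid.iu.edu": frozenset({"oasis-login.grid.iu.edu"}),
    "attacker-box.example.net": frozenset({"attacker-box.example.net"}),
}


def canonicalize(name, dns=FAKE_DNS):
    """Follow the simulated CNAME chain, as a GSSAPITrustDns=yes client would."""
    seen = set()
    while name in dns and name not in seen:
        seen.add(name)
        name = dns[name]
    return name


def expected_host(typed_host, trust_dns, dns=FAKE_DNS):
    """GSSAPITrustDns=yes: demand the DNS-canonicalized name.
    GSSAPITrustDns=no : demand exactly the name typed on the command line."""
    return canonicalize(typed_host, dns) if trust_dns else typed_host


def gss_authorize(typed_host, trust_dns, dns=FAKE_DNS, certs=FAKE_CERT_SANS):
    """Return (accepted, expected_principal, authenticated_principals).

    The TCP connection always lands wherever DNS points; the option only
    changes which name the client insists the host certificate carry.
    """
    expected = expected_host(typed_host, trust_dns, dns)
    reached = canonicalize(typed_host, dns)
    sans = certs.get(reached, frozenset())
    accepted = expected in sans
    return accepted, f"host@{expected}", sorted(f"host@{s}" for s in sans)


def add_alias_san(certs, server, alias):
    """Model of the fix asked for in the thread: put the public alias in the host cert's SANs."""
    fixed = dict(certs)
    fixed[server] = certs.get(server, frozenset()) | {alias}
    return fixed


if __name__ == "__main__":
    cases = [
        ("oasis-login.opensciencegrid.org", False),   # the error in the thread
        ("oasis-login.opensciencegrid.org", True),    # default: DNS is trusted
        ("login.example.org", True),                  # poisoned DNS, trusted -> accepted
        ("login.example.org", False),                 # poisoned DNS, not trusted -> rejected
    ]
    for host, trust in cases:
        ok, exp, got = gss_authorize(host, trust)
        flag = "yes" if trust else "no"
        print(f"GSSAPITrustDns={flag:3} {host:36} {'OK  ' if ok else 'DENY'} "
              f"expected {exp} authenticated {got}")
    fixed = add_alias_san(FAKE_CERT_SANS, "oasis-login.grid.iu.edu",
                          "oasis-login.opensciencegrid.org")
    print("with alias SAN, GSSAPITrustDns=no:",
          gss_authorize("oasis-login.opensciencegrid.org", False, certs=fixed)[0])
```

Running it reproduces the two outcomes in the thread (denied with =no because the certificate only carries the grid.iu.edu name, accepted with =yes because the client canonicalizes the alias first), and then shows the cost of the =yes default: whoever controls the DNS answer for the alias can steer the "expected name" to a host they hold a valid certificate for, while =no rejects that and only passes once the real server's certificate carries the public alias as a SAN.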