[Gt-eos] Possible security concern with gsissh

Dave Dykstra dwd at fnal.gov
Tue Apr 10 20:44:27 CEST 2018


Indeed, setting -o GSSAPITrustDns=no results in the cryptic error
    gss_init_context failed

If I add -v I get a clear error:
    GSS Minor Status Error Chain:
    globus_gsi_gssapi: Authorization denied: The expected name for the remote host (host at oasis-login.opensciencegrid.org) does not match the authenticated name of the remote host (host at oasis-login.grid.iu.edu). This happens when the name in the host certificate does not match the information obtained from DNS and is often a DNS configuration problem.

The commented-out value in /etc/gssissh/ssh_config indicates the default
is yes.  The man page in the installed version I have
(gsi-openssh-7.3p1c-1.1.osg34) still has the bad double-quoting but now
says the default is "yes".  

Having this option default to "yes" does require trusting the DNS which
is somewhat questionable, but that's not nearly as bad as I had feared
-- that it wasn't checking at all.

Dave

On Tue, Apr 10, 2018 at 08:36:11PM +0300, Mischa Salle wrote:
> Hi Dave, Jim,
> 
> the man-page for an old gsissh_config (from gsi-openssh-clients-5.3p1-11.el6)
> says that the default is 'no'. In any case, Dave, you could try to set
> it manually to verify that it is the cause?
> 
>  GSSAPITrustDns
> 	 Set to "yes to indicate that the DNS is trusted to securely
> 	 canonicalize" the name of the host being connected to. If "no,
> 	 the hostname entered on the" command line will be passed
> 	 untouched to the GSSAPI library.  The default is "no".  This
> 	 option only applies to protocol version 2 connections using GSS-
> 	 API.
> 
> Mischa
> 
> On Tue, Apr 10, 2018 at 05:17:30PM +0000, Jim Basney wrote:
> > Dave,
> > 
> > Thanks for raising this issue. I believe it???s due to the GssapiTrustDns setting still defaulting to yes. We should change the default to no. 
> > 
> > -Jim
> > 
> > > On Apr 10, 2018, at 12:01 PM, Dave Dykstra <dwd at fnal.gov> wrote:
> > > 
> > > I just noticed on a host that we use gsi-openssh-server that the host
> > > certificate does not include a SAN of the public DNS alias of the
> > > machine (i.e. oasis-login-itb.opensciencegrid.org).  Isn't that a
> > > security concern?  Normally clients are supposed to verify that.
> > > 
> > > Dave
> > > _______________________________________________
> > > Gt-eos mailing list
> > > Gt-eos at mailman.egi.eu
> > > http://mailman.egi.eu/mailman/listinfo/gt-eos
> > 
> > _______________________________________________
> > Gt-eos mailing list
> > Gt-eos at mailman.egi.eu
> > http://mailman.egi.eu/mailman/listinfo/gt-eos
> 
> -- 
> Nikhef                      Room  H155
> Science Park 105            Tel.  +31-20-592 5102
> 1098 XG Amsterdam           Fax   +31-20-592 5155
> The Netherlands             Email msalle at nikhef.nl
>   __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..



> _______________________________________________
> Gt-eos mailing list
> Gt-eos at mailman.egi.eu
> http://mailman.egi.eu/mailman/listinfo/gt-eos



More information about the Gt-eos mailing list