Hello,

at the beginning of the source file for the SSL authentication
( src/condor_io/condor_auth_ssl.cpp ) you can find the following comment:

    /* This next bit is just to get the fqdn
       of the host we're communicating with. One would
       think that remoteHost would have this, but it doesn't seem to. -Ian */
    /* After some discussion with Zach, we
       don't actually do any checking that involves the host
       name, so whatever...
    const char *peerHostAddr = getRemoteHost();
    struct hostent *he = condor_gethostbyname(peerHostAddr);
    dprintf(D_SECURITY,"Peer addr: '%s'\n", peerHostAddr);
    const char *peerHostName = get_full_hostname_from_hostent(
        condor_gethostbyaddr(he->h_addr, sizeof he->h_addr, AF_INET), NULL);
    dprintf(D_SECURITY,"Got hostname for peer: '%s'\n", peerHostName);
    */

Can you tell me the reason why the check for the host name was skipped at all?
What about checking only for the part of the FQDN you can get with
condor_gethostbyname? Maybe this could be controlled in the configuration with
an entry like:

    AUTH_SSL_TRUST_DOMAIN = ALL | DOMAIN | FQDN

Where
- ALL: would be trust all machines (like it is currently)
- DOMAIN: trust the domain like in TRUST_UID_DOMAIN and check the host name
  without the domain part
- FQDN: the complete FQDN must match (for systems that support this)

How is this handled in GSI?

Best regards,
Carsten Ochtrup