[Swift-devel] Re: Problem with incorrect host cert DN in coaster GSI authentication

Mihael Hategan hategan at mcs.anl.gov
Thu Apr 29 11:18:08 CDT 2010


On Thu, 2010-04-29 at 10:57 -0500, Michael Wilde wrote:
> OK, thanks. It's not clear to me exactly what's happening, but I get the
> high-level idea that it relates to trust relationships that get broken
> because of differences in DN settings and/or interpretations.

No. It's something that someone while writing up GSI thought was going
to make things easier. Well, it doesn't, and it makes things insecure.
But once in, it never changed.

Normally, when you connect to bankofamerica.com, the browser resolves
that name to an IP, contacts that IP, gets a certificate and checks the
DN against the name you typed.

In GSI, when you connect to bankofamerica.com, the browser resolves that
name to an IP, contacts that IP, gets a certificate, does a
reverse-resolution on that IP and then checks the DN of the cert against
the reverse-resolved name of the IP. That reverse-resolved name may not
be bankofamerica.com.

This was done to provide easy (for the sysadmin) ways of having multiple
DNS entries be used with the same machine. The problem is that it also
fails for some scenarios (like the one we have). Not only that, it is an
abomination in terms of security since impersonating a service can now
be done with DNS hacks instead of the more difficult schemes involving
cracking RSA/DSA.

> 
> Yi, can you try gt2:pbs?
> 
> Mihael, at some point can you post a note explaining the issues?
> 
> I think we need to document or automate/fix the various interactions between coasters and GSI:
> 
> - this new issue/restriction with gt2:gt2:pbs
> - the GSI needs and user config procedures for ssh:pbs
> 
> Thanks,
> 
> Mike
> 
> ----- "Mihael Hategan" <hategan at mcs.anl.gov> wrote:
> 
> > The host cert isn't incorrect. It's GSI with its silly reverse lookup
> > that causes things to fail.
> > 
> > gt2:pbs should work (assuming the pbs provider does).
> > 
> > On Wed, 2010-04-28 at 23:54 -0500, Michael Wilde wrote:
> > > Mihael,
> > > 
> > > Can you post an update on Yi's problem in getting coasters running
> > over Nimbus/AWS?
> > > Easy to fix or hard?
> > > 
> > > Should he try SSH for the coaster launch? (jobmanager=ssh:pbs ???)
> > > 
> > > Thanks,
> > > 
> > > Mike
> 