From: Jim Rees <rees@umich.edu>
To: Simo Sorce <simo@redhat.com>
Cc: linux-nfs <linux-nfs@vger.kernel.org>,
Steve Dickson <steved@redhat.com>,
Jeffrey Layton <jlayton@redhat.com>
Subject: Re: [PATCH] Avoid PTR lookups when possible
Date: Tue, 2 Apr 2013 11:00:49 -0400 [thread overview]
Message-ID: <20130402150049.GA526@umich.edu> (raw)
In-Reply-To: <1364910351.2660.1243.camel@willson.li.ssimo.org>
Simo Sorce wrote:
The attached patch adds a new command line switch to rpc.gssd to avoid
PTR resolution when possible.
The current code *depends* on PTR resolution for GSSAPI authentication
and this is *bad*.
It imposes an annoying, and unnecessary, constraint on the correctness
of DNS resolution, which prevents mounts from working in networks where
the PTR record cannot be easily controlled (for example networks where
the forward name is reasonable while the PTR is set to some artificial
name based on the IP address or so that is not the canonical name or
where no PTR exist at all).
Depending on PTR resolution for GSSAPI is also very bad practice because
it opens up DNS spoofing attacks where an attacker can try to redirect a
user to the wrong server fooling mutual authentication, and induce a
user to trust improper data or disclose (by copying on the impostor
server) data that should be confidential.
What happens if it's a partially qualified domain name?
Wouldn't it be better to use something like inet_pton?
I agree that insisting on correct PTR records is a bad idea, but I don't
understand your threat model. It shouldn't be possible for an attacker to do
anything bad by redirecting the client to a spoof server. If it is possible,
we've got bigger problems. How do you think that would work exactly?
next prev parent reply other threads:[~2013-04-02 15:00 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-02 13:45 [PATCH] Avoid PTR lookups when possible Simo Sorce
2013-04-02 14:17 ` Jeff Layton
2013-04-02 15:00 ` Jim Rees [this message]
2013-04-02 16:26 ` Simo Sorce
2013-04-02 16:46 ` Jim Rees
2013-04-02 17:03 ` Simo Sorce
2013-04-02 18:39 ` Jim Rees
2013-04-02 18:48 ` Simo Sorce
2013-04-02 18:53 ` Jim Rees
2013-04-02 19:02 ` Simo Sorce
2013-04-03 13:44 ` J. Bruce Fields
2013-04-03 14:40 ` Jim Rees
2013-04-03 16:03 ` Simo Sorce
2013-04-03 17:12 ` J. Bruce Fields
2013-04-03 18:12 ` Simo Sorce
2013-04-03 18:20 ` J. Bruce Fields
2013-04-02 15:18 ` Steve Dickson
2013-04-02 15:51 ` Chuck Lever
2013-04-02 16:29 ` Simo Sorce
2013-04-02 20:21 ` Chuck Lever
2013-04-02 20:33 ` Simo Sorce
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130402150049.GA526@umich.edu \
--to=rees@umich.edu \
--cc=jlayton@redhat.com \
--cc=linux-nfs@vger.kernel.org \
--cc=simo@redhat.com \
--cc=steved@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.