Well, that is probably true. Presumably this is for outgoing connections and all internal IP addresses are resolved to a single IP address with a specific port number. So, indeed there would be no way to catch a man-in-the-middle attack which sss tries to catch. I’d still like to see how all this plays out and whether or not the client is actually sending its host name (I assume not but that may be immaterial here). I really don’t want a global option to turn this checking off as it’s an important security test. I suppose we can turn it off selectively for certain things known to be NAT boxes but that may make it a bear to maintain for the site admin. Alternatively, we could allow a specific key to skip the test, which would be the least egregious mechanism as you are willing to take the risk. That kind of change is rather involved as numerous things need to change (most notably the documentation).

Andy

From: apeters1971
Sent: Tuesday, October 14, 2014 12:38 PM
To: xrootd/xrootd
Cc: Andrew Hanushevsky
Subject: Re: [xrootd] sss security behind NAT (#147)

I will verify tomorrow, but intentionally yes. In any case, whatever you compare, neither the hostname nor the IP address matches in that case the connection you can see on the server side, so I wonder if one can check that at all ... or am I missing something?


Reply to this email directly or view it on GitHub.


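The design choice Andy weighs above (no global switch, but a per-key exemption for clients known to sit behind a NAT box) sketched as an added example. This is not xrootd's code and does not reproduce the real sss credential format: the Credential and SharedKey fields, the skip_peer_check flag and the sample addresses are assumptions made for this illustration.

```python
"""Added example (not xrootd's own code): a peer-address binding check with a
per-key exemption instead of a global off switch.  The credential layout, the
SharedKey fields and all sample addresses are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class SharedKey:
    key_id: int
    secret: bytes
    # Hypothetical per-key flag: the owner of this key accepts that clients
    # using it may be NATed, so the peer test is relaxed for this key only.
    skip_peer_check: bool = False


@dataclass(frozen=True)
class Credential:
    key_id: int
    claimed_addr: str  # address the client put into the credential (assumed field)


def check_peer_binding(cred: Credential, peer_addr: str,
                       keys: Dict[int, SharedKey]) -> Tuple[bool, str]:
    """Compare the address inside the credential with the TCP peer address.

    Returns (accepted, reason).  A mismatch is rejected unless the key used
    to create the credential was explicitly marked as NAT-tolerant; there is
    deliberately no global switch, so every exemption is tied to one key and
    is visible in the key table.
    """
    key = keys.get(cred.key_id)
    if key is None:
        return False, "unknown key id %d" % cred.key_id
    try:
        claimed = ipaddress.ip_address(cred.claimed_addr)
        peer = ipaddress.ip_address(peer_addr)
    except ValueError as exc:
        return False, "malformed address in credential or peer: %s" % exc
    if claimed == peer:
        return True, "peer address %s matches credential" % peer
    if key.skip_peer_check:
        # Still worth logging: the site admin chose to accept this risk per key.
        return True, ("peer mismatch (credential %s, socket %s) tolerated "
                      "for key %d" % (claimed, peer, key.key_id))
    return False, ("peer mismatch (credential %s, socket %s): possible relay "
                   "or man-in-the-middle" % (claimed, peer))


def nat_scenario() -> Dict[str, bool]:
    """Constructed scenario: a client on a private address behind a NAT box
    that presents a single public address to the server."""
    keys = {
        1: SharedKey(1, b"constructed-key-1"),
        2: SharedKey(2, b"constructed-key-2", skip_peer_check=True),
    }
    inside, outside = "10.0.0.5", "192.0.2.1"  # RFC 1918 / documentation ranges
    return {
        "direct_client": check_peer_binding(Credential(1, inside), inside, keys)[0],
        "nat_client_strict_key": check_peer_binding(Credential(1, inside), outside, keys)[0],
        "nat_client_exempt_key": check_peer_binding(Credential(2, inside), outside, keys)[0],
    }


if __name__ == "__main__":
    for name, accepted in nat_scenario().items():
        print("%-24s %s" % (name, "accept" if accepted else "reject"))
```

The third case is the one the thread is about: with a strict key the NATed client is rejected because the socket peer is the NAT box, not the address in the credential; only a key the admin marked as NAT-tolerant lets it through, and the reason string still records the mismatch.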


Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1