[OpenAFS-devel] gssklog and globus 4.2.1 gssapi

Douglas E. Engert deengert@anl.gov
Thu, 11 Feb 2010 13:18:34 -0600


mike coyne wrote:
> There seems to be a problem with getting mutual auth to work for the
> globus service gssklog in the client application gssklog. The call to
> gss_init_sec_context() fails comparing the returned CN with the expected
> service/fqdn.  After some tracing I found that if I added the service gssklog
> to the globus_i_gsi_gssapi_get_hostname() function (see below) the
> mutual auth worked as expected. This seemed to be a bit extreme to get
> the mutual auth to work for a generic service, as the only services
> listed in the function were host/ and ftp/. I am wondering if I may have
> missed something?


Yes I think you have missed something. The gssklog README says:
   With GSI the server's credential is a server certificate with CN=gssklog/hostname
   and a matching private key. These are defaulted to: /etc/grid-security/afscert.pem
   and /etc/grid-security/afskey.pem.  The trusted certificates directory:
   /etc/grid-security/certificates  is also needed. These can be specified via
   the -C -K and -D options respectively.

It sounds like you are trying to use a server certificate with CN=hostname.
The gssklogd should have its own certificate with CN=gssklog/hostname.

The GSI code would treat CN=hostname as CN=host/hostname or CN=ftp/hostname,
much the same as Kerberized FTP would use either host/hostname or ftp/hostname,
i.e. both of these services are login or access to the file systems of a host.


But the gssklog does not need to be run as root, and should not be using root's
certificate. It should have its own certificate and key.

I have not looked at the newer versions of Globus in years, so I don't know what changes
have been made to the GSI. But I suspect that if you used CN=gssklog/hostname things should
work without any changes.


> 
> Mike Coyne 
> 
> -------------cut-line---------------
> Index:
> trunk/gt4.2/source-trees/gsi/gssapi/source/library/globus_i_gsi_gss_utils.c
> ===================================================================
> ---
> trunk/gt4.2/source-trees/gsi/gssapi/source/library/globus_i_gsi_gss_utils.c (revision 540)
> +++
> trunk/gt4.2/source-trees/gsi/gssapi/source/library/globus_i_gsi_gss_utils.c (revision 613)
> @@ -2530,7 +2530,12 @@
>          {
>              length = name_entry->value->length;
>              data = name_entry->value->data;
> -            if ( length > 5 && !strncasecmp((char *) data, "host/", 5))
> +	     if ( length > 8 && !strncasecmp((char *) data, "gssklog/", 8))
> +            {
> +                length -= 8;
> +                data += 8;
> +            }
> +            else  if ( length > 5 && !strncasecmp((char *) data,
> "host/", 5))
>              {
>                  length -= 5;
>                  data += 5;
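Review bot: the added branch hardcodes one more service prefix ("gssklog/", length 8) into a generic CN-to-hostname extractor, so every further service that wants mutual auth needs another library patch; either strip any "service/" prefix up to the first '/' and compare the service part against what the caller expects, or keep the list of accepted prefixes configurable rather than compiled in. The new `if` line is also indented with a tab while the surrounding lines use spaces, and the `length > 8` / `length > 5` strict comparisons mean a CN consisting only of the prefix is deliberately left unstripped; that matches the existing host/ check, so keep it consistent if the prefix handling is generalized.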
> -------------cut-line---------------
> 
> 
> _______________________________________________
> OpenAFS-devel mailing list
> OpenAFS-devel@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-devel
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
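The name-matching rule described in the reply above (a bare CN=hostname stands in for host/hostname or ftp/hostname, while any other service such as gssklog must carry its own service/hostname CN) is easy to get wrong when it is expressed as a list of hardcoded prefixes. The following is an added example, not code from Globus, GSI or gssklog: it assumes the expected target name is of the form service/fqdn and generalizes the prefix stripping to any service name, so that gssklog/hostname is accepted without a per-service patch. The hostnames used are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper (not Globus code): split a CN of the form
 * "service/fqdn" into its service part (copied into svc, "" for a bare CN)
 * and return a pointer to the hostname part. */
const char *cn_split(const char *cn, char *svc, size_t svclen)
{
    const char *slash = strchr(cn, '/');
    if (slash == NULL) {            /* bare CN=hostname */
        svc[0] = '\0';
        return cn;
    }
    size_t n = (size_t)(slash - cn);
    if (n >= svclen)
        n = svclen - 1;             /* truncate an oversized service name */
    memcpy(svc, cn, n);
    svc[n] = '\0';
    return slash + 1;
}

/* Return 1 if the peer's CN satisfies the expected "service/fqdn" target,
 * 0 otherwise.  A bare hostname on either side is treated as host/, and
 * host/ and ftp/ are interchangeable, as the reply above describes;
 * any other service (e.g. gssklog) must match exactly, case-insensitively. */
int target_name_ok(const char *expected, const char *cn)
{
    char esvc[64], csvc[64];
    const char *ehost = cn_split(expected, esvc, sizeof esvc);
    const char *chost = cn_split(cn, csvc, sizeof csvc);

    if (strcasecmp(ehost, chost) != 0)
        return 0;                   /* hostnames must match */

    if (esvc[0] == '\0') strcpy(esvc, "host");
    if (csvc[0] == '\0') strcpy(csvc, "host");
    if (strcasecmp(esvc, csvc) == 0)
        return 1;                   /* same service on both sides */

    /* host/ and ftp/ are both host-login services and may stand in for each other */
    int e_login = !strcasecmp(esvc, "host") || !strcasecmp(esvc, "ftp");
    int c_login = !strcasecmp(csvc, "host") || !strcasecmp(csvc, "ftp");
    return e_login && c_login;
}

int main(void)
{
    /* constructed hostnames for the demonstration */
    printf("gssklog cert vs gssklog target: %d\n",
           target_name_ok("gssklog/afs.example.org", "gssklog/afs.example.org"));
    printf("bare host cert vs gssklog target: %d\n",
           target_name_ok("gssklog/afs.example.org", "afs.example.org"));
    printf("bare host cert vs host/ target: %d\n",
           target_name_ok("host/afs.example.org", "afs.example.org"));
    return 0;
}
```

The second call is the situation the reply diagnoses: a certificate with CN=hostname only satisfies the host/ and ftp/ targets, so a gssklogd that presents such a certificate fails mutual auth, and the fix is to issue it a CN=gssklog/hostname certificate rather than to teach the library about gssklog.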