Mike Coyne wrote:
There seems to be a problem with getting mutual auth to work for the
Globus service gssklog in the client application gssklog. The call to
gss_init_sec_context() fails comparing the returned CN with the expected
service/fqdn. After some tracing I found that if I added the service gssklog
to the globus_i_gsi_gssapi_get_hostname() function (see below) the
mutual auth worked as expected. This seemed to be a bit extreme to get
the mutual auth to work for a generic service, as the only services
listed in the function were host/ and ftp/. I am wondering if I may have
missed something?
Yes, I think you have missed something. The gssklog README says:
With GSI the server's credential is a server certificate with
CN=gssklog/hostname
and a matching private key. These are defaulted to:
/etc/grid-security/afscert.pem
and /etc/grid-security/afskey.pem. The trusted certificates directory
/etc/grid-security/certificates is also needed. These can be specified via
the -C, -K and -D options respectively.
It sounds like you are trying to use a server certificate with CN=hostname.
The gssklogd should have its own certificate with CN=gssklog/hostname.
The GSI code would treat CN=hostname as CN=host/hostname or CN=ftp/hostname,
much the same as Kerberized FTP would use either host/hostname or ftp/hostname,
i.e., both of these services are login or access to the file systems of a host.
But the gssklog does not need to be run as root, and should not be using root's
certificate. It should have its own certificate and key.
I have not looked at the newer versions of Globus in years, so don't know what
changes have been made to the GSI. But I suspect if you used CN=gssklog/hostname
things should work without any changes.
Mike Coyne
-------------cut-line---------------
Index:
trunk/gt4.2/source-trees/gsi/gssapi/source/library/globus_i_gsi_gss_utils.c
===================================================================
---
trunk/gt4.2/source-trees/gsi/gssapi/source/library/globus_i_gsi_gss_utils.c
(revision 540)
+++
trunk/gt4.2/source-trees/gsi/gssapi/source/library/globus_i_gsi_gss_utils.c
(revision 613)
@@ -2530,7 +2530,12 @@
{
length = name_entry->value->length;
data = name_entry->value->data;
- if ( length > 5 && !strncasecmp((char *) data, "host/", 5))
+ if ( length > 8 && !strncasecmp((char *) data, "gssklog/", 8))
+ {
+ length -= 8;
+ data += 8;
+ }
+ else if ( length > 5 && !strncasecmp((char *) data,
"host/", 5))
{
length -= 5;
data += 5;
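Review bot: adding a literal "gssklog/" branch ahead of the existing "host/" case in a generic GSI helper means every further service that wants mutual auth needs its own library patch; the question itself notes that only host/ and ftp/ were listed, and the reply above says gssklogd presenting its own CN=gssklog/hostname credential should work with the helper unpatched, so the cleaner fix is on the gssklogd credential side rather than here. If the helper really must learn about more services, strip whatever precedes the first '/' once rather than hard-coding `length > 8 && !strncasecmp(data, "gssklog/", 8)` per service, and leave host/ and ftp/ as the documented special case that is equivalent to a bare hostname.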
-------------cut-line---------------
_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
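The naming rule described in the reply above (a bare CN=hostname is treated like host/hostname or ftp/hostname, while a distinct service such as gssklog must carry its own service prefix), modelled in Python as an added illustration. This is not Globus, gssklog or OpenAFS code and does not reproduce the real globus_i_gsi_gssapi_get_hostname() logic; the function names, the HOST_EQUIVALENT_SERVICES set and the sample names are assumptions chosen to show why a host certificate fails the check for the gssklog service.

```python
"""Model of the GSI server-name check discussed in the thread (added example).

Assumptions: a CN is either "service/fqdn" or a bare "fqdn"; "host" and
"ftp" are the only services treated as equivalent to the bare hostname.
"""
from typing import Optional, Tuple

# Services the unpatched helper strips, per the quoted hunk ("host/") and
# the question ("host/ and ftp/").  Assumption: nothing else is recognised.
HOST_EQUIVALENT_SERVICES = ("host", "ftp")


def split_service_name(cn: str) -> Tuple[Optional[str], str]:
    """Split "service/fqdn" into (service, fqdn); a bare fqdn has no service."""
    service, sep, host = cn.partition("/")
    if not sep:
        return None, cn
    return service.lower(), host


def gsi_hostname_from_cn(cn: str) -> str:
    """Hostname the unpatched helper would extract: only host/ and ftp/ are stripped.

    Any other prefix (e.g. gssklog/) is left in place, so a later comparison
    against a bare target hostname cannot succeed.
    """
    service, host = split_service_name(cn)
    if service in HOST_EQUIVALENT_SERVICES:
        return host
    return cn


def mutual_auth_name_ok(server_cn: str, expected_service: str, expected_host: str) -> bool:
    """Does the server certificate's CN satisfy what the client asked for?

    expected_service is the service the client intends to talk to ("host"
    for generic login, "gssklog" for the AFS token service).  Hostnames are
    compared case-insensitively, as DNS names are.
    """
    want_service = expected_service.lower()
    have_service, have_host = split_service_name(server_cn)
    if have_host.lower() != expected_host.lower():
        return False
    if want_service in HOST_EQUIVALENT_SERVICES:
        # bare CN=hostname, host/hostname and ftp/hostname all mean "this host"
        return have_service is None or have_service in HOST_EQUIVALENT_SERVICES
    # A distinct service must be named explicitly in the CN: a plain host
    # certificate is not accepted in place of gssklog/hostname.
    return have_service == want_service


if __name__ == "__main__":
    # Constructed sample names, not taken from any real deployment.
    fqdn = "afs.example.org"
    print(mutual_auth_name_ok(f"gssklog/{fqdn}", "gssklog", fqdn))  # True: matching service cert
    print(mutual_auth_name_ok(fqdn, "gssklog", fqdn))               # False: host cert used for gssklog
    print(mutual_auth_name_ok(f"ftp/{fqdn}", "host", fqdn))          # True: ftp/ counts as the host
```

Run it with a plain interpreter; the second line of output is the situation the question describes, where a host certificate is presented but the client expects the gssklog service, and the first shows that a CN=gssklog/hostname credential passes without any change to the host/ and ftp/ handling.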