sss and IP/hostname verification #1486
Comments
|
Actually, that facility already exists but is not described in the way you have envisioned. Not checking the ip/host name makes the token forwardable (that's the primary objective in the explanation). You can already make tokens forwardable by ending the key name with a '+'; see https://xrootd.slac.stanford.edu/doc/dev50/sec_config.htm#_Toc64492248 especially note 6. The question is whether you want an option to allow this only if the sss token was transmitted using TLS which makes it much harder to steal. It's sort of a toss up because I could have stolen the token off a non-TLS connection and then simply presented it immediately later using TLS which would then make it accepted. So, not much of an improvement in security. In any case, your immediate problem is solvable by using generic forwardable tokens. Let me know. |
|
I will try the forwardable token option. What is the version of client and server support this feature? |
|
It should be supported several major releases back. However, it might not
work reliably until the 5.x series if you play games with key generation
which CERN is apt to do (we fixed that in 5.0).
…On Tue, 27 Jul 2021, Wei Yang wrote:
I will try the forwardable token option. What is the version of client and server support this feature?
--
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
#1486 (comment)
|
|
I am closing this as the issue was resolved. |
Is it possible to disable "sss" ip/hostname verification on the serve side, and/or if a 'sss' key doesn't have IP and/or hostname inside?
The text was updated successfully, but these errors were encountered: