Status of Bugzilla #1153

Jefferson Ogata Jefferson.Ogata at noaa.gov
Wed Feb 22 12:27:39 EST 2006


On 02/21/2006 11:10 AM, Carson Gaspar wrote:
> --On Tuesday, February 21, 2006 10:31 AM -0500 Jefferson Ogata 
> <Jefferson.Ogata at noaa.gov> wrote:
>>On 02/21/2006 10:10 AM, Carson Gaspar wrote:
>>>No. gethostname() needs to return the (or a) FQDN of the server.
>>>Anything  else is just broken and begging for trouble. This is sysadmin
>>>101.
>>
>>Not everyone agrees with that opinion.
> 
> I've never met anyone who disagreed who had a sane reason not to use the FQDN 
> ("we're still using NIS for hostnames" is not sane...). Would you like to be 
> the first? I'd be extremely interested in your reasoning why the FQDN isn't 
> the Right Thing To DO.

First of all, if you think DNS is fundamentally any more secure than
NIS, you're unexpectedly naive. I've met you, Carson, so I doubt you
really think that, but here you are pooh-poohing NIS while touting a DNS
FQDN as somehow more precious and perfect. I'm not sure I understand.

As for the Right Thing to DO, I go with what's appropriate in context.
If the system is exposed to the Internet I might go with FQDN. If it's
on a private network with split DNS and only one DNS zone in view, I
might go with short name. I prefer short names in prompts, window
titles, and the like, so if there's no compelling reason for using an
FQDN, I may well go with short name. That depends on the OS as well.

Conversely, you might be asked to show why in your reasoning FQDN is
magically blessed and the One True Way for gethostname(). :^)

>>DNS is just a namespace, after all. It isn't the be-all, end-all of
>>namespaces, especially given how easy it is to spoof. Consider that
>>sysadmin 240. :^)
> 
> True, but he's using DNS as his namespace internally, and complaining about 
> ambiguous shortname->FQDN mapping (and hasn't put "shortname." into DNS, so 
> he's not doing weird advanced things). "Doctor, it hurts when I do this!" 
> "Then don't do it." And what other namespace is deployed (ignoring NIS, 
> which is just evil and wrong)?

Your other remarks about the particular setup under consideration may be
true. What I don't follow is what the objection to sshing to target
hosts is. I see no performance degradation in X11 over ssh, and over low
bandwidth connections I'll see performance improvements thanks to
compression. On the other hand, I have written programs to capture
keystrokes from monitored X11 connections, and I wouldn't run X over a
cleartext connection under any circumstance.

Other namespaces: well /etc/hosts is the obvious one. Less obvious,
LDAP, which, over SSL, is substantially more secure than DNS. AFAIK LDAP
DNs are not widely supported by IP applications, including ssh, though.
Widely deployed, though of much broader scope and not so applicable to
this context: ASN.1.

Someday we'll all be running DNSSEC and things will be different.

>>One thing I don't understand: my experience is that ssh uses
>>localhost:x.0 for the DISPLAY variable. Am I on crack?
> 
> Read your sshd config file - you have X11UseLocalhost set.

Indeed I do. Forgot about that.

-- 
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service
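The disagreement above turns on one concrete failure mode: a short name returned by gethostname() is only meaningful once a resolver search list has qualified it, and that mapping is ambiguous whenever more than one zone in view has a record for the same label. The following is an added example, not code from the thread or from OpenSSH, that models search-list qualification offline. The zone names, host labels and the search list are constructed for illustration; it never touches the real resolver.

```python
"""Model resolver search-list qualification of a short hostname and flag the
ambiguous case.  Added example, not part of the original thread; all zone
data below is constructed and does not describe any real site."""

from typing import Dict, List, Set

# Constructed zone data: zone name -> labels that have an address record.
# Modelled on a split-DNS site where "db01" and "mail" each exist in two zones
# that are both in view from the same host.  These names are made up.
ZONES: Dict[str, Set[str]] = {
    "corp.example.com": {"ws17", "db01", "mail"},
    "lab.example.com": {"build", "db01"},
    "example.com": {"www", "mail"},
}


def is_fqdn(name: str) -> bool:
    """Treat a name as fully qualified if it contains a dot or is explicitly
    rooted with a trailing dot.  A rooted "shortname." bypasses the search
    list entirely, which is why it needs its own entry to resolve."""
    return name.endswith(".") or "." in name.rstrip(".")


def candidates(short: str, search: List[str], zones: Dict[str, Set[str]]) -> List[str]:
    """Every FQDN the short name could qualify to, in search-list order.
    A stub resolver stops at the first hit, so the order of the search list
    silently decides which host an application actually reaches."""
    label = short.rstrip(".")
    return [f"{label}.{zone}" for zone in search if zone in zones and label in zones[zone]]


def is_ambiguous(name: str, search: List[str], zones: Dict[str, Set[str]]) -> bool:
    """True when a short name matches records in more than one zone in view."""
    return not is_fqdn(name) and len(candidates(name, search, zones)) > 1


def qualify(name: str, search: List[str], zones: Dict[str, Set[str]]) -> str:
    """Qualify `name` the way an application that trusts gethostname() would
    need to.  Refuses ambiguous names instead of picking the first match, so
    the caller sees the problem rather than a wrong-but-plausible host."""
    if is_fqdn(name):
        return name.rstrip(".")
    found = candidates(name, search, zones)
    if not found:
        raise LookupError(f"{name!r}: not found in any zone on the search list {search}")
    if len(found) > 1:
        raise LookupError(f"{name!r} is ambiguous, resolves to all of: {found}")
    return found[0]


if __name__ == "__main__":
    # Two zones in view: "db01" and "mail" become ambiguous.
    wide_search = ["corp.example.com", "lab.example.com", "example.com"]
    # Split DNS with a single zone in view: the same short names are unambiguous.
    narrow_search = ["corp.example.com"]
    for search_list in (wide_search, narrow_search):
        print(f"search list: {search_list}")
        for host in ("ws17", "mail", "db01", "www.example.com"):
            try:
                print(f"  {host:18} -> {qualify(host, search_list, ZONES)}")
            except LookupError as exc:
                print(f"  {host:18} -> ERROR: {exc}")
```

The two search lists in the demo correspond to the two positions in the thread: with several zones in view the short name is a liability, while with only one zone in view it qualifies unambiguously, so whether gethostname() should return an FQDN depends on how many zones the host's resolver can see.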
