Re: [Merge] ~epics-core/epics-base/+git/asLib:as-hostname into epics-base:7.0

[Andrew Johnson via Core-talk <core-talk@aps.anl.gov>]

> Can we agree that the desired final solution is defaulting to asCheckClientIP=1 ?

Yes, I'd just like there to be something like a couple of releases where people can try it out before we flip the default.

> Is it worth my arguing that any site bothering with access control would likely welcome stronger authentication?

We use AS here to prevent people from fiddling with PVs that only the experts should be modifying, such as some of our RF system IOCs where a mis-placed put might be able to destroy one of our dwindling supply of RF cavities. I'm totally guessing whether that might be possible, but I do know that our RF IOCs do use it quite extensively, as do our beamline gateways. I agree that stronger authentication is better, and that this will give us stronger authentication.

> How could this be done?

Instead of making this a binary switch, store both the HAG name and the DNS result. Implement the host comparisons using both methods simultaneously and cross-check the results. When the by-name comparison says Match but the by-DNS says No there's either someone trying to impersonate a different client machine or this could be a multiple-interface name issue. You aren't modifying the actual host comparison code at all here though, so doing this would need more extensive changes to asLib.

Similarly larger changes would be needed to allow the use of IP address ranges in the ASCF (e.g. 192.168.12.16/28 say) which I could see as being useful to some (and would need more than 16 chars to store).

-- 
https://code.launchpad.net/~epics-core/epics-base/+git/asLib/+merge/358822
Your team EPICS Core Developers is subscribed to branch epics-base:7.0.