EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: Re: EPICS Codeathon: March 8 to March 12
From: Ben Franksen via Tech-talk <tech-talk at aps.anl.gov>
To: "Johnson, Andrew N." <anj at anl.gov>
Cc: tech-talk at aps.anl.gov
Date: Thu, 4 Feb 2021 22:33:31 +0100
On 04.02.21 at 21:49, Johnson, Andrew N. wrote:
> On Feb 4, 2021, at 1:40 PM, Ben Franksen via Tech-talk
> <tech-talk at aps.anl.gov <mailto:tech-talk at aps.anl.gov>> wrote:
>>
>> On 01.02.21 at 17:05, Michael Davidsaver wrote:
>>>
>>> Are you thinking about projects for yourself, or others?
>>
>> I was vaguely thinking of a colleague who has made some patches for base
>> (enhance CA security by checking IP addresses) which could be brought up
>> to shape for discussion/merging. I've actually no idea if he would want
>> to participate though.
>>
> 
> We already have support for using IP addresses in Access Security files,
> that went into 7.0.3.1:
>>
>>
>>       Channel Access Security: Check Hostname Against DNS
>>
>> Host names given in a HAG entry of an IOC's Access Security
>> Configuration File (ACF) have to date been compared against the
>> hostname provided by the CA client at connection time, which may or
>> may not be the actual name of that client. This allows rogue clients
>> to pretend to be a different host, and the IOC would believe them.
>>
>> An option is now available to cause an IOC to ask its operating system
>> to look up the IP address of any hostnames listed in its ACF (which
>> will normally be done using the DNS or the /etc/hosts file). The IOC
>> will then compare the resulting IP address against the client's actual
>> IP address when checking access permissions at connection time. This
>> name resolution is performed at ACF file load time, which has a few
>> consequences:
>>
>> 1. If the DNS is slow when the names are resolved this will delay the
>>    process of loading the ACF file.
>>
>> 2. If a host name cannot be resolved the IOC will proceed, but this
>>    host name will never be matched.
>>
>> 3. Any changes in the hostname to IP address mapping will not be
>>    picked up by the IOC unless and until the ACF file gets reloaded.
>>
>> Optionally, IP addresses may be added instead of, or in addition to,
>> host names in the ACF file.
>>
>> This feature can be enabled before iocInit with
>>
>>     var("asCheckClientIP",1)
>>
>> or with the VxWorks target shell use
>>
>>     asCheckClientIP = 1
> At one point we talked about making that the default but I’m not sure if
> we’ve done that yet.
> 
> Note that I’m not trying to dissuade you or him from taking part at all,
> just trying to avoid anyone wasting time reinventing the wheel.

Thanks, I wasn't aware of that change. The development I talked about
differs from the above by extending the syntax of the CA security file
with "IP address groups" independently from the host access group,
instead of overloading the existing HAG. IMHO the additions we proposed
and implemented back then are superior. They were presented more than a
year ago, though I can't remember the details, whether it was an
a launchpad or github or in some other form (email?).

Regardless of that, the existing feature is useless to us because our
soft IOCs actually /do/ fake their host name. This was deliberately done
(using unshare -u) so we can use a generic user name and yet allow
servers to distinguish them for CA security. This is very simple to
implement and lets us treat soft and hard IOCs in exactly the same way.
It makes administration of the machines that host IOCs (and their NFS
servers) a lot simpler. For instance, developers can add new IOCs
without having to request addition of a new user from admins, we can
easily move IOCs between machines etc etc. Having "IP address groups" in
addition to HAGs would be a nice addition to make our CA security more
robust.

I have talked about this on core-talk or tech-talk before. Of course
everyone is free to do this as they please but I would be glad if we
could continue to do things in this way and not be hampered by a
mandatory DNS check. So, please keep the default as it is.

(I hope it is not inappropriate that I cc'ed tech-talk.)

Cheers
Ben
-- 
I would rather have questions that cannot be answered, than answers that
cannot be questioned.  -- Richard Feynman
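The asCheckClientIP behaviour from the release note quoted above, and the soft-IOC situation Ben describes, as an added illustrative model in Python. This is not EPICS Base code: the ACF is reduced to a HAG-name-to-member mapping, and the host names, addresses and the fake DNS table are constructed for the example.

```python
"""Model of the asCheckClientIP check from the quoted release note. Added
example, not EPICS code: ACF = {HAG name: [host names / IP literals]}."""
import ipaddress
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]     # hostname -> IP, or None

def load_hag(entries: Dict[str, List[str]], resolve: Resolver) -> Dict[str, dict]:
    """Resolve each HAG member once, at 'ACF load time'; unresolvable names
    stay out of the IP set and later DNS changes need an ACF reload."""
    hags = {}
    for name, members in entries.items():
        names, ips = set(), set()
        for m in members:
            try:                              # IP literal: no lookup needed
                ips.add(str(ipaddress.ip_address(m)))
                continue
            except ValueError:
                pass
            names.add(m)
            addr = resolve(m)
            if addr is not None:
                ips.add(addr)
        hags[name] = {"names": names, "ips": ips}
    return hags

def host_permitted(hag: dict, claimed_host: str, client_ip: str,
                   check_ip: bool) -> bool:
    """asCheckClientIP=0: trust the host name the CA client sent.
    asCheckClientIP=1: compare the client's real IP with the resolved set."""
    if check_ip:
        return client_ip in hag["ips"]
    return claimed_host in hag["names"]

# Constructed data: a 'DNS' dict and an ACF with a console group plus two
# soft IOCs whose faked host names (unshare -u, as in the mail) are not in DNS.
FAKE_DNS = {"ops-console": "10.0.0.20"}
ACF = {"ops": ["ops-console", "10.0.0.30"], "ioca": ["ioc-a"], "iocb": ["ioc-b"]}
HAGS = load_hag(ACF, FAKE_DNS.get)

def outcomes(check_ip: bool) -> Dict[str, bool]:
    """Access decisions under one asCheckClientIP setting: 10.0.0.99 claiming
    to be ops-console, the console by IP literal, soft IOCs on shared 10.0.0.50."""
    ops, ioca = HAGS["ops"], HAGS["ioca"]
    return {
        "spoofed_console": host_permitted(ops, "ops-console", "10.0.0.99", check_ip),
        "console_by_ip": host_permitted(ops, "any", "10.0.0.30", check_ip),
        "ioc_a": host_permitted(ioca, "ioc-a", "10.0.0.50", check_ip),
        "ioc_b_as_a": host_permitted(ioca, "ioc-b", "10.0.0.50", check_ip),
    }
```

With the check off, the spoofed console is accepted and the two soft IOCs are told apart by name; with it on, the spoof is rejected but the unresolvable soft-IOC names can never match, which is the trade-off the thread is about.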



