Networker

Re: [Networker] 7.1.3 client DNS checks and multihomed clients

2005-08-21 21:51:13
Subject: Re: [Networker] 7.1.3 client DNS checks and multihomed clients
From: Tim Mooney <mooney AT DOGBERT.CC.NDSU.NODAK DOT EDU>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Sun, 21 Aug 2005 20:47:21 -0500
In regard to: Re: [Networker] 7.1.3 client DNS checks and multihomed...:

Contact Legato about this "feature".  They claim it is by design, and
for "security".  All clients after 7.1.1 (7.1.2+) do their own hostname
mangling after a gethostname() call is returned.  They take the short
name of the machine, and attempt to use that as the authentication name
for finding which client the server is associated with.

Wow, so it's even worse than I suspected.  It has nothing to do with the
fact that we're using a secondary network for backups or that we use mixed
case in our DNS domain name.

Thank you so much for your reply!  Although I'm furious with Legato right
now, it's at least nice to know that someone else has seen the same thing.

I'm appalled at the thinking that went into this misfeature, and I'll
be communicating that to Legato this week.

I had proposed our own workaround which will work 100% of the time and
with any version of the client. It would use a custom library to
override the gethostname() function to return a custom value when
starting NetWorker with the library in the LD_PRELOAD environmental
variable.  This allowed us to create a file in /etc and change the name
that NetWorker sees on the fly.

That's borderline brilliant!  I may go that route while I'm (almost
certainly) fighting with Legato for the next two weeks to a month.
Thanks for the great suggestion -- I hadn't thought of that.  If there's
a cheap way to hash the fully qualified hostname (which I could get
from uname(2)), I might be able to get away without even needing a file
in /etc, e.g. taking the unique hostname like

        imap1.ndsu.NoDak.edu

and running it through an md5sum or something similar, to generate a
hash, which would be what would need to be in the "Aliases" list for
the client.

We have openssl installed on the vast majority of our boxes, maybe
I'll take a look at how easy it is to hash a string using some of
the routines in libssl.

Legato however was unreceptive to this workaround and refused to support
our environments if this was used, and is now coding modified versions
of save and probably savefs for us to revert back to the old
authentication ritual.

Which is great, but I'm sure that the binaries they give you won't have
the security fixes in them.

Have fun banging your head against the wall while communicating the
problem to them, it took us about 2 weeks for them to figure out the
workaround I proposed, and I still don't think they fully get it.
Having to code custom client binaries for every version we want to run,
and then to have to test/qa/and support them just doesn't make sense to
me.

My recommendation would be to run 7.1.1 on your clients, if you can, and
pray to the gods of backup that they get everything fixed by the time
8.x comes out and the 7.x series gets EOL'd.

If there were a 7.1.1 version that had the security fix in it, I would
consider it, but since there isn't I could just as well go back to 6.1.4
(which is what I'm going to have to do in the interim, and look at some
host-based firewalls to ward against the security issues.)

Have fun!

Jason

PS.  Let me know if you want the code to override the gethostname()
function anyway.  It's extremely simple, and probably ridden with bugs, but
it gets the job done.

I do want the code, bugs and all!  It will probably save me a whole bunch
of time down the road.

Thanks again for your response, it was extremely helpful!

Tim
--
Tim Mooney                              mooney AT dogbert.cc.ndsu.NoDak DOT edu
Information Technology Services         (701) 231-1076 (Voice)
Room 242-J6, IACC Building              (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
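The LD_PRELOAD workaround Jason describes, written out as an added example (this is not Jason's code and was not posted in the thread): a shim that interposes gethostname(), returns the name found in a file under /etc, and otherwise falls back to the uname(2) nodename. The path /etc/networker-hostname, the ownership and permission checks on that file, and the hostname character rules are assumptions made here, not NetWorker's own.

```c
/* LD_PRELOAD shim that interposes gethostname(2). Build: cc -shared -fPIC
 * -o gethostname_shim.so gethostname_shim.c; run: LD_PRELOAD=/path/shim.so save ... */
#define _GNU_SOURCE
#undef _FORTIFY_SOURCE   /* glibc's fortify wrapper would clash with our definition */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/utsname.h>
#include <unistd.h>
#define OVERRIDE_FILE "/etc/networker-hostname" /* assumed path, not NetWorker's own */

/* Hostname characters only, so a bad file cannot feed odd bytes into the server-side client lookup. */
int valid_hostname(const char *s)
{
    if (!*s || strlen(s) > 255 || *s == '-' || *s == '.') return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '-' && *s != '.') return 0;
    return 1;
}

/* First line of path into out; rejects non-regular, world-writable or foreign-owned files. 1 = ok. */
int load_override(const char *path, char *out, size_t outlen)
{
    struct stat st; FILE *fp = fopen(path, "r");
    if (!fp) return 0;
    int ok = fstat(fileno(fp), &st) == 0 && S_ISREG(st.st_mode)
          && !(st.st_mode & S_IWOTH)                    /* nobody else may edit it */
          && (st.st_uid == 0 || st.st_uid == geteuid())  /* root or the caller owns it */
          && fgets(out, (int)outlen, fp) != NULL;
    fclose(fp);
    if (!ok) return 0;
    out[strcspn(out, "\r\n")] = '\0';   /* drop the line ending */
    return valid_hostname(out);
}

/* Replaces libc's gethostname(): configured name if present, else the kernel nodename (what libc uses). */
int gethostname(char *name, size_t len)
{
    char buf[256]; const char *h = buf;
    struct utsname u;
    if (!load_override(OVERRIDE_FILE, buf, sizeof buf)) {
        if (uname(&u) < 0) return -1;   /* no recursion into gethostname() */
        h = u.nodename;
    }
    if (strlen(h) >= len) { errno = ENAMETOOLONG; return -1; }
    strcpy(name, h);
    return 0;
}
```

The dynamic loader ignores LD_PRELOAD for setuid binaries, so the shim only works for clients started from a normal environment. Whoever can write the override file chooses the name the server sees, which is why the file's ownership and mode are checked before its contents are trusted.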

To sign off this list, send email to listserv AT listserv.temple DOT edu and type
"signoff networker" in the body of the email. Please write to
networker-request AT listserv.temple DOT edu if you have any problems
with this list. You can access the archives at
http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER