Bug #7589

Bug #7705: Overhauling authorization system internals and interface

auth.conf and FQDNs ending in a dot

Added by John Morton about 1 year ago. Updated 4 months ago.

Status: Needs More Information
Start date: 05/19/2011
Priority: Normal
Due date:
Assignee: John Morton
% Done: 0%
Category: -
Target version: 2.7.x
Affected Puppet version:
Branch:
Keywords:
Votes: 0

Description

I like to use fully qualified domain names that include a trailing dot to avoid search domain spoofing. This pretty much works everywhere, except using the default auth.conf stanza for catalog access:

path ~ ^/catalog/([^/]+)$
method find
allow $1

The problem isn’t the regexp — that works a treat — it appears to be in the code that executes the allow statement. In spite of the output logs displaying the FQDN with a dot, somewhere in the processing the dot is stripped, and so access is denied, e.g.:

Denying access: Forbidden request: hawea.bluewaternz.com.(192.168.2.51) access to /catalog/hawea.bluewaternz.com. [find] authenticated  at line 52

I’ve worked around the problem with this hack that allows both domain names, but it’s a bit of a hack:

path ~ ^/catalog/(([^/]+?)\.?)$
method find
allow $1, $2

More details on the dot:

http://dns-sd.org./TrailingDotsInDomainNames.html
http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/web-fully-qualified-domain-name.html
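The following is an added example, not code from this report or from Puppet itself. It is a toy model of an auth.conf path rule with an "allow $N" list, written to show two things the description only states: why the default stanza denies a certname with a trailing dot once one side of the comparison has lost that dot, and why the workaround regexp's second capture ($2) admits the stripped form as well. The rule structure, the function names and the canonicalising comparison (drop one trailing dot, lower-case) are assumptions made for illustration; the sample path and hostname are taken from the report's log line.

```ruby
# Added example (not Puppet's code): a toy auth.conf-style matcher.
# A rule is a path regexp plus an allow list whose "$N" entries refer
# to capture groups of the path match, as in the auth.conf stanzas above.
Rule = Struct.new(:path_re, :allow)

# The default catalog stanza from the report: allow $1.
DEFAULT_RULE    = Rule.new(%r{^/catalog/([^/]+)$}, ['$1'])
# The reporter's workaround: lazy capture plus optional trailing dot, allow $1, $2.
WORKAROUND_RULE = Rule.new(%r{^/catalog/(([^/]+?)\.?)$}, ['$1', '$2'])

# Expand "$N" references in the allow list from the captures of the path match.
# Returns nil when the path does not match the rule at all.
def expand_allow(rule, path)
  m = rule.path_re.match(path)
  return nil unless m
  rule.allow.map { |entry| entry =~ /\A\$(\d+)\z/ ? m[$1.to_i] : entry }
end

# Naive check: exact string equality between the client's name and the
# expanded allow list. This is the behaviour the report observes: if the
# client name has lost its trailing dot somewhere, "hawea.bluewaternz.com"
# never equals the captured "hawea.bluewaternz.com." and access is denied.
def allowed?(rule, path, client_name)
  names = expand_allow(rule, path)
  return false if names.nil?
  names.include?(client_name)
end

# Assumed hardened check: canonicalise both sides before comparing, so an
# absolute FQDN ("host.example.com.") and its relative spelling agree.
# Only a single trailing dot is removed; no other characters are touched.
def canonical(name)
  name.downcase.chomp('.')
end

def allowed_canonical?(rule, path, client_name)
  names = expand_allow(rule, path)
  return false if names.nil?
  names.any? { |n| canonical(n) == canonical(client_name) }
end

if __FILE__ == $PROGRAM_NAME
  path = '/catalog/hawea.bluewaternz.com.'   # request path from the report
  [['hawea.bluewaternz.com.', 'dot kept'], ['hawea.bluewaternz.com', 'dot stripped']].each do |name, label|
    puts "#{label}: default=#{allowed?(DEFAULT_RULE, path, name)} " \
         "workaround=#{allowed?(WORKAROUND_RULE, path, name)} " \
         "canonical=#{allowed_canonical?(DEFAULT_RULE, path, name)}"
  end
end
```

Run stand-alone, the script prints one line per client-name spelling; the default rule only admits the exact captured string, the workaround admits both spellings because $2 is the capture without the dot, and the canonicalising comparison makes the default stanza sufficient. Whatever the real fix looks like, the comparison has to canonicalise both sides the same way, and only the trailing dot: stripping anything else would widen what `allow $1` matches.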

History

Updated by John Morton about 1 year ago

  • Target version set to 2.6.x

Updated by Daniel Pittman about 1 year ago

  • Status changed from Unreviewed to Needs Decision
  • Assignee set to Nigel Kersten

Nigel, I have not tried to reproduce this myself, but we should absolutely support that format. The reasoning, and behaviour, are absolutely best practice, even if not too widely seen.

Updated by Nigel Kersten about 1 year ago

  • Status changed from Needs Decision to Accepted
  • Assignee deleted (Nigel Kersten)

Totally. I burnt myself enough times as a junior sysadmin forgetting the trailing dot in zone files to not care :)

Updated by Nigel Kersten 11 months ago

  • Target version changed from 2.6.x to 2.7.x

We’re pushing 2.6.x to a state where only critical issues are targeted at it to close off that branch.

I want to see this in 2.7.x though.

Updated by James Turnbull 7 months ago

  • Status changed from Accepted to Needs More Information
  • Assignee set to John Morton

John – what is the affected version of this?

Updated by John Morton 7 months ago

I can confirm this is still a problem in 2.7.5 running on Ubuntu lucid.

Updated by Daniel Sauble 4 months ago

  • Parent task set to #7705
