Bugzilla – Bug 6789
disable reverse DNS lookup of server hostname in MyProxy clients
Last modified: 2011-04-22 15:25:08
Daniel Kouril raises the issue that the MyProxy C clients do a reverse DNS lookup on the myproxy-server hostname. This method was standardized for GSI clients in Bug 318. As discussed in Bug 1753, it enables DNS spoofing attacks. Bug 6331 adds a GLOBUS_GSSAPI_NAME_COMPATIBILITY environment variable to control this behavior. The MyProxy clients (both C and Java) need to be updated to respect this new environment variable. We should open a separate bug for the jglobus MyProxy client. Daniel contributes the following patch which shows where the change needs to be made. However, to retain backward compatibility and compatibility across GSI clients, we need to set the behavior according to GLOBUS_GSSAPI_NAME_COMPATIBILITY. --- myproxy.c.orig 2009-07-01 17:49:22.000000000 +0200 +++ myproxy.c 2009-07-01 18:11:30.000000000 +0200 @@ -631,15 +631,9 @@ accepted_peer_names[0] = strdup(server_dn); } else { char *fqhn, *buf; - fqhn = GSI_SOCKET_get_peer_hostname(attrs->gsi_socket); - if (!fqhn) { - GSI_SOCKET_get_error_string(attrs->gsi_socket, error_string, - sizeof(error_string)); - verror_put_string("Error getting name of remote party: %s\n", - error_string); - return_value = 1; - goto error; - } + fqhn = attrs->pshost; + /* XXX probably some form of DNS canonization would be desired */ + buf = malloc(strlen(fqhn)+strlen("myproxy@")+1); sprintf(buf, "myproxy@%s", fqhn); accepted_peer_names[0] = buf;
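Review bot: the `+ fqhn = attrs->pshost;` line replaces the reverse lookup unconditionally, but the comment above the patch says the behaviour has to be selected by GLOBUS_GSSAPI_NAME_COMPATIBILITY, so the removed GSI_SOCKET_get_peer_hostname block (with its error handling, `return_value = 1; goto error;`) should remain as the non-strict branch and the user-supplied host should only be used when the variable selects the strict mode. The `XXX` comment is right that the typed host is used verbatim: a short name or alias will not match the name in the server's certificate unless it is canonicalized the same way the server's name was. The `buf = malloc(...)` line is followed by `sprintf` with no NULL check, so an allocation failure becomes a write through a null pointer.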
MyProxy v5.4 released today supports disabling reverse DNS lookup of server hostname in MyProxy clients by setting the environment variable GLOBUS_GSSAPI_NAME_COMPATIBILITY to STRICT_RFC2818, though the default behavior is still to do the reverse DNS lookup. We should make STRICT_RFC2818 the default in a future release, so I'm leaving this bug open for now.
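As an added illustration of the two behaviours described in this bug (this is not MyProxy code; the `expected_peer_name` function, the `reverse_lookup_fn` hook standing in for the client's reverse lookup, and the sample host and address are assumptions constructed for the example), the function below builds the `myproxy@<host>` peer name either from the hostname the user typed (when GLOBUS_GSSAPI_NAME_COMPATIBILITY is STRICT_RFC2818) or from a reverse-DNS answer (the legacy default). A constructed resolver returning a spoofed PTR name shows why the legacy path is the one that matters to a defender: the name the client ends up trusting is whatever the PTR record says.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Variable and value as named in the bug: STRICT_RFC2818 disables the
 * reverse lookup; anything else (or unset) keeps the legacy behaviour. */
#define COMPAT_ENV    "GLOBUS_GSSAPI_NAME_COMPATIBILITY"
#define COMPAT_STRICT "STRICT_RFC2818"

/* Hypothetical resolver hook standing in for the client's reverse lookup
 * (GSI_SOCKET_get_peer_hostname in the patch). Returns NULL on failure. */
typedef const char *(*reverse_lookup_fn)(const char *peer_ip);

/* Build the expected GSSAPI peer name "myproxy@<host>".
 * Returns a malloc'd string the caller frees, or NULL on failure. */
char *expected_peer_name(const char *typed_host, const char *peer_ip,
                         const char *compat_mode, reverse_lookup_fn rdns)
{
    const char *host;
    size_t len;
    char *buf;

    if (compat_mode && strcmp(compat_mode, COMPAT_STRICT) == 0) {
        /* strict mode: bind to the name the user asked for */
        host = typed_host;
    } else {
        /* legacy mode: bind to whatever the reverse lookup returns */
        host = rdns ? rdns(peer_ip) : NULL;
        if (!host)
            return NULL; /* fail closed, as the removed code did */
    }
    len = strlen("myproxy@") + strlen(host) + 1;
    buf = malloc(len);
    if (!buf)
        return NULL;
    snprintf(buf, len, "myproxy@%s", host);
    return buf;
}

/* Constructed resolver: a PTR record for 192.0.2.10 that has been spoofed
 * to point at a name the server operator does not control. */
static const char *spoofed_rdns(const char *peer_ip)
{
    if (strcmp(peer_ip, "192.0.2.10") == 0)
        return "spoofed.example.net";
    return NULL;
}

/* 1 if strict mode keeps the typed server name despite the spoofed PTR */
int strict_mode_pins_typed_name(void)
{
    char *n = expected_peer_name("myproxy.example.org", "192.0.2.10",
                                 COMPAT_STRICT, spoofed_rdns);
    int ok = n && strcmp(n, "myproxy@myproxy.example.org") == 0;
    free(n);
    return ok;
}

/* 1 if legacy mode follows the spoofed PTR name instead */
int legacy_mode_follows_rdns(void)
{
    char *n = expected_peer_name("myproxy.example.org", "192.0.2.10",
                                 NULL, spoofed_rdns);
    int ok = n && strcmp(n, "myproxy@spoofed.example.net") == 0;
    free(n);
    return ok;
}

int main(void)
{
    const char *mode = getenv(COMPAT_ENV);
    char *n = expected_peer_name("myproxy.example.org", "192.0.2.10",
                                 mode, spoofed_rdns);
    printf("%s: client would expect %s\n", mode ? mode : "(unset)",
           n ? n : "(lookup failed)");
    free(n);
    return 0;
}
```

Run it once with the variable unset and once with `GLOBUS_GSSAPI_NAME_COMPATIBILITY=STRICT_RFC2818` in the environment to see the accepted name change; the strict branch is the one a deployment should be on until the default flips, since it ties the expected certificate name to the server the user named rather than to a DNS answer.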