
Re: [HTCondor-users] SciTokens auth failing via private network



It looks like there is a bug when using SSL authentication and the PRIVATE_NETWORK_NAME configuration parameter. As a result, the client doesn't have the daemon's hostname at the time it wants to verify the SSL host certificate.
We have a proposed fix, which we plan to include in future releases:

https://opensciencegrid.atlassian.net/browse/HTCONDOR-1713

 - Jaime

On Apr 11, 2023, at 12:48 PM, Maarten Litmaath <Maarten.Litmaath@xxxxxxx> wrote:

Hi all,
there is a grid site with a CE that works with SciTokens via the internet,
but fails when probed from a local client host via a private network,
while that same host can probe remote CEs OK with SciTokens.
It also can submit jobs to the CE using GSI.

The remarkable observation is that SciTokens first appears to work OK,
as the correct user mapping is determined, but then it finally fails on
another (?) certificate check:

$ _condor_TOOL_DEBUG=D_SECURITY:2 \
 _condor_SEC_CLIENT_AUTHENTICATION_METHODS=SCITOKENS \
  BEARER_TOKEN_FILE=the-token-file condor_ping -debug \
  -pool the-CE:9619 -name the_CE -type schedd write

[...]
04/11/23 18:04:32 SECMAN: received post-auth classad:
ReturnCode = "AUTHORIZED"
[...]
[...]
04/11/23 18:04:32 SECMAN: policy to be cached:
AuthMethods = "SCITOKENS"
[...]
[...]
04/11/23 18:04:32 SECMAN: new session, doing initial authentication.
04/11/23 18:04:32 SECMAN: authenticating RIGHT NOW.
04/11/23 18:04:32 SECMAN: AuthMethodsList: SCITOKENS
04/11/23 18:04:32 SECMAN: Auth methods: SCITOKENS
[...]
04/11/23 18:04:32 SSL Auth: post_connection_check.
04/11/23 18:04:32 SSL_get_peer_certificate returned data.
04/11/23 18:04:32 No SSL host name specified.
04/11/23 18:04:32 SSL Auth: Error on check of peer certificate
04/11/23 18:04:32 SSL Auth: application verification failure
04/11/23 18:04:32 Client performs one last exchange of messages.
04/11/23 18:04:32 SSL Auth: SSL Authentication failed
04/11/23 18:04:32 SSL Auth: Receive message.
04/11/23 18:04:32 Received message (4).
04/11/23 18:04:32 Send message (3).
04/11/23 18:04:32 AUTHENTICATE: method 4096 (SCITOKENS) failed.
[...]

What might be done about this matter?
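The step that fails in the log above is the post-connection host-name check: the client has the daemon's certificate but, as Jaime's reply explains, no expected hostname to compare it against, so the check refuses rather than silently passing. The following is an added example, not HTCondor's code, showing what such a check does: match the expected name against the certificate's DNS and IP subjectAltName entries (with RFC 6125 wildcard rules and a CN fallback for legacy certificates), and fail closed when no name is known. The certificate dict, in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and all host names and addresses in it are constructed for the example.

```python
"""Post-connection host-name check of the kind performed after an SSL
handshake.  Added example; not HTCondor code.  PEER_CERT is a constructed
dict in the shape returned by ssl.SSLSocket.getpeercert(); every name and
address in it is made up."""
import ipaddress


class HostnameMismatch(Exception):
    """Raised when the peer certificate does not cover the expected host."""


# Constructed sample: a CE host certificate with one public name, one
# wildcard for a private network, and the CE's private IP address.
PEER_CERT = {
    "subject": ((("commonName", "ce01.example.org"),),),
    "subjectAltName": (
        ("DNS", "ce01.example.org"),
        ("DNS", "*.internal.example.org"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _dns_name_match(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored,
    '*' allowed only as the entire left-most label, never for xn-- labels."""
    pat = pattern.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if not pat.startswith("*."):
        return pat == host
    suffix = pat[1:]                      # e.g. ".internal.example.org"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]           # what the '*' would stand for
    return bool(left) and "." not in left and not left.startswith("xn--")


def check_peer_cert(cert, expected_host):
    """Return the certificate name that matched expected_host, or raise
    HostnameMismatch.  An empty/None expected_host is an error, not a pass:
    this is the fail-closed behaviour behind 'No SSL host name specified'."""
    if not expected_host:
        raise HostnameMismatch("No SSL host name specified")

    san = cert.get("subjectAltName", ())

    # If the caller connected by IP address, only an IP SAN may satisfy it.
    try:
        wanted_ip = ipaddress.ip_address(expected_host)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        for kind, value in san:
            if kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip:
                return value
        raise HostnameMismatch(f"IP {expected_host} not in subjectAltName")

    dns_names = [value for kind, value in san if kind == "DNS"]
    if not dns_names:
        # Legacy certificates without DNS SANs: fall back to the subject CN.
        dns_names = [value for rdn in cert.get("subject", ())
                     for kind, value in rdn if kind == "commonName"]
    for name in dns_names:
        if _dns_name_match(name, expected_host):
            return name
    raise HostnameMismatch(
        f"host name {expected_host!r} matches none of {dns_names}")


def verify_or_explain(cert, expected_host):
    """Convenience wrapper: (True, matched_name) or (False, reason)."""
    try:
        return True, check_peer_cert(cert, expected_host)
    except HostnameMismatch as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Public route, private route by address, and the broken case from the
    # log: the client knows no host name at all.
    for host in ("ce01.example.org", "192.0.2.10",
                 "worker7.internal.example.org", None):
        print(host, "->", verify_or_explain(PEER_CERT, host))
```

The point of the last case is that a missing expected name must be reported as a verification failure, exactly as the client in the log does; the fix belongs in the code that supplies the daemon's hostname, not in the check itself.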

_______________________________________________
HTCondor-users mailing list
The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/