
Re: [HTCondor-users] mixing versions and authentication issues



Hi Rita,

Ah - thanks for the note about one component running 8.x.  I understand what you're doing now.

You're probably hitting an issue with the handshaking between old and new versions - particularly, the new side is trying to use a modern crypto method (AES-GCM) while the other side doesn't understand it.  Try setting:

SEC_DEFAULT_CRYPTO_METHODS=BLOWFISH,3DES

Those should be supported on both sides.

Brian

> On Jun 23, 2023, at 10:21 AM, Rita <rmorgan466@xxxxxxxxx> wrote:
> 
> The scheduler log I see, 
> Condor_Crypy_AESGCM::decrypt: ERROR: input was too small
> IO: Failed to unwrap the packet
> Response problem from startd when requesting claim ....
> 
> 
> On Fri, Jun 23, 2023 at 11:19 AM Rita <rmorgan466@xxxxxxxxx> wrote:
> Thanks for your responses. I got the instructions from here: https://wasteofserver.com/htcondor-install-and-configure-as-non-root/
> 
> I can't use ID tokens because my Central server is running 8.x  and I don't think I can upgrade that now as we have many users and jobs. I am setting up a new execute node, which is 10.x. 
> 
> I added AUTH_SSL_SERVER_{CAFILE,CERTFILE,KEYFILE} in both server (collector) and client (new server, running 10.x)
> I enabled debugging.  Seems that works...
> 
> Now, however when I condor_submit  and in my requirement file I have a requirement for the new host.
> 
> 
> 
> 
> 
> On Fri, Jun 23, 2023 at 9:31 AM Bockelman, Brian <BBockelman@xxxxxxxxxxxxx> wrote:
> Hi Rita, 
> 
> A few thoughts:
> 
> 1.  You can increase the log level.  e.g., ALL_DEBUG=D_SECURITY:2 is where I usually start.
> 2.  HTCondor sets the server and client settings separately.  You probably need an AUTH_SSL_SERVER_* equivalent to the client settings below.
> 3.  Your "openssl req" command looks valid for a self-signed certificate but it's not clear if you're setting the CA bits as well.  I'm unsure if this will cause errors (never tried that approach personally).
> 4.  Once the certificate *authenticates*, you may need to map it to an identity (such as "condor@xxxxxxxxxxxx") and adjust ALLOW_* settings.
> 
> The setup can certainly be made to work -- but some of the other techniques (particularly, IDTOKENS) might be simpler to setup if that's a concern of yours.
> 
> Brian
> 
>> On Jun 23, 2023, at 7:50 AM, Rita <rmorgan466@xxxxxxxxx> wrote:
>> 
>> I will go with 10.x. I will use SSL authentication.
>> I generate my certs/keys like this.
>> 
>> openssl req -x509 -newkey rsa:1024 -sha256 -days 365 -nodes -keyout node.key -out node.crt -subj '/CN=condor pool'
>> 
>> I then copy the node.key and node.crt to all my nodes. I then put 
>> 
>> AUTH_SSL_CLIENT_CAFILE = /usr/local/condor/node.crt
>> AUTH_SSL_CLIENT_CERTFILE = /usr/local/condor/node.crt
>> AUTH_SSL_CLIENT_KEYFILE = /usr/local/condor/node.key
>> 
>> I believe this should work.  However, I am getting 
>> Failed to authenticate using SSL. Is there a way to get more verbose messages?
>> 
>> 
>> On Mon, Apr 24, 2023 at 2:51 PM Greg Thain via HTCondor-users <htcondor-users@xxxxxxxxxxx> wrote:
>> 
>> On 4/19/2023 4:20 PM, Rita wrote:
>> > even if I run 8.8 on both collector and startd node I get this. I 
>> > dont understand.
>> >
>> 
>> Hi Rita:
>> 
>> Would it be possible to upgrade both sides to 10.x?  8.8 hasn't been 
>> supported for a while, and I don't think that it had IDTokens support.
>> 
>> -greg
>> 
>> _______________________________________________
>> HTCondor-users mailing list
>> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
>> subject: Unsubscribe
>> You can also unsubscribe by visiting
>> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
>> 
>> The archives can be found at:
>> https://lists.cs.wisc.edu/archive/htcondor-users/ 
>> 
>> -- 
>> --- Get your facts first, then you can distort them as you please.--
> 
> 
> 
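An added check for the self-signed certificate set-up discussed in this thread (one node.crt used as both the CAFILE and the CERTFILE, and Brian's question about whether the CA bits are set). This is example shell written for this page, not HTCondor's code; it assumes only the openssl CLI is installed, and the helper names check_self_signed_ca and make_test_cert are the example's own. The demo generates a throwaway pair the way the thread does, but with a 2048-bit key instead of rsa:1024.

```shell
#!/bin/sh
# Example check (not from the thread): is this self-signed certificate usable as
# BOTH the CA file and the daemon certificate for HTCondor SSL authentication?

# check_self_signed_ca CERT KEY
#   0 = CA:TRUE present, certificate verifies against itself, key matches
#   1 = one of those checks failed (reason on stderr)
#   2 = openssl CLI not available
check_self_signed_ca() {
    cert=$1; key=$2
    command -v openssl >/dev/null 2>&1 || return 2
    # The peer builds its trust chain from CAFILE; a leaf certificate without
    # the CA basic constraint is not accepted as its own issuer.
    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "$cert: basicConstraints CA:TRUE is missing" >&2
        return 1
    fi
    # Chain verification the way a peer configured with CAFILE=$cert does it.
    if ! openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1; then
        echo "$cert: does not verify against itself" >&2
        return 1
    fi
    # The private key must belong to the public key in the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$key: does not match $cert" >&2
        return 1
    fi
    return 0
}

# make_test_cert DIR: a throwaway pair generated as in the thread, but with a
# 2048-bit key (constructed test data, not a real deployment's certificate).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -keyout "$1/node.key" -out "$1/node.crt" -subj '/CN=condor pool' \
        >/dev/null 2>&1
}

# Stand-alone usage: sh check_cert.sh --demo
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    make_test_cert "$dir" && check_self_signed_ca "$dir/node.crt" "$dir/node.key" \
        && echo "OK: $dir/node.crt is usable as CAFILE and CERTFILE"
fi
```

Run it against the real node.crt and node.key before copying them to the nodes; a failure on the CA:TRUE check means the file cannot double as the CAFILE.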