Mailing List Archives Public Access	UW Madison Computer Sciences Department Computer Systems Lab

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Condor-users] How can I explicitly weaken security requirements just for condor.cs.wisc.edu ad updates?

Date: Tue, 15 Mar 2005 14:47:06 +0000
From: David McBride <dwm@xxxxxxxxxxxx>
Subject: [Condor-users] How can I explicitly weaken security requirements *just* for condor.cs.wisc.edu ad updates?

Hi,

I'm running a Condor pool with v6.7.5 with the following authentication
rules:


## Set default security requirements:
# Strong authentication and signing of messages between daemons and clients
# is required.
SEC_DEFAULT_AUTHENTICATION      = REQUIRED
SEC_DEFAULT_INTEGRITY           = REQUIRED
# Messages are not considered confidential. Encryption is optional.
SEC_DEFAULT_ENCRYPTION          = OPTIONAL
# Negotiating a secure channel is required.
SEC_DEFAULT_NEGOTIATION         = REQUIRED

## Specify what security backends may be used:
SEC_DEFAULT_AUTHENTICATION_METHODS = KERBEROS
#SEC_DEFAULT_INTEGRITY_METHODS =        # Only MD5 is available, usage assumed.
SEC_DEFAULT_ENCRYPTION_METHODS = 3DES, BLOWFISH

# Anonymous access is sufficient for read access.
SEC_CLIENT_AUTHENTICATION_METHODS = KERBEROS, ANONYMOUS
SEC_READ_AUTHENTICATION_METHODS = KERBEROS, ANONYMOUS


Seperately, I have configured the master pool controller to send
periodic updates to condor.cs.wisc.edu.  However, my
authenticate-everything-by-default security configuration is preventing
successful updates from taking place:


3/15 14:24:53 AUTH_ERROR: Client/server realm mismatch in initial ticket request
3/15 14:24:53 AUTHENTICATE: no available authentication methods succeeded, failing!
3/15 14:24:53 ERROR: SECMAN:2004:Failed to start a session with TCP|AUTHENTICATE:1003:Failed to authenticate with any method|AUTHENTICATE:1004:Failed to authenticate using KERBEROS
3/15 14:24:53 Can't send UPDATE_COLLECTOR_AD to collector (condor.cs.wisc.edu): Failed to send UDP update command to collector


I would like to weaken my security configuration to allow
unauthenticated state updates to the condor.cs.wisc.edu server, in much
the same way that I allow anonymous access _just_ for read-only
operations.

However, after reviewing the security documentation in the manual, I
can't see any obvious way of reducing the minimum security level of the
off-site connection without also affecting other purely local actions.

(I assume that the state update command being sent to the Condor master
falls under the SEC_WRITE_* class of configuration options; naturally, I
cannot simply allow anonymous authentication for all WRITE operations
without also compromising local security.)

Do you have any suggestions on how I could accomplish this?

Cheers,
David
-- 
David McBride <dwm@xxxxxxxxxxxx>
Department of Computing, Imperial College, London

Attachment: signature.asc
Description: This is a digitally signed message part

Follow-Ups:
- Re: [Condor-users] How can I explicitly weaken security requirements *just* for condor.cs.wisc.edu ad updates?
  - From: Zachary Miller

Prev by Date: [Condor-users] My jobs do not run
Next by Date: Re: [Condor-users] How can I explicitly weaken security requirements *just* for condor.cs.wisc.edu ad updates?
Previous by thread: Re: [Condor-users] My jobs do not run
Next by thread: Re: [Condor-users] How can I explicitly weaken security requirements *just* for condor.cs.wisc.edu ad updates?
Index(es):
- Date
- Thread

Mailing List Archives

Public Access

[Condor-users] How can I explicitly weaken security requirements *just* for condor.cs.wisc.edu ad updates?

[Condor-users] How can I explicitly weaken security requirements just for condor.cs.wisc.edu ad updates?