
Re: [Condor-users] Encrypted X.509 private key support in Condor



Hi,

Condor doesn't support encrypted private keys; instead of prompting you
for a password, condor_status should just warn you that we don't support
encrypted keys and quit.

The reason for this is the problem of distributing the passwords in a
way that's more secure than keeping unencrypted keys. The GSI
authentication method (not Windows) uses limited-term proxy certificates
to solve this problem, and Condor may adopt a similar mechanism for the
SSL authentication method.

-Ian
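The exchange above boils down to one check an administrator wants to make before pointing AUTH_SSL_CLIENT_KEYFILE or AUTH_SSL_SERVER_KEYFILE at a file: is the PEM key passphrase-encrypted (Condor will fail with "Error loading private key from file", as in the collector log), and if it is not, is it readable by anyone other than the owner. The script below is an added example written for this page, not Condor code and not something either poster ran. It relies only on how OpenSSL marks encrypted PEM keys (a "Proc-Type: 4,ENCRYPTED" / "DEK-Info:" header pair for legacy keys, or a "BEGIN ENCRYPTED PRIVATE KEY" label for PKCS#8) and on the POSIX mode bits; the embedded PEM samples are constructed placeholders whose base64 is not a real key, and the file names are borrowed from the log in the thread.

```python
"""Audit a PEM private key for use as a Condor SSL key file.

Added example for this thread (not Condor's code).  Condor opens the
AUTH_SSL_*_KEYFILE with no passphrase, so an encrypted key cannot be
loaded; an unencrypted key must then be protected by file permissions.
Standard library only.  The PEM samples below are constructed
placeholders, not real keys.
"""
import os
import re
import stat
import sys

# Legacy OpenSSL PEM encryption is announced by encapsulated header lines
# that sit between the BEGIN line and the base64 body.
_PROC_TYPE = re.compile(r"^Proc-Type:\s*4,ENCRYPTED\s*$", re.M)
_DEK_INFO = re.compile(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)\s*$", re.M)
_BEGIN = re.compile(r"^-----BEGIN ([A-Z ]+?)-----\s*$", re.M)


def classify_pem(pem_text):
    """Return (kind, cipher) for the first PEM block in pem_text.

    kind: 'unencrypted', 'encrypted-legacy' (RSA/DSA/EC PRIVATE KEY with
    Proc-Type/DEK-Info), 'encrypted-pkcs8' (ENCRYPTED PRIVATE KEY), or
    'not-a-private-key' (certificate, CSR, or no PEM block at all).
    cipher: the legacy DEK-Info cipher name, e.g. DES-EDE3-CBC, else None.
    """
    m = _BEGIN.search(pem_text)
    if m is None:
        return ("not-a-private-key", None)
    label = m.group(1)
    if label == "ENCRYPTED PRIVATE KEY":
        return ("encrypted-pkcs8", None)
    if not label.endswith("PRIVATE KEY"):
        return ("not-a-private-key", None)
    # Inspect only this block's headers, not anything that follows it.
    end = pem_text.find("-----END", m.end())
    block = pem_text[m.end():end] if end != -1 else pem_text[m.end():]
    if _PROC_TYPE.search(block):
        dek = _DEK_INFO.search(block)
        return ("encrypted-legacy", dek.group(1) if dek else "unknown")
    return ("unencrypted", None)


def audit_key(pem_text, mode):
    """Return a list of problems for a key file with these contents and
    POSIX permission bits (as returned in os.stat(...).st_mode).

    An empty list means Condor can load the key and only the owner can
    read it.
    """
    problems = []
    kind, cipher = classify_pem(pem_text)
    if kind == "encrypted-legacy":
        problems.append("key is passphrase-encrypted (%s); Condor cannot load it"
                        % cipher)
    elif kind == "encrypted-pkcs8":
        problems.append("key is PKCS#8 passphrase-encrypted; Condor cannot load it")
    elif kind == "not-a-private-key":
        problems.append("file does not contain a PEM private key")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("key file is group/world accessible (mode %o); "
                        "chmod 600 it" % stat.S_IMODE(mode))
    return problems


def check_keyfile(path):
    """Audit a key file on disk: contents plus permission bits."""
    with open(path) as f:
        text = f.read()
    return audit_key(text, os.stat(path).st_mode)


# Constructed placeholders for the demo; the base64 is not key material.
SAMPLE_3DES = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""
SAMPLE_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
"""
SAMPLE_PKCS8 = """-----BEGIN ENCRYPTED PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END ENCRYPTED PRIVATE KEY-----
"""
SAMPLE_CERT = """-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:          # real files: python keyaudit.py /etc/apache2/ssl/*.key
        for path in sys.argv[1:]:
            for line in check_keyfile(path) or ["ok"]:
                print("%s: %s" % (path, line))
    else:                          # offline demo on the constructed samples
        for name, text in (("server_3des.key", SAMPLE_3DES), ("server.key", SAMPLE_PLAIN)):
            print(name, audit_key(text, 0o100644) or ["ok"])
```

Run it with no arguments for the offline demo, or pass key paths to audit real files. If it reports an encrypted key, the usual way to produce the unencrypted copy Ian's reply implies is `openssl rsa -in server_3des.key -out server.key` (it prompts for the passphrase once), followed by `chmod 600 server.key`; the script only inspects PEM structure and does not validate the key itself, which `openssl rsa -in server.key -check -noout` does.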

On Wed, Aug 29, 2007 at 04:10:35PM +0200, Antonio Garcia Dominguez wrote:
> Hello everyone,
> 
> I've been trying out SSL authentication/encryption/integrity, and after some work I've got it to work just fine across my 2-node Windows+Linux pool (Linux master, Windows submit/execute node).
> 
> However, I haven't been able to use encrypted private keys: when I've tried to use them by setting AUTH_SSL_CLIENT_KEYFILE and AUTH_SSL_SERVER_KEYFILE, and then tried running condor_status, I have indeed been asked the PEM password, but if I later look at the collector log, I get this:
> 
> 8/18 00:52:19 DC_AUTHENTICATE: received DC_AUTHENTICATE from <192.168.158.128:40138>
> 8/18 00:52:19 DC_AUTHENTICATE: generating 3DES key for session cmaster:4933:1187391139:35...
> 8/18 00:52:19 SECMAN: new session, doing initial authentication.
> 8/18 00:52:19 HANDSHAKE: in handshake(my_methods = 'SSL,FS')
> 8/18 00:52:19 HANDSHAKE: handshake() - i am the server
> 8/18 00:52:19 HANDSHAKE: client sent (methods == 260)
> 8/18 00:52:19 HANDSHAKE: i picked (method == 256)
> 8/18 00:52:19 HANDSHAKE: client received (method == 256)
> 8/18 00:52:19 CAFILE:     '/etc/ssl/certs/demoCA.pem'
> 8/18 00:52:19 CERTFILE:   '/etc/apache2/ssl/server.crt'
> 8/18 00:52:19 KEYFILE:    '/etc/apache2/ssl/server_3des.key'
> 8/18 00:52:19 CIPHERLIST: 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'
> 8/18 00:52:19 Error loading private key from file
> 8/18 00:52:19 Error initializing server security context
> 8/18 00:52:19 Error creating SSL context
> 8/18 00:52:21 SSL Authentication fails, terminating
> 8/18 00:52:21 AUTHENTICATE: method 256 (SSL) failed.
> 
> So far as I can see, Condor is somehow not able to read the encrypted private key. In fact, if I switch to an unencrypted one, it works just fine. I don't much like the idea of having unencrypted files around: although I could restrict read permissions, the data would still be in the open in the case of a security breach.
> 
> Has anyone had any success with this? I've tried using 3DES- and DES-encrypted RSA private keys. I'd be very happy to provide more information if necessary.
> 
> On a related note: is there any other way to provide Condor with the PEM password than piping it into the condor_* command-line tools' stdin? I'd like to let programs send jobs and the like, offering a sort of password dialog.
> 
> Thank you in advance,
> Antonio Garcia
> 
> _______________________________________________
> Condor-users mailing list
> To unsubscribe, send a message to condor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/condor-users
> 
> The archives can be found at: 
> https://lists.cs.wisc.edu/archive/condor-users/