
Re: [Condor-users] Mounting network resources in Windows



Matt,

Thanks for the feedback.

We are using Condor 6.8.2.  The techniques I documented in my earlier
message were because I could not do network mounts using
more-straightforward methods.

My technique is not secure from a hard-core hacker, but neither is my
network.  I know this for a fact because auditors from the DOE cracked
my password in a test attack a year ago.  They used a brute-force
technique that will crack *any* password up to 15 characters long.  The
"security" my system provides is more of a "keep honest people honest"
or "don't make it easy" kind of thing.  My Condor method is certainly
more secure than FTP and so, as long as DOE allows FTP, my stuff is not
the weak link in the chain.

As I said in my earlier message, I inspected the executable file in hex
mode and my password is in the middle of a bunch of junk and no one
would be able to pick it out without knowing exactly where to look in
the file for it.  Because each user would change the "junk" that
surrounds the password, the location of my password in my executable
would be different than it would be for someone else.

We are using Condor 6.8.2, but I couldn't find anything for mounting
network disks in the on-line manual that was actually secure except
maybe the stuff about using the "contrib module from Bristol."  The
instructions were over 170 lines long and seemed anything but easy.  I
am referring to Section 6.2.7 of the manual.  

I believe we are using the credential-passing system, but it doesn't
seem to help with network resources.  I used the condor_store_cred tool
if that's what you are talking about.  Maybe we are not using it
correctly, but if it's designed to work with network mounts, I would
appreciate it if the developers would mention how to do it in Section
6.2.7.  Why would they waste time telling people to use clear-text
passwords if there were an easy way to do it securely?  If there is a
way, I'd like to know about it.

I do not have administrative rights on my co-worker's PCs and found that
the net command did not work until I included it in the job.

Thanks again!


Marshall                            
      
Marshall L. Buhl Jr.                       
NREL/NWTC
Voice: +1 (303) 384-6914          
Fax: +1 (303) 384-6901             


-----Original Message-----
From: condor-users-bounces@xxxxxxxxxxx
[mailto:condor-users-bounces@xxxxxxxxxxx] On Behalf Of Matt Hope
Sent: Saturday, January 20, 2007 3:59 AM
To: Condor-Users Mail List
Subject: Re: [Condor-users] Mounting network resources in Windows

On 1/19/07, Buhl, Marshall <Marshall_Buhl@xxxxxxxx> wrote:
> Hi,
>
> I thought I would share a fairly simple, and reasonably secure,
> technique

Whilst not wanting to denigrate your efforts nor discourage sharing
them with the community I should point out that this security through
obscurity is not significantly more secure than passing them as
plain text and users should not kid themselves that this is the case.

To eavesdroppers this is roughly equivalent to putting a bit of
(consistent) junk in between the user/password components which you
could do in the batch file if you wanted. In fact based on how many
compiled programs operate the string literals could all be relocated
into contiguous locations thus rendering even that step pointless.

If you believe the network your farm operates on is not secure from
snooping and this is a worry then you should move to 6.8 with genuine
encryption on the credential passing which allows running as the
submitting user or comparable equivalent.

As a side note there is no need to transfer the net executable so long
as the executing condor user has rights to run the net command in the
system directory. Win2003 does not allow this by default for low
privilege users. Explicitly adding permission to the users that condor
executes as without runas behaviour is a sensible solution. If you use
runas then it is assumed that the users have the relevant permissions
if you want them to. Obviously if you are executing on machines which
are cycle stealing where you do not have admin control in the same way
then passing the executable is a solution.

Matt