
[Condor-users] Kerberos security questions...



Hi,

I've been happily running a small pool for a while using (requiring)
Kerberos for authentication.  The pool currently consists of compute
servers and a few select workstations as proofs of concept.

The workstation demo has gone so well, we would like to expand it to
all the workstations in the lab.

Where I run into difficulty is that workstations don't get keytabs
installed by default (as we've come up with no secure automated way to
do this).  For the demo systems this wasn't an issue but it isn't
automated enough to allow us to make condor part of the default
automated install.

From a policy level I'd be fine with trusting hosts/daemons based on
IP, but I really want users authenticated with Kerberos.  Though I
don't see a way to make this distinction.

Is there a way to use a single keytab for all of them?  I'm
thinking not since Condor seems to append /the.host.name@xxxxxxxx to
the value of CONDOR_SERVER_PRINCIPAL.  If it is possible what is the
worst someone can do with a compromise of this key, since that's a
really poor security model :)

How have other people solved this issue?

Thanks,
-Jon