
Re: [Condor-users] GSI authentication details



On Wed, Sep 26, 2007 at 02:36:11PM -0500, Scott Koranda wrote:
> Hi,
> 
> The Condor 6.9.4 manual in section 3.6.3.1 implies that the
> GSI_DAEMON_CERT is a "host" cert:
> 
> GSI_DAEMON_CERT           = $(GSI_DAEMON_DIRECTORY)/hostcert.pem
> 
> By "host" cert here I mean a cert ending with CN=FQDN or
> CN=host/FQDN.
> 
> Is there any such requirement or can the certificate used be
> any valid certificate? Are there any restrictions on the DN?

normally, user certs are password protected, and host certs are protected via
filesystem permissions.

so in this context, the only requirement for GSI_DAEMON_CERT/GSI_DAEMON_KEY is
that the private key file is not encrypted with a password.  in fact, you can
even use a user proxy as the host cert, since the user proxy is not password
protected.


> Also, a common problem seen with GSI and "host" certificates
> when used on machines that have two (or more) network
> interfaces is that host authorization (commonly used with
> some client tools leveraging GSI) fails when a reverse lookup
> on the IP address for the box hosting the service/daemon
> doesn't match the DN for the host cert because the DN is bound
> to one network interface while the client tool is talking to
> the other interface.
> 
> Is this an issue at all when using GSI authentication in
> Condor? I am guessing it is not because there is not GSI
> "host" authorization happening and all authorization is at the
> level of the Condor user IDs, but I want to be sure...

you are correct.  the FQDN is currently not extracted and matched with the IP.
this is something i will probably add, with a config option to disable it for
the reason you mentioned above.


cheers,
-zach
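
Added example, not part of the original message and not Condor code: a check that a PEM key file intended for GSI_DAEMON_KEY meets the two conditions described in the reply above, namely that the key is not passphrase-encrypted and that filesystem permissions restrict it to its owner. The function names, the sample file contents and the POSIX permission model are assumptions made for this illustration.

```python
import os
import stat
import tempfile

# PEM markers that indicate a passphrase-protected private key.
ENCRYPTED_MARKERS = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----",  # PKCS#8 encrypted form
    "Proc-Type: 4,ENCRYPTED",                 # traditional OpenSSL PEM encryption header
)

def check_daemon_key(path):
    """Return a list of problems for a key file intended as GSI_DAEMON_KEY."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    problems = []
    # With no passphrase, filesystem permissions are the key's only protection.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o allows group/other access" % stat.S_IMODE(st.st_mode))
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    if "PRIVATE KEY-----" not in text:
        problems.append("no PEM private key block found")
    elif any(marker in text for marker in ENCRYPTED_MARKERS):
        problems.append("private key is passphrase-encrypted")
    return problems

# Constructed sample files: the base64 bodies are placeholders, not real keys.
SAMPLE_PLAIN = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Q09OU1RSVUNURUQgU0FNUExF\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
    "Q09OU1RSVUNURUQgU0FNUExF\n"
    "-----END RSA PRIVATE KEY-----\n"
)

def write_sample(text, mode):
    """Write a constructed sample to a temp file with the given mode (hypothetical helper)."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    for text, mode in ((SAMPLE_PLAIN, 0o600), (SAMPLE_PLAIN, 0o644), (SAMPLE_ENCRYPTED, 0o600)):
        print(oct(mode), check_daemon_key(write_sample(text, mode)) or "ok")
```

A user proxy file passes the encryption check for the same reason given in the reply: its embedded private key is stored without a passphrase, so the mode check is the one that matters for it.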