
[Condor-users] Understanding authentication in Condor
Hi all,

I'm having a tough time trying to understand security in Condor.  I'm trying to understand how the Condor password authentication works in a testbed system of a Linux submit/negotiate/collect/execute host and a Windows execute host.

The Windows box has simply an administration user on it currently, whilst the Linux box has the users that will be utilising the cluster.  I added the pool password to the Windows box, as described in section 3.6.3.4 of the manual.  Similarly, I created a secrets file on the Linux box.

Currently, both my condor_config.local files (based on the example in the manual) look like:

SEC_PASSWORD_FILE = /etc/condor/secrets
SEC_DAEMON_AUTHENTICATION = REQUIRED
SEC_DAEMON_INTEGRITY = REQUIRED
SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD
SEC_NEGOTIATOR_AUTHENTICATION = REQUIRED
SEC_NEGOTIATOR_INTEGRITY = REQUIRED
SEC_NEGOTIATOR_AUTHENTICATION_METHODS = PASSWORD
SEC_CLIENT_AUTHENTICATION_METHODS = FS, PASSWORD

ALLOW_DAEMON = condor_pool@$(UID_DOMAIN)/192.168.1.*,condor@$(UID_DOMAIN)/$(IP_ADDRESS), condor_pool@$(UID_DOMAIN)/127.0.0.1, condor@$(UID_DOMAIN)/127.0.0.1
ALLOW_NEGOTIATOR = condor_pool@$(UID_DOMAIN)/192.168.1.25, 127.0.0.1
ALLOW_CONFIG = root@$(UID_DOMAIN)/$(IP_ADDRESS)
ALLOW_WRITE = $(ALLOW_WRITE),192.168.1.*
ALLOW_READ = $(ALLOW_READ), 192.168.1.*


Obviously, this prevents any daemons that do not have the shared password from joining the pool, and works okay (albeit with quite slow job throughput).

The problem (is it a problem?) is that I'm still allowing write/read access to anybody on the subnet.  If I change my ALLOW_WRITE/READ lines to *@$(UID_DOMAIN)/192.168.1.*, then the file transfers bomb out as per Ticket #1759.  Following #1759's suggested workaround, I try to implement SEC_WRITE_AUTHENTICATION = required, SEC_WRITE_AUTHENTICATION_METHODS = fs, password.  However, I get messages in ShadowLog such as:

08/15/12 15:44:36 (30.0) (8720): AUTHENTICATE: handshake failed!
08/15/12 15:44:36 (30.0) (8720): DC_AUTHENTICATE: required authentication of 192.168.1.15 failed: AUTHENTICATE:1002:Failure performing handshake|AUTHENTICATE:1004:Failed to authenticate using FS

Can anyone help, or point me in the direction of a more comprehensive tutorial?

Thanks,

Chris

--
Dr Chris Jewell
Massey University
Private Bag 11222
Palmerston North 4442
New Zealand
Tel: +64 (0) 6 350 5701 Extn: 3586
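To see why host-only entries such as `192.168.1.*` in ALLOW_WRITE/ALLOW_READ let unauthenticated peers through while `*@$(UID_DOMAIN)/192.168.1.*` does not, here is a small, added Python model of the ALLOW_* matching (not Condor's own code). It assumes constructed values for `$(UID_DOMAIN)` and `$(IP_ADDRESS)` and deliberately simplifies the real matcher (no hostnames, netmasks or DENY_* lists); it is meant to make the security-relevant difference between the two entry forms visible, not to reproduce Condor exactly.

```python
import fnmatch
import re

# Constructed macro values for the testbed in the post (assumed, not from the page).
MACROS = {"UID_DOMAIN": "example.org", "IP_ADDRESS": "192.168.1.25"}


def expand(value, macros=MACROS):
    """Expand $(NAME) macros the way the ALLOW_* lines in the post use them."""
    return re.sub(r"\$\(([A-Z_]+)\)", lambda m: macros.get(m.group(1), ""), value)


def parse_allow(line, macros=MACROS):
    """Split a comma-separated ALLOW_* value into (user_pattern, host_pattern) pairs.
    An entry with no '@' (e.g. '192.168.1.*') carries no identity requirement at all."""
    entries = []
    for raw in expand(line, macros).split(","):
        raw = raw.strip()
        if not raw:
            continue  # e.g. an unset $(ALLOW_WRITE) self-reference expands to nothing
        if "@" in raw and "/" in raw:
            user, host = raw.rsplit("/", 1)
        elif "@" in raw:
            user, host = raw, "*"
        else:
            user, host = "*", raw
        entries.append((user, host))
    return entries


def unauthenticated_entries(line, macros=MACROS):
    """Defender check: host patterns that grant access without any authenticated identity."""
    return [host for user, host in parse_allow(line, macros) if user == "*"]


def is_allowed(identity, peer_ip, allow_line, macros=MACROS):
    """Simplified authorization: a peer passes if some entry's host pattern matches its
    IP and the user pattern matches its authenticated identity. An unauthenticated
    peer has identity None and can only satisfy entries with no user part."""
    for user_pat, host_pat in parse_allow(allow_line, macros):
        if not fnmatch.fnmatch(peer_ip, host_pat):
            continue
        if user_pat == "*":
            return True
        if identity is not None and fnmatch.fnmatch(identity, user_pat):
            return True
    return False
```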