
Re: [HTCondor-users] dirty AFS hook stuff?



Brian Bockelman wrote:
> This means that an implementation is mostly a matter of finding
> someone who understands AFS and HTCondor well enough to copy/paste
> the relevant code.

Doing it right is not that simple at all. It's not a matter of copying
code. It's a matter of forwarding Kerberos tickets to every node in a
Condor pool, nodes that may not be secure.

I'm running a desktop pool. Most of the nodes in my pool are on or under
users' desks. These nodes have little or no physical access controls. It
would be trivial for a malicious user to install a compromised version
of the Condor daemons that send copies of forwarded Kerberos tickets to
that malicious user. At this point said malicious user can masquerade as
anyone whose jobs run on those compromised nodes.

-- 
Rich Pieri <ratinox@xxxxxxx>
MIT Laboratory for Nuclear Science