
Re: [HTCondor-users] GSI question

On Aug 1, 2014, at 9:57 AM, Pek Daniel <pekdaniel@xxxxxxxxx> wrote:

> Hi,
> From the doc http://research.cs.wisc.edu/htcondor/manual/v8.2/3_6Security.html:
> "This example's one-way authentication implies that B is verifying the
> identity of A, using the certificate A provides, and utilizing B's own
> set of trusted CAs (Certification Authorities). Client A provides its
> certificate (or proxy) to daemon B."
> And after:
> "When a daemon acts as the client within authentication, the daemon
> needs a listing of those from which it will accept certificates. This
> is done with GSI_DAEMON_NAME. This name is specified with the
> following format"
> This is controversial for me. GSI provides one-way auth, and the doc
> says (first quote) that the client provides the certificate to the
> server.
> In the second quote, it says that the client needs the list of servers
> who it'll accept certificates from.
> And anyway, isn't this whole GSI_DAEMON_NAME redundant together with
> the mapping+authz rules?

Hi Daniel,

It appears the security manual hasn't caught up with the configuration page.  From the configuration page:

This configuration variable is retired. Instead use ALLOW_CLIENT or DENY_CLIENT as appropriate. When used, this variable defined a comma separated list of the subject name(s) of the certificate(s) used by Condor daemons to which this configuration of Condor will connect. The * character may be used as a wild card character. When GSI_DAEMON_NAME is defined, only certificates matching GSI_DAEMON_NAME pass the authentication step, and no check is performed to require that the host name of the daemon matches the host name in the daemon's certificate. When GSI_DAEMON_NAME is not defined, the host name of the daemon and certificate must match unless exempted by the use of GSI_SKIP_HOST_CHECK and/or GSI_SKIP_HOST_CHECK_CERT_REGEX.

Basically, newer versions of HTCondor have the client explicitly check that the DNS-derived hostname matches the name present on the host certificate.  Older versions did not, requiring you to add host certificate DNs one-by-one to GSI_DAEMON_NAME.  As you can imagine, this did not work well in infrastructures that had more than about 5 servers.
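To make the difference described in the reply concrete, here is a small Python model of the two client-side checks (example code written for this page, not HTCondor's own implementation). The CA path, subject DNs, host names and the GSI_DAEMON_NAME pattern are constructed for illustration; the handling of proxy-certificate CN suffixes ("proxy", "limited proxy", a number) and of the "host/" CN prefix is an assumption about how GSI subjects are laid out, not something the thread states.

```python
"""
Added example: the retired GSI_DAEMON_NAME allow-list versus the
hostname-vs-certificate check that replaced it. All DNs and host
names below are constructed, not taken from any real deployment.
"""
import re

# Constructed values for the demonstration.
EXAMPLE_CA_WILDCARD = "/DC=org/DC=example/OU=Services/CN=*"
EXAMPLE_GOOD_DN = "/DC=org/DC=example/OU=Services/CN=host/schedd.example.org"
EXAMPLE_ROGUE_DN = "/DC=org/DC=example/OU=Services/CN=host/rogue.example.org"


def _wildcard_to_regex(pattern):
    """Anchored regex for a GSI_DAEMON_NAME pattern: only '*' is special,
    every other character (including '/' and '=') is matched literally."""
    return "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"


def gsi_daemon_name_accepts(subject_dn, gsi_daemon_name):
    """Retired behaviour: the peer passes authentication if its subject DN
    matches any pattern in the comma-separated list. Note what is NOT an
    input here: the host name the client actually connected to."""
    for pattern in gsi_daemon_name.split(","):
        pattern = pattern.strip()
        if pattern and re.match(_wildcard_to_regex(pattern), subject_dn):
            return True
    return False


def _rdns(subject_dn):
    """Split an OpenSSL one-line DN at slashes that start a new attribute,
    so a CN value like 'host/schedd.example.org' stays in one piece."""
    return [c for c in re.split(r"/(?=[A-Za-z]+=)", subject_dn) if c]


# Assumption: these trailing CN values mark GSI proxy extensions.
_PROXY_CN = re.compile(r"^(proxy|limited proxy|\d+)$")


def cert_hostname(subject_dn):
    """Host name asserted by a GSI host certificate: the last non-proxy CN,
    with the conventional 'host/' prefix removed, lower-cased."""
    cns = [c[len("CN="):] for c in _rdns(subject_dn) if c.startswith("CN=")]
    while cns and _PROXY_CN.match(cns[-1]):
        cns.pop()
    if not cns:
        return None
    cn = cns[-1]
    if cn.startswith("host/"):
        cn = cn[len("host/"):]
    return cn.lower()


def host_check_accepts(subject_dn, connected_host,
                       skip_host_check=False, skip_check_cert_regex=None):
    """Current behaviour as the reply describes it: with GSI_DAEMON_NAME
    unset, the daemon's certificate must name the host the client resolved
    and connected to, unless exempted by GSI_SKIP_HOST_CHECK or a
    GSI_SKIP_HOST_CHECK_CERT_REGEX match."""
    if skip_host_check:
        return True
    if skip_check_cert_regex and re.search(skip_check_cert_regex, subject_dn):
        return True
    name = cert_hostname(subject_dn)
    return name is not None and name == connected_host.lower().rstrip(".")


def compare(subject_dn, connected_host, gsi_daemon_name=EXAMPLE_CA_WILDCARD):
    """Run both checks on the same peer certificate and connection target."""
    return {
        "gsi_daemon_name": gsi_daemon_name_accepts(subject_dn, gsi_daemon_name),
        "host_check": host_check_accepts(subject_dn, connected_host),
    }


if __name__ == "__main__":
    # The client thinks it is talking to schedd.example.org; a CA-wide
    # wildcard cannot tell the real schedd's certificate from another
    # host's certificate issued by the same CA, the host check can.
    for dn in (EXAMPLE_GOOD_DN, EXAMPLE_ROGUE_DN):
        print(dn, compare(dn, "schedd.example.org"))
```

The rogue certificate is a perfectly valid host certificate from the trusted CA; the wildcard allow-list accepts it for any daemon, which is exactly the "no check is performed to require that the host name of the daemon matches" caveat quoted above. Listing every DN explicitly avoids that but scales as badly as the reply says. Binding the certificate to the resolved host name is what ties the authentication step to the peer the client meant to reach, leaving ALLOW_CLIENT and DENY_CLIENT to express authorization separately.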