Re: [HTCondor-users] host based authentication for condor_submit -remote



I've been trying to figure out how to do this too.

Does the host based auth do any kind of validation that one user isn't claiming to be another user on that host?

NFS does that by ensuring the TCP port used is a root-only one.

SLURM uses MUNGE to do something similar. Non-root users on the machine can ask a root-owned process on the machine to vouch for them.

Can you do something like run a stub schedd on your local machine that has no actual queue, but submits the job on to the remote schedd with its own creds vouching for the user validated via FS?

Thanks,
Kevin

________________________________________
From: HTCondor-users [htcondor-users-bounces@xxxxxxxxxxx] on behalf of Todd L Miller [tlmiller@xxxxxxxxxxx]
Sent: Wednesday, July 27, 2016 8:28 AM
To: HTCondor-Users Mail List
Subject: Re: [HTCondor-users] host based authentication for condor_submit -remote

> If you just want host-based authentication, you probably want to enable
> the CLAIMTOBE mode: that allows the client to simply assert an identity,
> and the server will believe it.

        You don't normally have to do this, and probably don't want to;
CLAIMTOBE is mostly intended for debugging.  What you probably want to do
instead is reconfigure HTCondor to not require authentication at all --
host-based authorization at least checks DNS entries against the peer
address of incoming connections, but CLAIMTOBE does nothing at all.

        The default for SEC_DEFAULT_AUTHENTICATION is OPTIONAL, so you
don't normally have to do anything to use host-based authorization.  If
you've changed that in your configuration, you may have to change it back.
(HTCondor can use both host-based authorization and GSI/kerberos/etc
authentication simultaneously, but it's trickier to configure.)

- ToddM
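
An added illustration, not part of either message and not HTCondor's own code: a Python sketch of what the two checks mentioned in this thread establish, a forward-confirmed reverse DNS match on the peer address and the NFS-style reserved source port test. The DNS tables, host names, patterns and function names are constructed for the example.

```python
import fnmatch
import ipaddress

# Constructed DNS data standing in for real resolver lookups (assumption).
# 198.51.100.7 has a PTR record that claims a name it does not own.
PTR = {"192.0.2.10": "submit1.example.org", "198.51.100.7": "submit1.example.org"}
A = {"submit1.example.org": {"192.0.2.10"}}

def peer_hostname(peer_ip, ptr=PTR, a=A):
    """Return the peer's hostname only if reverse and forward DNS agree."""
    ip = str(ipaddress.ip_address(peer_ip))  # raises ValueError on a malformed address
    name = ptr.get(ip)
    if name is None:
        return None
    # Forward-confirm: whoever controls the reverse zone can return any name.
    return name.lower() if ip in a.get(name, set()) else None

def host_allowed(peer_ip, allow_patterns, ptr=PTR, a=A):
    """Host-based decision: match the raw IP or the confirmed hostname against a list."""
    name = peer_hostname(peer_ip, ptr, a)
    candidates = [peer_ip] + ([name] if name else [])
    return any(fnmatch.fnmatchcase(c, p.lower())
               for c in candidates for p in allow_patterns)

def from_reserved_port(peer_port):
    """NFS-style check: traditionally only root can bind source ports below 1024."""
    return 0 < peer_port < 1024

def decide(peer_ip, peer_port, claimed_user, allow_patterns):
    """Summarise what each check says about one incoming connection."""
    return {
        "host_ok": host_allowed(peer_ip, allow_patterns),
        "sent_by_root": from_reserved_port(peer_port),
        # Neither check looks at claimed_user: the host is vetted, the user is not.
        "claimed_user": claimed_user,
        "user_verified": False,
    }

if __name__ == "__main__":
    for ip, port in [("192.0.2.10", 40000), ("192.0.2.10", 1023), ("198.51.100.7", 1023)]:
        print(ip, port, decide(ip, port, "alice", ["*.example.org"]))
```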