[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [HTCondor-users] HTCondor's Attack on Kerberos
- Date: Tue, 28 Nov 2017 12:30:51 +0100 (CET)
- From: FB <fbo2@xxxxxxx>
- Subject: Re: [HTCondor-users] HTCondor's Attack on Kerberos
----- UrsprÃngliche Mail -----
> Von: "Christoph Beyer" <christoph.beyer@xxxxxxx>
> An: "htcondor-users" <htcondor-users@xxxxxxxxxxx>
> Gesendet: Dienstag, 28. November 2017 09:55:29
> Betreff: Re: [HTCondor-users] HTCondor's Attack on Kerberos
> that is most likely the credential_shpeherd I will send you a private e-mail
> concerning that.
> SEC_CREDENTIAL_REFRESH_INTERVAL is the knob to configure the refresh intervall
> of the tokens, see:
I don't think so because of these reasons:
* My KDC logs show lots of authentication requests (AS_REQ) from host/[nodename]...
for host/[negotiator/collector-node] . It's actually the first time I've seen
AS_REQs like that. They are usually for krbtgt/... but the TGT is skipped here.
* KDC-logs correlated with StartLog show that each benchmark run by STARTD
causes a AS_REQ on a KDC.
* The credential_shepherd is a self-written script which would show all kerberos
related actions in a separate log file.
* My credential_shepherd renewes tickets which would cause ticket-requests but
not authentication requests.