[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] HTCondor's Attack on Kerberos


----- UrsprÃngliche Mail -----
> Von: "Christoph Beyer" <christoph.beyer@xxxxxxx>
> An: "htcondor-users" <htcondor-users@xxxxxxxxxxx>
> Gesendet: Dienstag, 28. November 2017 09:55:29
> Betreff: Re: [HTCondor-users] HTCondor's Attack on Kerberos

> Hi,
> that is most likely the credential_shpeherd I will send you a private e-mail
> concerning that.
> SEC_CREDENTIAL_REFRESH_INTERVAL is the knob to configure the refresh intervall
> of the tokens, see:

I don't think so because of these reasons:

   * My KDC logs show lots of authentication requests (AS_REQ) from host/[nodename]...
     for host/[negotiator/collector-node] . It's actually the first time I've seen
     AS_REQs like that. They are usually for krbtgt/... but the TGT is skipped here.
   * KDC-logs correlated with StartLog show that each benchmark run by STARTD
     causes a AS_REQ on a KDC.
   * The credential_shepherd is a self-written script which would show all kerberos
     related actions in a separate log file.
   * My credential_shepherd renewes tickets which would cause ticket-requests but
     not authentication requests.