
Re: [HTCondor-users] condor 8.x and authentication woes



Hi.

I went with SSL because it's a standard protocol used in HTTPS. Didn't
think it was this hard.

Here is my setup, BTW
SEC_DAEMON_AUTHENTICATION = REQUIRED
SEC_DAEMON_AUTHENTICATION_METHODS = SSL


AUTH_SSL_CLIENT_CAFILE = /var/lib/condor/cndrsrvc.crt
AUTH_SSL_CLIENT_CERTFILE = /var/lib/condor/cndrsrvc.crt
AUTH_SSL_CLIENT_KEYFILE = /var/lib/condor/cndrsrvc.key
AUTH_SSL_SERVER_CAFILE = /var/lib/condor/cndrsrvc.crt
AUTH_SSL_SERVER_CERTFILE = /var/lib/condor/cndrsrvc.crt
AUTH_SSL_SERVER_KEYFILE = /var/lib/condor/cndrsrvc.key
CERTIFICATE_MAPFILE = /var/lib/condor/map

The map file is simple
SSL "/C=US/ST=MI/L=Madison/O=University of Wisconsin--Madison/O=Computer Sciences Department/OU=HTCondor Project/CN=Service" condor

I am hoping the map file is the issue. I am open to troubleshooting this.

But, for now I like the password option.

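Since the thread leaves open whether the map file is the problem, here is a small offline check, added as an example and not code from the post or from HTCondor itself: it parses CERTIFICATE_MAPFILE lines in the `METHOD "regex" canonical` form and reports which canonical user (if any) a given certificate subject DN would map to. It assumes the regex has to match the whole DN (anchored) and uses Python back-references for the canonical field; the second map line and both DNs are constructed samples.

```python
import re

# Constructed sample mapfile: the SSL entry from the post (on one line) plus an
# assumed second entry that maps any CN under a lab-specific issuer to itself.
SAMPLE_MAPFILE = r'''
# method  "regex"  canonical_user
SSL "/C=US/ST=MI/L=Madison/O=University of Wisconsin--Madison/O=Computer Sciences Department/OU=HTCondor Project/CN=Service" condor
SSL "/C=US/ST=MI/O=Example Lab/CN=([^/]+)" \1
'''

# method, then a double-quoted regex (may contain spaces) or a bare token,
# then the canonical user
LINE_RE = re.compile(r'^(\S+)\s+("(?:[^"\\]|\\.)*"|\S+)\s+(\S+)\s*$')


def parse_mapfile(text):
    """Return [(METHOD, compiled_regex, canonical)] in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f'malformed map line: {raw!r}')
        method, pattern, canonical = m.groups()
        if pattern.startswith('"'):
            pattern = pattern[1:-1]  # keep the regex text itself verbatim
        entries.append((method.upper(), re.compile(pattern), canonical))
    return entries


def map_principal(entries, method, principal):
    """First entry whose method matches and whose regex matches the whole
    principal wins (anchoring is assumed); back-references in the canonical
    field are expanded. None means no match, i.e. the user stays unmapped."""
    for entry_method, rx, canonical in entries:
        if entry_method != method.upper():
            continue
        match = rx.fullmatch(principal)
        if match:
            return match.expand(canonical)
    return None


def check_dn(mapfile_text, dn, method='SSL'):
    """What would this subject DN (HTCondor's slash form) map to?"""
    return map_principal(parse_mapfile(mapfile_text), method, dn)


if __name__ == '__main__':
    for dn in ('/C=US/ST=MI/L=Madison/O=University of Wisconsin--Madison/O=Computer Sciences Department/OU=HTCondor Project/CN=Service',
               '/C=US/ST=MI/O=Example Lab/CN=r2.lab.example'):
        print(dn, '->', check_dn(SAMPLE_MAPFILE, dn))
```

Feed it the subject DN taken from the certificate named in AUTH_SSL_CLIENT_CERTFILE; a result of None means that cert would never map to the condor user regardless of the rest of the SSL setup.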

On Mon, Jul 1, 2019 at 10:09 PM Bockelman, Brian
<BBockelman@xxxxxxxxxxxxx> wrote:
>
> Hi Keith,
>
> Sorry to hear that you have issues!
>
> If you're going for a "simple, secure" setup, I would recommend using PASSWORD auth (slides 11-17 of the presentation you linked https://indico.cern.ch/event/272794/contributions/614951/attachments/490442/677973/MillerZ-Securing.pdf).
>
> There are some limitations for PASSWORD noted in the slides (namely: flocking multiple pools together and remote submission); it doesn't sound like you will hit those limitations currently.  In 8.9.2, we have started to lift those limitations (life will get easier in 8.9.3 and yet again in 8.9.4).
>
> SSL is relatively complex because, well, setting up a public key infrastructure is relatively complex.  8.9.3 will provide a few sane defaults (fewer knobs to turn), but there's a limit to how simple it can go.
>
> Any reason why you gravitate toward SSL instead of PASSWORD?
>
> Thanks,
>
> Brian
>
> On Jul 1, 2019, at 8:46 PM, Keith Brown <keith6014@xxxxxxxxx> wrote:
>
> I have been a long time condor 6 & 7 user and decided to give v8 a try
> in our lab. Installation was done through an RPM, RHEL 7.6.
>
> I have 2 nodes: r1 (COLLECTOR, MASTER, NEGOTIATOR, SCHEDD, STARTD). r2
> (MASTER, STARTD).  I am able to start everything up but on r2 I keep
> seeing
>
> 07/01/19 21:35:14 SECMAN: FAILED: Received "DENIED" from server for
> user unauthenticated@unmapped using method (no authentication).
> 07/01/19 21:35:14 ERROR: SECMAN:2010:Received "DENIED" from server for
> user unauthenticated@unmapped using method (no authentication).
>
> I am tempted to go "CLAIMTOBE" route. Instead, I looked into SSL
> because that seems to be recommended but getting it to work is very
> hard.
>
>
> I have followed,
> http://research.cs.wisc.edu/htcondor/CondorWeek2011/presentations/zmiller-ssl-tutorial.pdf
> and https://indico.cern.ch/event/272794/contributions/614951/attachments/490442/677973/MillerZ-Securing.pdf
> https://www-auth.cs.wisc.edu/lists/htcondor-users/2010-January/msg00228.shtml
>
> Is there a simpler version of the SSL setup? Has anyone gotten a
> simple SSL setup to work?
>
> The documentation, https://htcondor.readthedocs.io/en/v8_8_3/admin-manual/security.html,
> should include a quick start for SSL. Otherwise, I think everything
> will go with CLAIMTOBE and make instances insecure.
> _______________________________________________
> HTCondor-users mailing list
> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
>
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/htcondor-users/
>