Mailing List Archives
Public Access
|
|
![[Computer Systems Lab]](https://www-auth.cs.wisc.edu/pics/csl_logo.gif)
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [condor-users] Some questions concerning security in Condor
- Date: Tue, 24 Feb 2004 14:05:01 -0600
- From: Zachary Miller <zmiller@xxxxxxxxxxx>
- Subject: Re: [condor-users] Some questions concerning security in Condor
> In order to win over our computing services guys and get them to
> consider putting Condor on campus-wide facilities, I'd be grateful if
> anyone can answer some of the questions that have been raised, and
> detailed below. I'd like say that by fielding these questions we are in
> no way implying any sort of slur on any aspects of Condor, but I have
> been warned that some people/organizations can feel slighted at having
> the security of their products questioned. We mean no such offence.
none taken!
> 1) Does Condor support TCP_wrappers?
no... tcp_wrappers says:
Requirements are that network daemons are spawned by a super server
such as the inetd;
currently, the condor daemons persist and handle their own incoming
connections rather than being launched by a "super server".
however, condor has it's own ability to log incoming connections, and even
allow/deny based on IP address, which is the typical use of tcp_wrappers. if
this is all you need, maybe condor's existing mechanisms will suffice. if you
were planning on using the more advanced features of tcp_wrappers you are
unfortunately out of luck.
> 2) Has anyone done a security assesment/audit of Condor? If so, can we
> see the results?
the only thing i have is some older work done by another group here at the
UW, the paradyn project. http://www.cs.wisc.edu/paradyn/
under the "Technical Papers" section, there is a paper titled "Playing Inside
the Black Box: Using Dynamic Instrumentation to Create Security Holes" which
talks about a complicated exploit to older (i think pre 6.2.X) versions of
condor. here's a link to postscript and pdf versions:
ftp://ftp.cs.wisc.edu/paradyn/technical_papers/dyn-security.ps
ftp://ftp.cs.wisc.edu/paradyn/technical_papers/dyn-security.pdf
> 3) Section 3.7.4.1, "GSI Authentication" in the Condor v6.6 manual
> implies that the distinguished name of certificates for the Condor
> daemons should be of the form:
>
> /C=?/O=?/O=?/OU=?/CN=<daemon_name@domain>
>
> which is not of the same form as the distinguised name of certificates
> issued by the UK e-Science CA. So, is it the case that the distinguised
> name of certificates for the Condor daemons has to be of the form given
> above, or is this just an example?
it was just an example. condor can handle and use distiguished names in other
formats too.
> For comparison, the UK e-Science CA
> issues user certificates with distinguished names of the form:
>
> /C=UK/O=eScience/OU=?/L=?/CN=<name of user>
>
> host/server certificates with distinguished names of the form:
>
> /C=UK/O=eScience/OU=?/L=?/CN=<hostname>/Email=<some_name@domain>
no problem. but i am curious about the Email... whose email is that, the
sysadmin responsible for the host?
please feel free to ask more questions!
cheers,
-zach
Condor Support Information:
http://www.cs.wisc.edu/condor/condor-support/
To Unsubscribe, send mail to majordomo@xxxxxxxxxxx with
unsubscribe condor-users <your_email_address>