HTCondor Project List Archives



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Condor-devel] Has Condor considered NSS?




A restricted certificate is created, but not transferred.
Normally with Globus, it works like this:
1) User runs grid-proxy-init. A new certificate/key is created, and signed by your regular key. It usually expires more quickly (12 hours is the default), though users can control this. It is not protected by a password (so you don't have to type your password for every job submission and data transfer), but only by local Unix file permissions. Generally it's stored in /tmp (which shouldn't be a shared file system) with 600 permissions.
2) When you run your job, a new proxy certificate is delegated:
   - At the remote site, a new private key is created
   - At the remote site, a certificate request is created
   - The certificate request is sent back to the submitting side
   - A public certificate is created and signed by the proxy
     certificate.
   - This public certificate (no secrets!) is sent to the remote side
   - Again, this certificate/key has no password but is protected by
     Unix permissions.
So there are no secrets transferred.
If someone can access your proxy certificate files (root, an attacker) they can act as you until the proxy certificate expires. This is why the time is limited.

Well, the secrets are delegated. If someone can access the new private key on the remote site you're also hosed.

Right: the delegated certificate has the same security risks as the proxy certificate: it can be accessed by anyone that can bypass Unix file system permissions. It is time-limited, so the attack timeframe is similar to the proxy certificate.

I'm not a security expert, so I won't try to convince you of the safety of this system. But imagine that someone gets access to your files on the remote system. You're screwed in plenty of ways if that happens. For example, I could modify your .ssh/authorized_keys if I had access to your files.

So you're right, but I'm not sure that this is a critique of delegating credentials.

-alain