Re: [HTCondor-users] LocalCredd attribute undefined
- Date: Tue, 09 Feb 2016 13:38:23 -0600
- From: Todd Tannenbaum <tannenba@xxxxxxxxxxx>
- Subject: Re: [HTCondor-users] LocalCredd attribute undefined
> On Mon, Feb 8, 2016 at 5:06 PM, Sean Milligan
> <Sean.Milligan@xxxxxxxxxxxxx> wrote:
>> Did you create a shared pool password with condor_store_cred -c
>> add?
>
> No, I did not. This is a restricted internal cluster, so the security
> features aren't used. Is the pool password specifically required? I
> know the example configuration uses a pool password, but I wouldn't
> expect that specific mechanism to be a hard requirement.
Hi Ben,
Re the above, I think Sean is on the right track (thanks Sean!).
The use of pool password is not a hard-wired requirement, but what IS
hard-coded into the credd in order for it to hand out a password is the
following:
1. The requesting client must use an authenticated connection
2. The requesting client must have an encrypted connection
3. The requesting client must be authorized for DAEMON level access.
So requirement 1 means you need to authenticate with at least SOME
authentication method that works over the network (i.e. not FS); if you
don't wanna deal with setting up a pool password or SSL certs, you could
use CLAIMTOBE. CLAIMTOBE is not secure, but at least it doesn't require
any effort to set up.
Requirement 2 means you had better set up encryption to be required.
Requirement 3 means you had better add the machines that need to fetch
passwords (i.e. impersonate users) into the ALLOW_DAEMON knob on the CREDD.
So I'd suggest taking the example condor_config.local.credd and editing
it to use something like CLAIMTOBE instead of pool password if you
really trust everything/everyone on your internal cluster and setting up
a pool password is too much work; i.e. consider putting something like
the below on all your machines in your pool (warning, untested!) :
# Set security settings so that full security to the credd is required,
# since the credd will refuse to give out a password over a
# connection that is not authenticated and encrypted.
CREDD.SEC_DEFAULT_AUTHENTICATION = REQUIRED
CREDD.SEC_DEFAULT_ENCRYPTION = REQUIRED
CREDD.SEC_DEFAULT_INTEGRITY = REQUIRED
CREDD.SEC_DEFAULT_NEGOTIATION = REQUIRED
# Allow the client to claim to be anyone, and authorize the
# credd to give out passwords to anyone who asks with an
# ip address starting with 128.105.
# This is a VERY insecure setup!! Don't do this unless
# you trust all machines in the pool, trust all users on
# all the machines, and your pool is isolated on its own
# private network!! You have been warned!!!
SEC_DEFAULT_AUTHENTICATION_METHODS = CLAIMTOBE \
$(SEC_DEFAULT_AUTHENTICATION_METHODS)
CREDD.ALLOW_DAEMON = */128.105.*
regards,
Todd
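The same three credd requirements met with the shared pool password instead of CLAIMTOBE, as an added example that is not from Todd's message or from HTCondor's shipped condor_config.local.credd; the "*.cluster.example" host pattern and the password file path are assumed placeholders.

```ini
# Added example: satisfy the credd's three hard-coded requirements
# (authenticated, encrypted, DAEMON-authorized client) with a pool
# password rather than CLAIMTOBE. Place on every machine in the pool.

# Requirements 1 and 2: full security on every connection to the credd.
CREDD.SEC_DEFAULT_AUTHENTICATION = REQUIRED
CREDD.SEC_DEFAULT_ENCRYPTION = REQUIRED
CREDD.SEC_DEFAULT_INTEGRITY = REQUIRED
CREDD.SEC_DEFAULT_NEGOTIATION = REQUIRED

# Authenticate with the shared pool password. The password is stored on
# each machine with "condor_store_cred -c add" (run as root/Administrator);
# on Unix hosts it lands in SEC_PASSWORD_FILE, on Windows in the registry.
SEC_DEFAULT_AUTHENTICATION_METHODS = PASSWORD
SEC_PASSWORD_FILE = /etc/condor/pool_password   # placeholder path, Unix only

# Requirement 3: only daemons that proved knowledge of the pool password
# (PASSWORD auth yields the identity condor_pool@$(UID_DOMAIN)) and run on
# the listed hosts may fetch passwords, i.e. impersonate users. This
# replaces the anonymous */128.105.* wildcard of the CLAIMTOBE setup.
CREDD.ALLOW_DAEMON = condor_pool@$(UID_DOMAIN)/*.cluster.example
```

Narrow the host pattern to the schedd/startd machines that actually need to fetch credentials; any host that matches and knows the pool password can obtain every stored user password from the credd.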