Re: [HTCondor-users] host based authentication for condor_submit -remote
- Date: Fri, 29 Jul 2016 09:10:22 -0500
- From: Brian Bockelman <bbockelm@xxxxxxxxxxx>
- Subject: Re: [HTCondor-users] host based authentication for condor_submit -remote
Hi Kevin,
I think this is an excellent idea.
The submitted code looks broadly correct (setting aside some minor cmake issues). I made a few notes in the PR. I’ll let Zach chime in, who normally does code review for security tickets.
Brian
> On Jul 29, 2016, at 8:53 AM, Fox, Kevin M <Kevin.Fox@xxxxxxxx> wrote:
>
> Ok. I'll work on debugging the FS-REMOTE issue.
>
> I also took a stab at writing a MUNGE auth plugin:
> https://github.com/htcondor/htcondor/pull/12
>
> It's basically the same code as FS-REMOTE with the fs code switched out with a couple of MUNGE calls.
>
> Can someone familiar with auth plugins please take a look?
>
> Thanks,
> Kevin
> ________________________________________
> From: HTCondor-users [htcondor-users-bounces@xxxxxxxxxxx] on behalf of Brian Bockelman [bbockelm@xxxxxxxxxxx]
> Sent: Wednesday, July 27, 2016 12:19 PM
> To: HTCondor-Users Mail List
> Subject: Re: [HTCondor-users] host based authentication for condor_submit -remote
>
>> On Jul 27, 2016, at 2:14 PM, Fox, Kevin M <Kevin.Fox@xxxxxxxx> wrote:
>>
>> Bummer. Ok.
>>
>> I ran into some issues trying FS-REMOTE with LDAP. It wasn't working correctly. It couldn't resolve the uid for some reason, but it worked fine with a getent passwd username.
>>
>
> That’s worth debugging. It’s certainly expected to work.
>
> Try setting the debug on the client side and schedd side to D_FULLDEBUG|D_SECURITY, then sending it here or the support email address (the support email address keeps the debug logs private, but then I won’t be able to help...).
>
>> Is there any way with host based to limit it to just a few specific users at least, rather than giving access to all users?
>>
>> I did try and make a quick SSL CA for users to test some things, but I haven't figured out how to do revocations. Any ideas there?
>>
>> I'm trying to keep things relatively simple to support remote job submission, and full-blown GSI seems like overkill, but may be the only way to actually secure the channel?
>
> I think GSI is common in the communities that already do GSI heavily (for example, in the HEP or LHC communities).
>
> In general, I suspect KRB5 for authentication is more widespread.
>
> Brian
>
>
> _______________________________________________
> HTCondor-users mailing list
> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
>
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/htcondor-users/