
Re: [HTCondor-users] host based authentication for condor_submit -remote



Thanks for the contribution, Kevin.  (This is something I'd recently been thinking about adding.)  I'll take a look soon and be in touch.


Cheers,
-zach


> -----Original Message-----
> From: HTCondor-users [mailto:htcondor-users-bounces@xxxxxxxxxxx] On Behalf Of Brian Bockelman
> Sent: Friday, July 29, 2016 9:10 AM
> To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
> Subject: Re: [HTCondor-users] host based authentication for condor_submit -remote
> 
> Hi Kevin,
> 
> I think this is an excellent idea.
> 
> The submitted code looks broadly correct (setting aside some minor cmake
> issues).  I made a few notes in the PR.  I'll let Zach chime in, who
> normally does code review for security tickets.
> 
> Brian
> 
> > On Jul 29, 2016, at 8:53 AM, Fox, Kevin M <Kevin.Fox@xxxxxxxx> wrote:
> >
> > Ok. I'll work on debugging the FS-REMOTE issue.
> >
> > I also took a stab at writing a MUNGE auth plugin:
> > https://github.com/htcondor/htcondor/pull/12
> >
> > It's basically the same code as FS-REMOTE with the fs code switched out with a couple of MUNGE calls.
> >
> > Can someone familiar with auth plugins please take a look?
> >
> > Thanks,
> > Kevin
> > ________________________________________
> > From: HTCondor-users [htcondor-users-bounces@xxxxxxxxxxx] on behalf of Brian Bockelman [bbockelm@xxxxxxxxxxx]
> > Sent: Wednesday, July 27, 2016 12:19 PM
> > To: HTCondor-Users Mail List
> > Subject: Re: [HTCondor-users] host based authentication for condor_submit -remote
> >
> >> On Jul 27, 2016, at 2:14 PM, Fox, Kevin M <Kevin.Fox@xxxxxxxx> wrote:
> >>
> >> Bummer. Ok.
> >>
> >> I ran into some issues trying FS-REMOTE with LDAP. Wasn't working correctly. Couldn't resolve the uid for some reason, but worked fine with a getent passwd username.
> >>
> >
> > That's worth debugging.  It's certainly expected to work.
> >
> > Try setting the debug on the client side and schedd side to D_FULLDEBUG|D_SECURITY, then sending it here or the support email address (the support email address keeps the debug logs private, but then I won't be able to help...).
> >
> >> Is there any way with host based to limit it to just a few specific users at least, rather than giving access to all users?
> >>
> >> I did try and make a quick SSL CA for users to test some things, but I haven't figured out how to do revocations. Any ideas there?
> >>
> >> I'm trying to keep things relatively simple to support remote job submission, and full-blown GSI seems like overkill, but may be the only way to actually secure the channel?
> >
> > I think GSI is common in the communities that already do GSI heavily (for example, in the HEP or LHC communities).
> >
> > In general, I suspect KRB5 for authentication is more widespread.
> >
> > Brian
> >
> >
> > _______________________________________________
> > HTCondor-users mailing list
> > To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
> > subject: Unsubscribe
> > You can also unsubscribe by visiting
> > https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
> >
> > The archives can be found at:
> > https://lists.cs.wisc.edu/archive/htcondor-users/