Re: [HTCondor-users] HTCondor's Attack on Kerberos
- Date: Tue, 28 Nov 2017 09:55:29 +0100 (CET)
- From: "Beyer, Christoph" <christoph.beyer@xxxxxxx>
- Subject: Re: [HTCondor-users] HTCondor's Attack on Kerberos
Hi,
That is most likely the credential_shepherd; I will send you a private e-mail concerning that.
SEC_CREDENTIAL_REFRESH_INTERVAL is the knob to configure the refresh interval of the tokens, see:
https://htcondor-wiki.cs.wisc.edu/index.cgi/tktview?tn=6318
Best
Chris
--
Christoph Beyer
DESY Hamburg
IT-Department
Notkestr. 85
Building 02b, Room 009
22607 Hamburg
phone:+49-(0)40-8998-2317
mail: christoph.beyer@xxxxxxx
----- Original Message -----
From: "Fbo2" <fbo2@xxxxxxx>
To: "htcondor-users" <htcondor-users@xxxxxxxxxxx>
Sent: Tuesday, 28 November 2017 09:39:20
Subject: [HTCondor-users] HTCondor's Attack on Kerberos
Hi everyone,
since we use Kerberos for all authentication tasks,
I was happy to see that HTCondor is able to use it
as well. So I added this to my config:
SEC_WRITE_AUTHENTICATION = REQUIRED
SEC_WRITE_AUTHENTICATION_METHODS = KERBEROS
SEC_ADMINISTRATOR_AUTHENTICATION = REQUIRED
SEC_ADMINISTRATOR_AUTHENTICATION_METHODS = KERBEROS
SEC_NEGOTIATOR_AUTHENTICATION_METHODS = KERBEROS
SEC_COLLECTOR_AUTHENTICATION_METHODS = KERBEROS
SEC_STARTD_AUTHENTICATION_METHODS = KERBEROS
SEC_ADVERTISE_MASTER_AUTHENTICATION_METHODS = KERBEROS
SEC_ADVERTISE_STARTD_AUTHENTICATION_METHODS = KERBEROS
SEC_ADVERTISE_SCHEDD_AUTHENTICATION_METHODS = KERBEROS
SEC_DEFAULT_AUTHENTICATION_METHODS = KERBEROS
SEC_CLIENT_AUTHENTICATION_METHODS = KERBEROS
... which works but:
My Kerberos-KDCs started to become unresponsive. HTCondor
processes seem not to cache their tickets but to get new
ones for each communication process (i.e. STARTD updating
classads). With a lot of nodes in the pool, this becomes
quite the challenge for Kerberos-KDCs.
Did anyone experience the same problem? Is it ill-advised to
use Kerberos for HTCondor server communication? Is there a
chance to force an on-disk ticket cache for HTCondor processes?
Best regards,
Frank
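One way to confirm from the KDC side that daemons are fetching new tickets instead of reusing cached ones, added here as an example that is not part of the original thread or of HTCondor: it assumes MIT Kerberos krb5kdc log lines, and the hosts, realm, sample lines and threshold are constructed.

```python
import re
from collections import Counter

# Constructed sample in MIT krb5kdc log format (assumption: the KDC is MIT
# Kerberos; hosts, addresses and the EXAMPLE.ORG realm are made up).
_FMT = ("Nov 28 09:{m}:{s} kdc1 krb5kdc[911](info): {kind} (4 etypes "
        "{{18 17 16 23}}) {ip}: ISSUE: authtime 1511858341, "
        "etypes {{rep=18 tkt=18 ses=18}}, {cl}@EXAMPLE.ORG for {svc}@EXAMPLE.ORG")
_ROWS = [
    ("39", "01", "TGS_REQ", "10.0.0.11", "host/node01.example.org", "host/cm.example.org"),
    ("39", "07", "TGS_REQ", "10.0.0.11", "host/node01.example.org", "host/cm.example.org"),
    ("39", "15", "TGS_REQ", "10.0.0.11", "host/node01.example.org", "host/cm.example.org"),
    ("39", "20", "TGS_REQ", "10.0.0.12", "host/node02.example.org", "host/cm.example.org"),
    ("40", "02", "AS_REQ", "10.0.0.11", "host/node01.example.org", "krbtgt/EXAMPLE.ORG"),
]
SAMPLE_LOG = "\n".join(
    [_FMT.format(m=m, s=s, kind=k, ip=ip, cl=cl, svc=svc) for m, s, k, ip, cl, svc in _ROWS]
    + ["Nov 28 09:40:03 kdc1 krb5kdc[911](info): closing down fd 12"]  # unrelated line
)

# Matches only successful issues: "<kind> (...) <ip>: ISSUE: ..., <client> for <service>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d):\d\d\s+\S+\s+krb5kdc\[\d+\]\(info\):\s+"
    r"(?P<kind>AS_REQ|TGS_REQ)\s+\(.*?\)\s+(?P<ip>\S+?):\s+ISSUE:.*?,\s+"
    r"(?P<client>\S+)\s+for\s+(?P<service>\S+)$"
)

def requests_per_minute(log_text):
    """Count issued tickets per (minute, request kind, client, service)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            counts[(m["ts"], m["kind"], m["client"], m["service"])] += 1
    return counts

def repeat_requesters(log_text, threshold=3):
    """Clients issued a ticket for the same service >= threshold times in one
    minute. A client reusing a cached ticket would appear once per ticket
    lifetime, so repeats point at missing caching. threshold is hypothetical."""
    hits = [(cl, svc, ts, n)
            for (ts, _kind, cl, svc), n in requests_per_minute(log_text).items()
            if n >= threshold]
    return sorted(hits)

if __name__ == "__main__":
    for client, service, minute, n in repeat_requesters(SAMPLE_LOG):
        print(f"{minute}  {client} -> {service}: {n} tickets issued")
```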