Mailing List Archives

Authenticated access

 		[Computer Systems Lab]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] Migration from 8.8.8 to 9.0.9, single user, non root, multi machine setup, help

Hi Tood,

Many thanks for the help! That was exactly it!

Wrote a quick guide for personal reference but, as it may help others, put it online.

https://wasteofserver.com/htcondor-install-and-configure-as-non-root/

Once again, many thanks,
Francisco


----


On Fri, Feb 25, 2022 at 8:54 PM Todd Tannenbaum <tannenba@xxxxxxxxxxx> wrote:
On 2/24/2022 7:44 PM, frankie.lc@xxxxxxxxx wrote:
To anyone getting here via Google,

I am still not entirelyÂsure why SSL is failing, but I was able to overcome this by disabling the host check.

SSL_SKIP_HOST_CHECK = false

Hope this helps,
Francisco

Hi Francisco,

Glad you got it working!

I think the trouble you ran into is normally an SSL host certificate will normally have the Common Name (CN) field set to be the fully qualified name for the system that uses the certificate (e.g. foo.myorg.com). In the certificate below, it looks like CN is set to be "Example Condor", which is why you needed to tell HTCondor to "skip the host check" -- in the host check process, the client says "I want to connect to machine xxx.yyy.com", and then the client will confirm that the CN in the SSL certificate on the server also contains "xxx.yyy.com". If the name of the machine the client connected to does not match the CN in the certificate, SSL authentication will fail unless you set "SSL_SKIP_HOST_CHECK".Â

Personally, I find SSL configuration to be very exasperating (whether it be for HTCondor, or a web server, or anything at all actually!), and for my own small HTCondor pools I would gravitate towards either POOL or IDTOKENS authentication.


Hope the above helps
Todd

----


On Thu, Feb 24, 2022 at 2:13 AM Francisco Leite de Castro <frankie.lc@xxxxxxxxx> wrote:
Hi,

I run a small cluster of 4 machines as a non-root user
Upgrading to 9.0.9 I've been tryingÂto get "condor_status" toÂwork for a couple of days now, I haven't even tried multi-machines, but it's been to noÂavail, maybe someone here can help.

Relevant portion of condor_config

AUTH_SSL_SERVER_CAFILE = Â /home/frankie/certs/ca_cert.crt
AUTH_SSL_SERVER_CERTFILE = /home/frankie/certs/condor.crt
AUTH_SSL_SERVER_KEYFILE = Â/home/frankie/certs/condor.key

AUTH_SSL_CLIENT_CAFILE = Â /home/frankie/certs/ca_cert.crt
AUTH_SSL_CLIENT_CERTFILE = /home/frankie/certs/condor.crt
AUTH_SSL_CLIENT_KEYFILE = Â/home/frankie/certs/condor.key

SEC_DEFAULT_AUTHENTICATION = REQUIRED
SEC_DEFAULT_AUTHENTICATION_METHODS = SSL

SEC_DAEMON_AUTHENTICATION = REQUIRED
SEC_DAEMON_AUTHENTICATION_METHODS = SSL
SEC_DAEMON_INTEGRITY = REQUIRE
SEC_DAEMON_ENCRYPTION = REQUIRED

ALLOW_READ Â Â Â Â Â= frankie@*
ALLOW_WRITE Â Â Â Â = frankie@*
ALLOW_ADMINISTRATOR = frankie@*
ALLOW_CONDIG Â Â Â Â= frankie@*
ALLOW_NEGOTIATOR Â Â= frankie@*
ALLOW_DAEMON Â Â Â Â= frankie@*

CERTIFICATE_MAPFILE = /home/frankie/certs/condor_mapfile

I have just this one entry on the mapfile:

SSL "/C=UK/L=London/CN=CAST Condor/emailAddress=frankie@xxxxxxxxxxx" frankie

If I do a "condor_q -debug" everything goes ok.

02/24/22 01:52:48 (fd:4) (pid:37179) (D_SECURITY) SSL authentication succeeded to /C=UK/L=London/CN=Example Condor/emailAddress=frankie@xxxxxxxxxxx
02/24/22 01:52:48 (fd:4) (pid:37179) (D_SECURITY) Authentication was a Success.
02/24/22 01:52:48 (fd:4) (pid:37179) (D_SECURITY) AUTHENTICATION: setting default map to ssl@unmapped
02/24/22 01:52:48 (fd:4) (pid:37179) (D_SECURITY) AUTHENTICATION: Parsing map file.
02/24/22 01:52:48 (fd:4) (pid:37179) (D_SECURITY) AUTHENTICATION: post-map: current FQU is 'frankie@xxxxxxxxxxxxxxxxx'
(...)
Total for query: 0 jobs; 0 completed, 0 removed, 0 idle, 0 running, 0 held, 0 suspended

If I do a "condor_status -debug" it fails with this:

02/24/22 01:54:17 (fd:4) (pid:37183) (D_SECURITY) Client trying post connection check.
02/24/22 01:54:17 (fd:4) (pid:37183) (D_SECURITY) SSL Auth: post_connection_check.
02/24/22 01:54:17 (fd:4) (pid:37183) (D_SECURITY) SSL_get_peer_certificate returned data.
02/24/22 01:54:17 (fd:4) (pid:37183) (D_SECURITY) No SSL host name specified.
02/24/22 01:54:17 (fd:4) (pid:37183) (D_SECURITY) SSL Auth: Error on check of peer certificate
02/24/22 01:54:17 (fd:4) (pid:37183) (D_SECURITY) SSL Auth: application verification failure
02/24/22 01:54:17 (fd:4) (pid:37183) (D_SECURITY) Client performs one last exchange of messages.
02/24/22 01:54:17 (fd:4) (pid:37183) (D_SECURITY) SSL Auth: SSL Authentication failed
(...)
Error: communication error
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using SSL

I followed these directivesÂto create the .crt files. The condor.crt file has this info:

Certificate:
  Data:
    Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C = UK, L = London, CN = Example Condor
    Validity
      Not Before: Feb 23 23:41:18 2022 GMT
      Not After : Feb 21 23:41:18 2032 GMT
    Subject: C = UK, L = London, CN = Example Condor, emailAddress = frankie@xxxxxxxxxxx
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        RSA Public-Key: (2048 bit)
      (...)
      X509v3 Subject Alternative Name:
        DNS:localhost, DNS:box-1, DNS:box-1.example.com, IP Address:192.168.5.121
  Signature Algorithm: sha256WithRSAEncryption

I've tried, but can't figure if it's something I'm messing on the SSL side or on condor side.
Following the message "No SSL host name specified." we can trace the function here:

if (fqdn.empty()) {
  dprintf(D_SECURITY, "No SSL host name specified.\n");
  goto err_occured;
}

But it still leaves me empty-handed.

Can anyone spot what I'm doing wrong?

Many thanks,
Frankie




----

_______________________________________________
HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting
https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users

The archives can be found at:
https://lists.cs.wisc.edu/archive/htcondor-users/


-- 
Todd Tannenbaum <tannenba@xxxxxxxxxxx>  University of Wisconsin-Madison
Center for High Throughput Computing    Department of Computer Sciences
Calendar: https://tinyurl.com/yd55mtgd  1210 W. Dayton St. Rm #4257
Phone: (608) 263-7132                   Madison, WI 53706-1685