
Re: [HTCondor-users] wrong authentication method



When a daemon is rejected when it attempts to advertise itself to the collector, it will attempt to request an IDToken from the collector. If the request is approved, then the collector will create the IDToken and send it securely to the requesting daemon. That daemon will write the token to disk and then use it to advertise to the collector. Normally, requests must be explicitly approved by an administrator with the command condor_token_request_approve. There is also an auto-approve mode, which can be enabled during cluster setup on a trusted (usually private) network.

This is intended to be an easy way to set up strong authentication within a new cluster of machines without having to explicitly copy signing keys or tokens between hosts.

The daemon making a token request indicates that SSL authentication failed when the daemon contacted the collector. There should be some entries in the daemon log reporting that. You can add the D_SECURITY debug level for both the daemon and collector to get additional information for why SSL failed.

 - Jaime

On Sep 18, 2024, at 9:09 AM, john.henry.lee--- via HTCondor-users <htcondor-users@xxxxxxxxxxx> wrote:

I have this on our startd machine which is running on Azure.

SEC_DAEMON_INTEGRITY = REQUIRED
SEC_DAEMON_AUTHENTICATION = REQUIRED
SEC_DAEMON_AUTHENTICATION_METHODS = SSL
SEC_NEGOTIATOR_INTEGRITY = REQUIRED
SEC_NEGOTIATOR_AUTHENTICATION = REQUIRED
SEC_NEGOTIATOR_AUTHENTICATION_METHODS = SSL

ALLOW_DAEMON = ssl@unmapped
SSL_DIR = /opt/secure/keys
AUTH_SSL_CLIENT_CAFILE = $(SSL_DIR)/certs/ca.pem
AUTH_SSL_CLIENT_CERTFILE = $(SSL_DIR)/certs/$(FULL_HOSTNAME).pem
AUTH_SSL_CLIENT_KEYFILE = $(SSL_DIR)/private_keys/$(FULL_HOSTNAME).pem
AUTH_SSL_SERVER_CAFILE = $(SSL_DIR)/certs/ca.pem
AUTH_SSL_SERVER_CERTFILE = $(SSL_DIR)/certs/$(FULL_HOSTNAME).pem
AUTH_SSL_SERVER_KEYFILE = $(SSL_DIR)/private_keys/$(FULL_HOSTNAME).pem
SEC_CLIENT_AUTHENTICATION_METHODS = FS, SSL

The daemon starts up. However, in my MasterLog, it's asking for IDTOKENs?

I see,

Authorization Server 'condor@domain/addr'
Token request not approved; will retry in 5 seconds?

Why is it doing that?
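Jaime's reply says the token request is the fallback after SSL authentication failed, and that the first thing to find out is why SSL failed. A quick offline check of the configuration quoted in the question is to resolve the `$(SSL_DIR)` and `$(FULL_HOSTNAME)` macros the same way the daemon would and confirm that every resulting file actually exists, that the private keys are not readable by other users, and that SSL is really in the method lists. The script below is an added example, not code from HTCondor or from either poster; it embeds the settings from the question as constructed input, and the hostname `startd01.example.internal` is an assumed stand-in for whatever `FULL_HOSTNAME` evaluates to on the real machine.

```python
"""Resolve the HTCondor SSL settings quoted in the thread and report what to check."""
import re
from pathlib import Path

# Constructed input: the SSL-related settings quoted in the question.
CONFIG_TEXT = """
SEC_DAEMON_AUTHENTICATION = REQUIRED
SEC_DAEMON_AUTHENTICATION_METHODS = SSL
ALLOW_DAEMON = ssl@unmapped
SSL_DIR = /opt/secure/keys
AUTH_SSL_CLIENT_CAFILE = $(SSL_DIR)/certs/ca.pem
AUTH_SSL_CLIENT_CERTFILE = $(SSL_DIR)/certs/$(FULL_HOSTNAME).pem
AUTH_SSL_CLIENT_KEYFILE = $(SSL_DIR)/private_keys/$(FULL_HOSTNAME).pem
AUTH_SSL_SERVER_CAFILE = $(SSL_DIR)/certs/ca.pem
AUTH_SSL_SERVER_CERTFILE = $(SSL_DIR)/certs/$(FULL_HOSTNAME).pem
AUTH_SSL_SERVER_KEYFILE = $(SSL_DIR)/private_keys/$(FULL_HOSTNAME).pem
SEC_CLIENT_AUTHENTICATION_METHODS = FS, SSL
"""

# Assumed value for the built-in macro that a running daemon supplies itself.
BUILTINS = {"FULL_HOSTNAME": "startd01.example.internal"}

SSL_FILE_KEYS = (
    "AUTH_SSL_CLIENT_CAFILE", "AUTH_SSL_CLIENT_CERTFILE", "AUTH_SSL_CLIENT_KEYFILE",
    "AUTH_SSL_SERVER_CAFILE", "AUTH_SSL_SERVER_CERTFILE", "AUTH_SSL_SERVER_KEYFILE",
)
MACRO_RE = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")


def parse_config(text):
    """Parse 'NAME = value' lines into a dict; blank lines and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            cfg[name.strip().upper()] = value.strip()
    return cfg


def expand(cfg, name, builtins=BUILTINS, depth=0):
    """Recursively expand $(MACRO) references; an undefined macro expands to ''."""
    if depth > 20:
        raise ValueError("macro recursion too deep while expanding " + name)
    raw = cfg.get(name.upper(), builtins.get(name.upper(), ""))
    return MACRO_RE.sub(lambda m: expand(cfg, m.group(1), builtins, depth + 1), raw)


def method_list(cfg, name):
    """Split a comma-separated *_AUTHENTICATION_METHODS value into upper-case names."""
    return [m.strip().upper() for m in expand(cfg, name).split(",") if m.strip()]


def check_ssl_setup(cfg):
    """Return findings to clear up on the daemon host before looking at the collector:
    unresolvable or missing files, a private key readable by others, and a
    method list that does not actually contain SSL."""
    findings = []
    for key in SSL_FILE_KEYS:
        path = expand(cfg, key)
        if not path:
            findings.append(f"{key} is empty after macro expansion")
            continue
        p = Path(path)
        if not p.is_file():
            findings.append(f"{key} -> {path}: file not found")
        elif key.endswith("KEYFILE") and p.stat().st_mode & 0o077:
            findings.append(f"{key} -> {path}: private key readable by group/others")
    for name in ("SEC_DAEMON_AUTHENTICATION_METHODS", "SEC_CLIENT_AUTHENTICATION_METHODS"):
        if "SSL" not in method_list(cfg, name):
            findings.append(f"{name} does not list SSL")
    return findings


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    for key in SSL_FILE_KEYS:
        print(f"{key:28} = {expand(cfg, key)}")
    for finding in check_ssl_setup(cfg) or ["no findings"]:
        print("*", finding)
```

Run it on the daemon host with `FULL_HOSTNAME` set to what `condor_config_val FULL_HOSTNAME` reports there; any "file not found" line is a cheaper explanation for the SSL failure than anything on the collector side. Once the files resolve, the D_SECURITY debug level Jaime mentions (for example `STARTD_DEBUG = D_SECURITY` and `COLLECTOR_DEBUG = D_SECURITY`, then a reconfig) shows which side rejected the SSL handshake and why.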