Hello,
We're trying to remove IPv4 addresses from some worker nodes which are otherwise already set up.
We use Kerberos for authentication and noticed the following in the /var/log/condor/StartLog:
01/16/25 16:09:24 AUTHENTICATE: ERROR: authenticated remote host does not match connection address (32.1.20.88 vs 2001:1458:1234::aa); configure DISABLE_AUTHENTICATION_IP_CHECK=TRUE if this check should be skipped
01/16/25 16:09:24 SECMAN: required authentication with collector <collector-hostname>:10029 failed, so aborting command UPDATE_STARTD_AD.
The IPv4 address above (32.1.20.88) is not a real address: written in hex, its four bytes match the first 4 bytes of the IPv6 address (which belongs to the collector the startd is connecting to).
Following the message's recommendation to set DISABLE_AUTHENTICATION_IP_CHECK=TRUE doesn't help (relevant code: htcondor/src/condor_io/authentication.cpp:397 at ef83e48):
01/17/25 15:45:31 KERBEROS: remoteAddrs[] is {0x55beb9915c00, (nil)}
01/17/25 15:45:31 Remote host is 32.1.20.88
01/17/25 15:45:31 AUTHENTICATE: method 64 (KERBEROS) failed.
Could something like the following be sufficient to fix this?
diff --git a/src/condor_io/authentication.cpp b/src/condor_io/authentication.cpp
index 29d140e4fc..6c989b737d 100644
--- a/src/condor_io/authentication.cpp
+++ b/src/condor_io/authentication.cpp
@@ -394,9 +394,10 @@ authenticate:
âââââââââââââââââchar const *sockip = mySock->peer_ip_str();
âââââââââââââââââchar const *authip = m_auth->getRemoteHost() ;
-âââââââââââââââââauth_rc = !sockip || !authip || !strcmp(sockip,authip);
-
-âââââââââââââââââif (!auth_rc && !param_boolean( "DISABLE_AUTHENTICATION_IP_CHECK", false)) {
+âââââââââââââââââif (!param_boolean("DISABLE_AUTHENTICATION_IP_CHECK", false)) {
+âââââââââââââââââââââââauth_rc = !sockip || !authip || !strcmp(sockip,authip);
+âââââââââââââââââ}
+âââââââââââââââââif (!auth_rc) {
âââââââââââââââââââââââerrstack->pushf("AUTHENTICATE", AUTHENTICATE_ERR_METHOD_FAILED,
âââââââââââââââââââââââââââââââââââââââââââââââ"authenticated remote host does not match connection address (%s vs %s)", authip, sockip );
âââââââââââââââââââââââdprintf (D_ALWAYS, "AUTHENTICATE: ERROR: authenticated remote host does not match connection address (%s vs %s); configure DISABLE_AUTHENTICATION_IP_CHECK=TRUE if this check should be skipped\n",authip,sockip);
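Review bot: When DISABLE_AUTHENTICATION_IP_CHECK is TRUE the new code never assigns `auth_rc`, so the result depends on whatever value it held before the first line of the hunk, which is not shown; if that is the method's success flag the change is correct, but a comment such as `// auth_rc still holds the method result; only the address comparison is skipped` would make the dependency explicit. Note also that `!sockip || !authip` counts a missing address as a match, so a method that fails to set its remote host is never caught by this comparison; a `dprintf(D_SECURITY, ...)` when either pointer is NULL, and another when the check is disabled and the two strings differ, would keep the mismatch visible in the log instead of silently accepting it. The enclosing function begins before and continues after the hunk.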
diff --git a/src/condor_io/condor_auth_kerberos.cpp b/src/condor_io/condor_auth_kerberos.cpp
index 313b81b494..acdbcd869e 100644
--- a/src/condor_io/condor_auth_kerberos.cpp
+++ b/src/condor_io/condor_auth_kerberos.cpp
@@ -1529,9 +1529,15 @@ void Condor_Auth_Kerberos :: setRemoteAddress()
dprintf(D_SECURITY | D_VERBOSE, "KERBEROS: remoteAddrs[] is {%p, %p}\n", remoteAddrs[0], remoteAddrs[1]);
if (remoteAddrs[0]) {
- struct in_addr in;
- memcpy(&(in.s_addr), (remoteAddrs[0])[0].contents, sizeof(in_addr));
- setRemoteHost(inet_ntoa(in));
+ char buf[INET6_ADDRSTRLEN];
+ int family = ((remoteAddrs[0])[0].addrtype == ADDRTYPE_INET6) ? AF_INET6 : AF_INET;
+ if (!inet_ntop(family, (remoteAddrs[0])[0].contents, buf, sizeof(buf))) {
+ dprintf(D_ALWAYS, "KERBEROS: Unable to parse remote address\n");
+ krb5_free_addresses_ptr(krb_context_, localAddrs);
+ krb5_free_addresses_ptr(krb_context_, remoteAddrs);
+ return;
+ }
+ setRemoteHost(buf);
}
krb5_free_addresses_ptr(krb_context_, localAddrs);
krb5_free_addresses_ptr(krb_context_, remoteAddrs);
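Review bot: The `family` selection on the second added line maps every addrtype other than ADDRTYPE_INET6 to AF_INET, so a non-IP Kerberos address type would be handed to inet_ntop, which then reads 4 or 16 bytes from `contents` regardless of the address's `length` field; checking addrtype against ADDRTYPE_INET explicitly and comparing `length` with `sizeof(struct in_addr)` / `sizeof(struct in6_addr)` before the call closes both gaps (the original memcpy had the same unchecked read). On the failure path the early return leaves the remote host unset, and authentication.cpp treats a NULL authip as a pass, so a parse failure presumably degrades to "no address check" rather than a rejection; that deserves at least a comment, and ideally the caller should treat it as a failed method. The duplicated krb5_free_addresses_ptr calls can be avoided by branching instead of returning early, as below; setRemoteAddress() continues after the hunk.
```cpp
if (remoteAddrs[0]) {
    const krb5_address &ra = (remoteAddrs[0])[0];
    int family = AF_UNSPEC;
    if (ra.addrtype == ADDRTYPE_INET && ra.length == sizeof(struct in_addr)) {
        family = AF_INET;
    } else if (ra.addrtype == ADDRTYPE_INET6 && ra.length == sizeof(struct in6_addr)) {
        family = AF_INET6;
    }
    char buf[INET6_ADDRSTRLEN];
    if (family == AF_UNSPEC || !inet_ntop(family, ra.contents, buf, sizeof(buf))) {
        // Remote host stays unset here; the IP check in authentication.cpp does not reject a missing address.
        dprintf(D_ALWAYS, "KERBEROS: unsupported or unparsable remote address (addrtype %d, length %u)\n",
                (int)ra.addrtype, ra.length);
    } else {
        setRemoteHost(buf);
    }
}
// … unchanged: krb5_free_addresses_ptr calls for localAddrs and remoteAddrs …
```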
A very basic test shows it works for this case:
01/17/25 16:17:50 KERBEROS: remoteAddrs[] is {0x559a2f920ed0, (nil)}
01/17/25 16:17:50 Remote host is 2001:1458:1234::aa
01/17/25 16:17:50 AUTHENTICATE: auth_status == 64 (KERBEROS)
01/17/25 16:17:50 Authentication was a Success.
(these logs are with STARTD_DEBUG = D_ANY:2)
Thanks,
Panos