Re: [condor-users] Some questions concerning security in Condor
- Date: Tue, 24 Feb 2004 14:05:01 -0600
- From: Zachary Miller <zmiller@xxxxxxxxxxx>
- Subject: Re: [condor-users] Some questions concerning security in Condor
> In order to win over our computing services guys and get them to
> consider putting Condor on campus-wide facilities, I'd be grateful if
> anyone can answer some of the questions that have been raised, and
> detailed below. I'd like say that by fielding these questions we are in
> no way implying any sort of slur on any aspects of Condor, but I have
> been warned that some people/organizations can feel slighted at having
> the security of their products questioned. We mean no such offence.
none taken!
> 1) Does Condor support TCP_wrappers?
no... tcp_wrappers says:
Requirements are that network daemons are spawned by a super server
such as the inetd;
currently, the condor daemons persist and handle their own incoming
connections rather than being launched by a "super server".
however, condor has its own ability to log incoming connections, and even
allow/deny based on IP address, which is the typical use of tcp_wrappers. if
this is all you need, maybe condor's existing mechanisms will suffice. if you
were planning on using the more advanced features of tcp_wrappers you are
unfortunately out of luck.
> 2) Has anyone done a security assessment/audit of Condor? If so, can we
> see the results?
the only thing i have is some older work done by another group here at the
UW, the paradyn project. http://www.cs.wisc.edu/paradyn/
under the "Technical Papers" section, there is a paper titled "Playing Inside
the Black Box: Using Dynamic Instrumentation to Create Security Holes" which
talks about a complicated exploit to older (i think pre 6.2.X) versions of
condor. here's a link to postscript and pdf versions:
ftp://ftp.cs.wisc.edu/paradyn/technical_papers/dyn-security.ps
ftp://ftp.cs.wisc.edu/paradyn/technical_papers/dyn-security.pdf
> 3) Section 3.7.4.1, "GSI Authentication" in the Condor v6.6 manual
> implies that the distinguished name of certificates for the Condor
> daemons should be of the form:
>
> /C=?/O=?/O=?/OU=?/CN=<daemon_name@domain>
>
> which is not of the same form as the distinguished name of certificates
> issued by the UK e-Science CA. So, is it the case that the distinguished
> name of certificates for the Condor daemons has to be of the form given
> above, or is this just an example?
it was just an example. condor can handle and use distinguished names in other
formats too.
> For comparison, the UK e-Science CA
> issues user certificates with distinguished names of the form:
>
> /C=UK/O=eScience/OU=?/L=?/CN=<name of user>
>
> host/server certificates with distinguished names of the form:
>
> /C=UK/O=eScience/OU=?/L=?/CN=<hostname>/Email=<some_name@domain>
no problem. but i am curious about the Email... whose email is that, the
sysadmin responsible for the host?
please feel free to ask more questions!
cheers,
-zach
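To make the point about certificate subject formats concrete, here is an added example (not code from the Condor project or from this thread) that parses OpenSSL-style distinguished names such as the ones quoted above, compares the attribute "shape" of the manual's `/C=?/O=?/O=?/OU=?/CN=...` form with the UK e-Science `/C=UK/O=eScience/OU=?/L=?/CN=...` forms, and resolves a subject to a local account through a gridmap-style mapping file. The gridmap format assumed here (`"<DN>" localuser`, one per line) is the conventional GSI mapping file format; the DNs, hostnames, addresses and local usernames are constructed placeholders, and the mapping file content is constructed for the example.

```python
"""Distinguished-name parsing and gridmap-style subject mapping.

Added illustration, not Condor's own code. All DNs, usernames and the
mapping file below are constructed placeholders.
"""
import shlex
from typing import Dict, List, Optional, Tuple

RDN = Tuple[str, str]  # (attribute, value), e.g. ("CN", "node01.example.ac.uk")


def parse_dn(dn: str) -> List[RDN]:
    """Split '/C=UK/O=eScience/CN=x' into [('C','UK'), ('O','eScience'), ('CN','x')].

    Order is preserved on purpose: the same attributes in a different order
    are a different subject and must not map to the same account.
    Caveat: the OpenSSL one-line form is ambiguous if a value itself contains
    '/', so a '/' inside a value is rejected here rather than guessed at.
    """
    if not dn.startswith("/"):
        raise ValueError(f"DN must start with '/': {dn!r}")
    rdns: List[RDN] = []
    for part in dn[1:].split("/"):
        if "=" not in part:
            raise ValueError(f"malformed component {part!r} in DN {dn!r}")
        attr, value = part.split("=", 1)
        if not attr or not value:
            raise ValueError(f"empty attribute or value in DN {dn!r}")
        rdns.append((attr, value))
    return rdns


def format_dn(rdns: List[RDN]) -> str:
    """Canonical string form used as the lookup key (exact, order-sensitive)."""
    return "".join(f"/{attr}={value}" for attr, value in rdns)


def dn_shape(dn: str) -> str:
    """Attribute skeleton, e.g. 'C/O/OU/L/CN', ignoring the values.

    Useful for checking whether a CA's subjects look like the manual's example
    form; as the thread says, the values and layout need not match it.
    """
    return "/".join(attr for attr, _ in parse_dn(dn))


def parse_gridmap(text: str) -> Dict[str, str]:
    """Parse '"<DN>" localuser' lines; blank lines and '#' comments are skipped.

    The DN is re-parsed and re-serialised so that lookups and entries share
    one canonical form; a malformed DN in the file is an error, not a silent
    miss, because a bad line here is a failed (or wrong) authorisation later.
    """
    mapping: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # honours the quotes around a DN with spaces
        if len(fields) != 2:
            raise ValueError(f"gridmap line {lineno}: expected '\"<DN>\" user'")
        dn, user = fields
        mapping[format_dn(parse_dn(dn))] = user
    return mapping


def map_subject(dn: str, mapping: Dict[str, str]) -> Optional[str]:
    """Return the local user for a certificate subject, or None if unmapped."""
    return mapping.get(format_dn(parse_dn(dn)))


# Constructed mapping file: one user certificate and one host certificate
# in the UK e-Science layouts quoted in the thread (values are placeholders).
GRIDMAP = """
# constructed example; not a real site file
"/C=UK/O=eScience/OU=ExampleUni/L=Physics/CN=alice example" alice
"/C=UK/O=eScience/OU=ExampleUni/L=Physics/CN=node01.example.ac.uk/Email=condor-admin@example.ac.uk" condor
"""

USER_DN = "/C=UK/O=eScience/OU=ExampleUni/L=Physics/CN=alice example"
HOST_DN = ("/C=UK/O=eScience/OU=ExampleUni/L=Physics/CN=node01.example.ac.uk"
           "/Email=condor-admin@example.ac.uk")
MANUAL_STYLE_DN = "/C=US/O=ExampleOrg/O=ExampleDept/OU=Condor/CN=condor@example.ac.uk"
REORDERED_DN = "/O=eScience/C=UK/OU=ExampleUni/L=Physics/CN=alice example"


def demo() -> Dict[str, Optional[str]]:
    """Resolve the sample subjects; the reordered DN must NOT map to alice."""
    mapping = parse_gridmap(GRIDMAP)
    return {
        "user": map_subject(USER_DN, mapping),
        "host": map_subject(HOST_DN, mapping),
        "manual_style": map_subject(MANUAL_STYLE_DN, mapping),
        "reordered": map_subject(REORDERED_DN, mapping),
    }


if __name__ == "__main__":
    for name, dn in [("manual example", MANUAL_STYLE_DN), ("e-Science host", HOST_DN)]:
        print(f"{name:15s} shape: {dn_shape(dn)}")
    for subject, user in demo().items():
        print(f"{subject:13s} -> {user}")
```

The `dn_shape` comparison shows what the thread is saying: the manual's form has the skeleton `C/O/O/OU/CN`, the e-Science host form `C/O/OU/L/CN/Email`, and the mapping step does not care which one a site uses as long as the entry in the mapping file is the exact subject the CA issued. The reordered-DN case is the check worth keeping in mind when writing such entries by hand.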
Condor Support Information:
http://www.cs.wisc.edu/condor/condor-support/