Differences
This shows you the differences between two versions of the page.
condor:administration:password [2011/08/08 21:01] – created garrettheath4 | condor:administration:password [2011/08/08 21:02] (current) – deleted garrettheath4
======Password Authentication======

Authentication in Condor is flexible and robust, but it must be properly configured. Authentication allows a //server// process (not necessarily a process on the central manager) to confirm the identity, and therefore the validity, of a //client// process. Fancy forms of authentication are supported by Condor, such as certificate-based SSL authentication and Kerberos, but the basic forms of authentication are the local and remote filesystem methods and password-based authentication.
**Local filesystem authentication** is perhaps the strongest form of username-based authentication when administrative access to a computer is properly limited. It is performed when both the //server// and //client// processes are running on the same physical machine. This form of authentication will only be performed if the client's ''SEC_CLIENT_AUTHENTICATION_METHODS'' configuration variable and the server's ''SEC_DEFAULT_AUTHENTICATION_METHODS'' both list "''FS''" and they mutually agree to perform this form of authentication. If so, the client will write a file to the ''/tmp/'' folder. Assuming the client does not have ''root'' access((In Unix, the ''root'' administrative account is able to change the ownership and permissions of any file in the system. Thus, this form of authentication can be spoofed if a malicious client process has ''root'' access (God forbid!), since it would simply need to create the file and change its ownership to be whatever the server process expects.)), the file's ownership will be that of the client's effective user and group IDs. The server process then checks the user and group ownership against the user accounts of the local computer and/or user domain. If the ownership is what the server process expected, the server considers the client authenticated and uses the client's credentials to decide whether the client has the proper permissions to have its request fulfilled. The credentials take the form ''<username>@<hostname>/<domain>''. Thus, if a client process's "''<username>@<hostname>/<domain>''" is listed in the appropriate ''ALLOW_*'' configuration variable, the client's request is fulfilled by the server.
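The exchange described above, modelled in Python as an added example (this is not Condor's own code; the random file name, the lstat-based rejection of symlinks and the exact-match ''ALLOW_*'' check are simplifications assumed here for illustration). The server names a file, the client creates it, and the server trusts nothing but the owner uid the kernel recorded, then maps the authenticated identity to a ''<username>@<hostname>/<domain>'' credential for the authorization step:

```python
import os
import secrets
import stat
import tempfile


def server_issue_challenge(tmp_dir):
    """Server side: pick an unguessable path the client must create.
    The random suffix is an assumption of this example, not Condor's
    real naming scheme."""
    return os.path.join(tmp_dir, "FS_" + secrets.token_hex(16))


def client_respond(path):
    """Client side: create the file. Its owner becomes the client's
    effective uid/gid, which is the only fact the server will trust."""
    fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
    os.close(fd)


def server_verify(path, expected_uid):
    """Server side: the file must exist, be a plain file (a symlink is
    rejected via lstat so a link to someone else's file cannot pass)
    and be owned by the uid the client claims. The file is removed
    whichever way the check goes. Note that a root client could still
    chown the file, which is exactly the caveat in the footnote above."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    try:
        if not stat.S_ISREG(st.st_mode):
            return False
        return st.st_uid == expected_uid
    finally:
        os.unlink(path)


def fs_authenticate(tmp_dir, expected_uid, client=client_respond):
    """One complete FS exchange; returns True iff the client is authenticated."""
    path = server_issue_challenge(tmp_dir)
    try:
        client(path)
    except OSError:
        pass  # client could not create the file; verification fails below
    return server_verify(path, expected_uid)


def authorize(username, hostname, domain, allow_list):
    """Authorization step: build the credential string the text describes
    and look it up in an ALLOW_* list (simplified to exact match here;
    real ALLOW_* entries also accept wildcard patterns)."""
    credential = f"{username}@{hostname}/{domain}"
    return credential in allow_list


def run_exchanges(tmp_dir=None):
    """Three constructed scenarios: an honest client, a client whose
    claimed uid does not match the file owner, and a client that answers
    with a symlink instead of creating a file. Returns the three verdicts."""
    me = os.geteuid()
    with tempfile.TemporaryDirectory(dir=tmp_dir) as d:
        honest = fs_authenticate(d, me)
        wrong_uid = fs_authenticate(d, me + 1)
        target = os.path.join(d, "existing_file_owned_by_me")
        open(target, "w").close()
        symlink_answer = fs_authenticate(d, me,
                                         client=lambda p: os.symlink(target, p))
    return honest, wrong_uid, symlink_answer


if __name__ == "__main__":
    import pwd
    honest, wrong_uid, symlink_answer = run_exchanges()
    print("honest client authenticated:", honest)          # True
    print("uid mismatch authenticated:", wrong_uid)        # False
    print("symlink answer authenticated:", symlink_answer) # False
    name = pwd.getpwuid(os.geteuid()).pw_name
    print("authorized:", authorize(name, "host", "example.org",
                                   {f"{name}@host/example.org"}))  # True
```

The point of ''lstat'' and the ''S_ISREG'' check is that the server only ever inspects the object the client itself created; ownership is set by the kernel at creation time, so without ''root'' the client cannot make the file appear to belong to anyone else.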

**Remote filesystem authentication** FIXME

**Password-based authentication** FIXME

Password authentication in Condor has its downsides.