Beat Rubischon <[email protected]> writes:

> Everything is better than the standard "security" used in Grid Engine.
> Even port based authentication in NFS and RSH offers more security.

Yes, roughly.  Maybe not if "everything" includes false reassurances or
security theatre.  The assumption of no malicious users is written down,
at least...

> On 16.05.12 17:09, Prentice Bisbal wrote:
>> I dealt with this problem by generating new certificates, but then
>> this problem showed up again about 6 months later, so I generated new
>> certificates again.
>
> That's standard in the X.509 world. Your certificates have expiry dates
> and you have to renew them before they expire. The standard in the Grid
> Engine scripts is 6 months. You may expand this value, but sooner or
> later you will run into the same troubles.

[The default lifetime in current versions is actually a year, with a
month for the CRL time.]  By the way, see
http://arc.liv.ac.uk/repos/darcs/sge/source/security/sec/csp.html for
CSP doc, but it's not necessarily up-to-date.

> There are different approaches. Like good old "ident", where the server
> (in this case the queuemaster) asks the client for the username which
> initiated the connection. There are even better solutions like MUNGE [1]
> used by SLURM, based on cryptographic hashes. Finally there was a
> solution in the Grid Engine 5.x times where the client binaries were
> installed SUID root

I wouldn't be very confident making the clients suid after looking at
the code.

> and connected from a privileged port - the way rsh
> works. Sadly this support was dropped in the 6.x line in favor of CSP.
>
> [1] http://munge.googlecode.com/

I thought there was a ticket for that already, but apparently not.  I'm
more interested in GSS but I'd be happy to install direct MUNGE support
if anyone wants to work on it.  In the meantime it should be possible to
use the hooks for the GSS security method, probably just with scripts
using munge/unmunge.

> CSP is probably a far too complex solution for the problem. But it's the
> only available one at the moment.

There is GSS support, again via helper programs which now run.  In
principle that has the advantage of credential handling for AFS/NFS
etc., but tokens are exposed in the spooled job and not renewed anyway.
(I may have said previously that credential storage didn't work anyhow,
but that turned out to be confusion with the unfortunate way our Active
Directory (*spit*) is set up.)  See also
<http://arc.liv.ac.uk/SGE/workshop10-12.09.07/K5SGE.pdf>.  [OGS appears
committed to making the Kerberos support work
<http://sourceforge.net/mailarchive/message.php?msg_id=27641127>,
however inadvisable.]

-- 
Community Grid Engine: http://arc.liv.ac.uk/SGE/
_______________________________________________
users mailing list
[email protected]
https://gridengine.org/mailman/listinfo/users
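The MUNGE-style approach discussed in the message above (a credential the queuemaster can verify against a cluster-wide secret, instead of trusting an ident reply or a privileged source port) as an added example. This is illustrative code written for this page, not code from the Grid Engine project, from MUNGE, or from the poster; MUNGE's real wire format, key file handling and defaults differ, and the field names, TTL, function names and the sample uid/gid/payload below are assumptions made up for the example.

```python
# Added illustration of a MUNGE-style credential: an HMAC over uid/gid/time/nonce
# keyed with a cluster-wide shared secret.  Not MUNGE's real wire format and not
# Grid Engine code; field names, TTL and key handling are assumptions.
import base64
import hashlib
import hmac
import json
import os
import time

MAC_LEN = hashlib.sha256().digest_size   # 32 bytes
CRED_TTL = 300                            # assumed validity window in seconds

# Assumption: in a real deployment the key lives in a root-only file on every
# node; it is generated in memory here so the example runs offline.
SHARED_KEY = os.urandom(32)


def encode_credential(uid, gid, payload=b"", key=SHARED_KEY, now=None):
    """Client side: bind the caller's uid/gid (and optional payload) to the key.

    A client that lacks `key` cannot produce a MAC the server accepts.  That is
    the property ident and privileged-port checks lack: they trust the sender.
    """
    now = int(time.time()) if now is None else int(now)
    body = {
        "uid": int(uid),
        "gid": int(gid),
        "time": now,
        "nonce": base64.b64encode(os.urandom(12)).decode(),
        "payload": base64.b64encode(payload).decode(),
    }
    body_bytes = json.dumps(body, sort_keys=True).encode()
    mac = hmac.new(key, body_bytes, hashlib.sha256).digest()
    return base64.b64encode(body_bytes + mac).decode()


class CredentialVerifier:
    """Server side (what the queuemaster would run): MAC, TTL and replay checks."""

    def __init__(self, key=SHARED_KEY, ttl=CRED_TTL):
        self.key = key
        self.ttl = ttl
        self.seen = {}  # nonce -> time after which the entry can be forgotten

    def decode(self, cred, now=None):
        now = int(time.time()) if now is None else int(now)
        raw = base64.b64decode(cred)
        if len(raw) <= MAC_LEN:
            raise ValueError("malformed credential")
        body_bytes, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        # Verify the MAC in constant time before parsing anything.
        expected = hmac.new(self.key, body_bytes, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            raise ValueError("bad MAC: wrong key or tampered credential")
        body = json.loads(body_bytes)
        if abs(now - body["time"]) > self.ttl:
            raise ValueError("credential outside TTL window")
        # Replay cache: drop nonces whose credentials could no longer validate.
        self.seen = {n: t for n, t in self.seen.items() if t > now}
        if body["nonce"] in self.seen:
            raise ValueError("replayed credential")
        self.seen[body["nonce"]] = body["time"] + self.ttl
        return body["uid"], body["gid"], base64.b64decode(body["payload"])


def ident_style_identity(claimed_user):
    """What an ident-style check amounts to: whatever the client host asserts."""
    return claimed_user


def demo(now=1_700_000_000):
    """Exercise the checks on constructed inputs; returns a name -> outcome map."""
    results = {}
    server = CredentialVerifier()
    good = encode_credential(1000, 100, b"qsub job.sh", now=now)   # constructed
    results["valid"] = server.decode(good, now=now)
    for name, cred, at in [
        ("replay", good, now),                                      # same nonce again
        ("forged", encode_credential(0, 0, key=os.urandom(32), now=now), now),
        ("expired", encode_credential(1000, 100, now=now), now + CRED_TTL + 1),
    ]:
        try:
            server.decode(cred, now=at)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err).split(":")[0]
    results["ident"] = ident_style_identity("root")  # accepted, never verified
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:8s} {outcome}")
```

The replay cache is what makes the nonce useful: without it a captured credential would remain valid for the whole TTL window, which is the same exposure the message notes for tokens left in the spooled job.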
