Opened 10 years ago

Last modified 9 years ago

#714 new enhancement

IZ3118: Delegate Kerberos credentials for built-in rsh/rlogin methods

Reported by: ondrej
Owned by:
Priority: normal
Milestone:
Component: sge
Version: 6.2u3
Severity:
Keywords: Linux communication
Cc:

Description

[Imported from gridengine issuezilla http://gridengine.sunsource.net/issues/show_bug.cgi?id=3118]

Issue #: 3118
Platform: All
Reporter: ondrej (ondrej)
Component: gridengine
OS: Linux
Subcomponent: communication
Version: 6.2u3
CC: None defined
Status: NEW
Priority: P3
Resolution:
Issue type: ENHANCEMENT
Target milestone: ---
Assigned to: crei (crei)
QA Contact: crei
URL:
Summary: Delegate Kerberos credentials for built-in rsh/rlogin methods
Status whiteboard:
Attachments:
Issue 3118 blocks:
Votes for issue 3118:


   Opened: Wed Aug 26 02:59:00 -0700 2009 
------------------------


When using built-in rsh/rlogin methods, SGE should honor (and forward) the user's Kerberos TGT (ticket granting ticket) the same way ssh does by default.
This is important in an environment where fully kerberized NFSv4 is used, as access to the NFS share is rejected if no valid TGT is found.
Example:

[victim@dorado_v1 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_999_bV9I5o
Default principal: victim@PRAGUE.AD.S3GROUP.COM

Valid starting     Expires            Service principal
08/26/09 10:06:25  08/26/09 20:06:29  krbtgt/PRAGUE.AD.S3GROUP.COM@PRAGUE.AD.S3GROUP.COM
        renew until 08/27/09 10:06:25
08/26/09 10:23:41  08/26/09 20:06:29  nfs/melnik.prague.s3group.com@PRAGUE.AD.S3GROUP.COM
        renew until 08/27/09 10:06:25


Kerberos 4 ticket cache: /tmp/tkt999
klist: You have no tickets cached
[victim@dorado_v1 ~]$ ls
Desktop  krbtest  monday_press_demo.mpg  test1.txt  test.txt  test.txt2
[victim@dorado_v1 ~]$ qlogin
Your job 212 ("QLOGIN") has been submitted
waiting for interactive job to be scheduled ...
Your interactive job 212 has been successfully scheduled.
Establishing builtin session to host deneb.prague.s3group.com ...
[victim@deneb 212.1]$ cd ~
/home/victim: Permission denied.
[victim@deneb 212.1]$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_999)


Kerberos 4 ticket cache: /tmp/tkt999
klist: You have no tickets cached
[victim@deneb 212.1]$

As you can see, access to my home directory is forbidden on the remote execution node because my TGT was not forwarded.
Ondrej
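
Added example (not part of the original ticket and not Grid Engine code): a Python check that classifies klist text output of the kind shown in the session above, so a job script can tell a missing credentials cache apart from a missing or expired TGT before touching a kerberized NFSv4 path. The function names and the mm/dd/yy timestamp format are assumptions; the sample output is copied from the ticket.

```python
import re
from datetime import datetime

# Assumption: klist prints ticket rows as "mm/dd/yy HH:MM:SS  mm/dd/yy HH:MM:SS  principal".
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$")
TIME_FMT = "%m/%d/%y %H:%M:%S"

# klist output copied from the ticket: submit host first, then execution host.
SUBMIT_HOST = """\
Ticket cache: FILE:/tmp/krb5cc_999_bV9I5o
Default principal: victim@PRAGUE.AD.S3GROUP.COM

Valid starting     Expires            Service principal
08/26/09 10:06:25  08/26/09 20:06:29  krbtgt/PRAGUE.AD.S3GROUP.COM@PRAGUE.AD.S3GROUP.COM
        renew until 08/27/09 10:06:25
08/26/09 10:23:41  08/26/09 20:06:29  nfs/melnik.prague.s3group.com@PRAGUE.AD.S3GROUP.COM
        renew until 08/27/09 10:06:25
"""
EXEC_HOST = "klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_999)\n"

def parse_klist(text):
    """Return (default_principal, [(start, expires, service), ...])."""
    principal, tickets = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        m = TICKET_RE.match(line)
        if m:  # "renew until" and header lines do not match the row pattern
            start, end = (datetime.strptime(m.group(i), TIME_FMT) for i in (1, 2))
            tickets.append((start, end, m.group(3)))
    return principal, tickets

def tgt_status(text, now):
    """Classify a klist dump as 'no-cache', 'no-tgt', 'expired' or 'valid'."""
    principal, tickets = parse_klist(text)
    if principal is None:
        return "no-cache"
    realm = principal.rsplit("@", 1)[-1]
    wanted = f"krbtgt/{realm}@{realm}"  # the TGT for the principal's own realm
    tgts = [t for t in tickets if t[2] == wanted]
    if not tgts:
        return "no-tgt"
    return "valid" if any(s <= now < e for s, e, _ in tgts) else "expired"

if __name__ == "__main__":
    print(tgt_status(SUBMIT_HOST, datetime(2009, 8, 26, 10, 30)))
    print(tgt_status(EXEC_HOST, datetime(2009, 8, 26, 10, 30)))
```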
