How to enable pool password authentication
If would like to enable a simple method for authenticating daemon-to-daemon communication, pool password is very straightforward. Upon setting up pool password authentication, your HTCondor daemons will only trust other HTCondor daemons that are able to read a secret password that is stored on on each machine in a file that is readable only by the system. This will effectively prevent unauthorized machines from joining your pool, and also prevent users from starting their own HTCondor daemons on machines authorized with host-based (IP address) authentication. However, pool password authentication may not be a good idea if you are federating HTCondor pools across administrative domains via flocking (in or out), since it requires all machines to share the same secret password file.
INSTRUCTIONS FOR LINUX
On Linux, you need to tell HTCondor where to store the password. If you installed from an RPM, /etc/condor should already exist. Otherwise, you can create it as root and set the permissions to 0755.
Add the following lines to enable the pool password method in the condor_config file:
SEC_PASSWORD_FILE = /etc/condor/condor_pool_password SEC_DAEMON_INTEGRITY = REQUIRED SEC_DAEMON_AUTHENTICATION = REQUIRED SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD SEC_NEGOTIATOR_INTEGRITY = REQUIRED SEC_NEGOTIATOR_AUTHENTICATION = REQUIRED SEC_NEGOTIATOR_AUTHENTICATION_METHODS = PASSWORD SEC_CLIENT_AUTHENTICATION_METHODS = FS, PASSWORD ALLOW_DAEMON = condor_pool@*
NOTE: If you have configured any other authentication methods, make sure to keep them in the list of CLIENT methods.
Then, on each machine in your pool, run this command as root:
condor_store_cred -c add
-p on the command line to avoid prompting for the password. Alternatively you can simply copy the file /etc/condor/condor_pool_password to all machines once have set it. If you do so, make sure to verify the permissions (0600) and ownership (root).
INSTRUCTIONS FOR WINDOWS
On Windows, the pool password is stored in the secure area of the registry, so you do not need to specify its location yourself.
Add the following lines to enable the pool password method in the condor_config file:
SEC_DAEMON_INTEGRITY = REQUIRED SEC_DAEMON_AUTHENTICATION = REQUIRED SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD SEC_CLIENT_AUTHENTICATION_METHODS = NTSSPI, PASSWORD ALLOW_DAEMON = condor_pool@*
NOTE: If you have configured any other authentication methods, make sure to keep them in the list of CLIENT methods.
Then, on each machine in your pool, run this command as LOCAL/System:
condor_store_cred -c add
-p on the command line to avoid prompting for the password.
INSTRUCTIONS FOR ALL PLATFORMS
If your HTCondor daemons were already running when you made these changes, don't forget to reconfigure your pool to have the new settings take effect:
condor_reconfig -all