How to enable pool password authentication

If you would like to enable a simple method for authenticating daemon-to-daemon communication, pool password is very straightforward. Upon setting up pool password authentication, your HTCondor daemons will only trust other HTCondor daemons that are able to read a secret password that is stored on each machine in a file that is readable only by the system. This will effectively prevent unauthorized machines from joining your pool, and also prevent users from starting their own HTCondor daemons on machines authorized with host-based (IP address) authentication. However, pool password authentication may not be a good idea if you are federating HTCondor pools across administrative domains via flocking (in or out), since it requires all machines to share the same secret password file.

INSTRUCTIONS FOR LINUX

On Linux, you need to tell HTCondor where to store the password. If you installed from an RPM, /etc/condor should already exist. Otherwise, you can create it as root and set the permissions to 0755.

Add the following lines to enable the pool password method in the condor_config file:

SEC_PASSWORD_FILE = /etc/condor/condor_pool_password
SEC_DAEMON_INTEGRITY = REQUIRED
SEC_DAEMON_AUTHENTICATION = REQUIRED
SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD
SEC_NEGOTIATOR_INTEGRITY = REQUIRED
SEC_NEGOTIATOR_AUTHENTICATION = REQUIRED
SEC_NEGOTIATOR_AUTHENTICATION_METHODS = PASSWORD
SEC_CLIENT_AUTHENTICATION_METHODS = FS, PASSWORD
ALLOW_DAEMON = condor_pool@*

NOTE: If you have configured any other authentication methods, make sure to keep them in the list of CLIENT methods.

Then, on each machine in your pool, run this command as root:

condor_store_cred -c add

It will prompt you for the password. You can optionally use -p on the command line to avoid prompting for the password. Alternatively, you can simply copy the file /etc/condor/condor_pool_password to all machines once you have set it. If you do so, make sure to verify the permissions (0600) and ownership (root).
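An added example, not part of the HTCondor documentation: a small POSIX shell audit that checks a copied password file for the ownership and permissions stated above (root, 0600) and checks condor_config for the daemon-side PASSWORD settings from the Linux list. It assumes Linux with GNU coreutils stat; the function names are mine.

```shell
#!/bin/sh
# Added example (not HTCondor's own code). Assumes GNU coreutils stat
# (-c %u / %a), i.e. Linux. Function names are hypothetical.

# check_pool_password_file PATH [EXPECTED_UID]
# 0 if PATH is a regular file owned by EXPECTED_UID (default 0 = root)
# with mode exactly 0600; otherwise prints the reason and returns 1.
check_pool_password_file() {
    file="$1"
    want_uid="${2:-0}"
    if [ ! -f "$file" ]; then
        echo "missing or not a regular file: $file" >&2
        return 1
    fi
    uid=$(stat -c '%u' "$file") || return 1
    mode=$(stat -c '%a' "$file") || return 1
    if [ "$uid" != "$want_uid" ]; then
        echo "owner uid $uid, want $want_uid: $file" >&2
        return 1
    fi
    if [ "$mode" != "600" ]; then
        echo "mode $mode, want 600: $file" >&2
        return 1
    fi
    return 0
}

# check_password_config CONFIG_FILE
# 0 only if every daemon-side setting from the Linux list is present with
# the expected value. As in condor_config, the last definition of a key wins.
check_password_config() {
    cfg="$1"
    rc=0
    for kv in 'SEC_DAEMON_INTEGRITY=REQUIRED' \
              'SEC_DAEMON_AUTHENTICATION=REQUIRED' \
              'SEC_DAEMON_AUTHENTICATION_METHODS=PASSWORD' \
              'ALLOW_DAEMON=condor_pool@*'; do
        key=${kv%%=*}
        want=${kv#*=}
        got=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$cfg" \
              | sed 's/[[:space:]]*$//' | tail -n 1)
        if [ "$got" != "$want" ]; then
            echo "$key is '$got', want '$want'" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run it on each machine as root after copying the file, e.g. `check_pool_password_file /etc/condor/condor_pool_password && check_password_config /etc/condor/condor_config`; a non-zero exit tells you which requirement the host fails.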

INSTRUCTIONS FOR WINDOWS

On Windows, the pool password is stored in the secure area of the registry, so you do not need to specify its location yourself.

Add the following lines to enable the pool password method in the condor_config file:

SEC_DAEMON_INTEGRITY = REQUIRED
SEC_DAEMON_AUTHENTICATION = REQUIRED
SEC_DAEMON_AUTHENTICATION_METHODS = PASSWORD
SEC_CLIENT_AUTHENTICATION_METHODS = NTSSPI, PASSWORD
ALLOW_DAEMON = condor_pool@*

NOTE: If you have configured any other authentication methods, make sure to keep them in the list of CLIENT methods.

Then, on each machine in your pool, run this command as LOCAL/System:

condor_store_cred -c add

It will prompt you for the password. You can optionally use -p on the command line to avoid prompting for the password.

INSTRUCTIONS FOR ALL PLATFORMS

If your HTCondor daemons were already running when you made these changes, don't forget to reconfigure your pool to have the new settings take effect:

condor_reconfig -all