Kerberos support


#1

There seems to be Kerberos integration code in the code base (guarded behind PBS_CRED_DCE_KRB5), but I wasn’t able to find any configure switches to actually enable the code.

Could you direct me to the correct configure switch to enable this code?


#2

Kerberos was a supported feature many moons ago. It’s quite likely that it could be made to work again, but it would take some amount of effort. It would certainly be possible to add a new macro under the m4 directory to define the PBS_CRED_DCE_KRB5 flag, but that’s just where the fun begins. DCE used to use an extended version of Kerberos as a ticket based authentication mechanism upon which services like DCE/DFS were built. I don’t think there is anything in the code that is DCE/DFS specific, but if there is we should remove it. Of course, unit testing this type of setup would also take some significant amount of effort. The gauntlet has been thrown down. Would you care to answer the challenge?


#3

Well, we have full Kerberos support for Torque. It’s used in a sizeable production environment.

We will have to either port it to PBSPro, or adjust the current code in PBSPro. I was mainly trying to figure out what is the status of the code I’m seeing.


#4

The current Kerberos code could certainly use work. We last tested the kerberos functionality several years back.

See include/libsec.h
#define STD 0 /* standard PBS security (pbs_iff program) */
#define KAUTH 1 /* kerberized PBS with authentication only */
#define KCRYPT 2 /* kerberized with authentication, encryption */

The encryption related code is probably somewhat incomplete, but the authentication piece should work with minor modification between client commands and server.

However, we recently replaced the RPP protocol (UDP based) between the server and moms with a full TCP based communication (called TPP), and there we had implemented authentication using the munge authentication.

So the bigger work would be to implement kerberos authentication/encryption over the TPP protocol.

I have some notes I had made several years back on the kerberos code when I last worked on it; probably can search and find it if you care.


#5

Trying to get through the code, I have also discovered PBS_CRED_GRIDPROXY which again does not seem to be hooked up to a configure option.

Is this used by anybody, or should I just merge all the Kerberos code into a cleaned up comprehensive implementation (probably won’t support all the use cases though).


#6

@HappyCerberus, the kerberos option is not used by anybody in the recent versions of pbs AFAIK. I think the community would love to have the kerberos code merged and cleaned up into a comprehensive implementation. It would be fine to start with some minimal use cases and then expand over time.

Regards,
Subhasis