[gold-users] Authentication of users in Gold

Scott Jackson scott at clusterresources.com
Thu Aug 2 20:28:21 MDT 2007


On Thu, 2007-08-02 at 23:46 +0200, Artem Harutyunyan wrote:
> Hi,
> 
> I have several questions concerning Gold
> 
> - How does the Gold server authenticate users? I have captured the gold
> packets using a sniffer, and noticed that the name of the user is sent
> as the value of the 'actor' attribute. What I want to know is how the
> server figures out whether the request is really sent, let's say, from
> 'amy', or it is 'bob' trying to impersonate 'amy'.
> 
> - In the XML sent from client to server, there is an element called
> 'Signature', which contains 'SignatureValue' (according to the SSSRMAP
> protocol specification, this is the signature over the <Body> element). Is
> that signature generated using the password kept in
> $GOLD_HOME/etc/auth_key?
> 

Yes, that is correct. Because the clients are setuid to gold, the
suidperl feature allows the client to read the key from auth_key without
allowing the user to actually obtain and read it. The client verifies
that the specified actor is the same as the user invoking the request
and uses this key to create the digest against the body which is sent in
the signature. The server uses its own copy of the key to compute a
digest on the body and verify that they match. If so, we know that the
actor has been properly verified to be the invoker of the command.

> - SSSRMAP protocol supports six security token types, among them
> GSI(X.509) and 'Asymmetric key'. Which of the supported authentication
> methods are implemented in Gold ?
> 

Really only password and Symmetric Key are implemented in Gold at this
time.

> - When I tried to start Gold for the first time I got an error
> about missing 'sperl'. The error went away after installation of
> 'suidperl'. As far as I know, use of this package is deprecated due to
> security issues. Why does Gold need that to run? Is it possible to
> run Gold without having 'suidperl'?
> 

As explained above, it is the suidperl/sperl functionality that allows
the user to use the secret key without being able to obtain or read it.

It is possible to install gold without suidperl, but then commands will
be limited to the gold user. Other users will not be able to run gold
commands.

It may be possible to enable password-enabled clients, but your users
would have to type a password every time they tried to invoke a command
-- which I think most would consider untenable. The GUI does use this,
however, because the browser has no other way to verify the user. Once a
user is logged in, their password is cached for that session.

It might also be possible in the future to enable some of the other
security protocols defined in SSSRMAP (GSI, Asymmetric key), but this
would have to be a development effort sanctioned by my employer at this
time, because my free time on this project is very limited.

> Thank you in advance for your help,
> Artem.
> _______________________________________________
> gold-users mailing list
> gold-users at supercluster.org
> http://www.supercluster.org/mailman/listinfo/gold-users
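The symmetric-key scheme described in the reply above, as an added example that is not Gold's own code: a client that only signs a body when the claimed actor is the invoking user, and a server that recomputes the digest with its own copy of the key. The HMAC-SHA1 construction, the base64 encoding, the dict-shaped request and the key value are all assumptions of this example, not details taken from the message.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the contents of $GOLD_HOME/etc/auth_key.
# Assumption: client and server both hold this same opaque byte string.
AUTH_KEY = b"constructed-example-shared-key"


def sign_body(body: str, key: bytes) -> str:
    """Digest over the <Body> element. HMAC-SHA1 is an assumption of this
    example, not something the reply above specifies."""
    mac = hmac.new(key, body.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def client_request(actor: str, invoking_user: str, body: str, key: bytes) -> dict:
    """Client side (the part that, like the setuid client, can read the key):
    refuse to sign unless the claimed actor is the user running the command."""
    if actor != invoking_user:
        raise PermissionError(f"actor {actor!r} is not the invoking user {invoking_user!r}")
    return {"actor": actor, "body": body, "signature": sign_body(body, key)}


def server_verify(request: dict, server_key: bytes) -> bool:
    """Server side: recompute the digest with its own key copy and compare in
    constant time. A match means a key-holding client already checked the actor."""
    expected = sign_body(request["body"], server_key)
    return hmac.compare_digest(expected, request["signature"])


def demo() -> dict:
    body = '<Body><Request action="Query" object="Account"/></Body>'
    # amy runs the client as herself: signed by the client, accepted by the server.
    ok = server_verify(client_request("amy", "amy", body, AUTH_KEY), AUTH_KEY)
    # bob cannot make the client sign a request claiming actor amy.
    try:
        client_request("amy", "bob", body, AUTH_KEY)
        actor_check = False
    except PermissionError:
        actor_check = True
    # A request assembled without the real key does not verify.
    forged = {"actor": "amy", "body": body, "signature": sign_body(body, b"wrong-key")}
    forged_ok = server_verify(forged, AUTH_KEY)
    # Changing the body after signing also breaks the digest.
    tampered = client_request("amy", "amy", body, AUTH_KEY)
    tampered["body"] = body.replace("Query", "Modify")
    tampered_ok = server_verify(tampered, AUTH_KEY)
    return {"ok": ok, "actor_check": actor_check, "forged_ok": forged_ok, "tampered_ok": tampered_ok}
```

Note that the server only learns that whoever signed held the key; the actor-equals-invoker check lives entirely in the client, which is why the key must stay unreadable to ordinary users.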