MUNGE Uid N Gid Emporium

Description

MUNGE Uid N Gid Emporium is an authentication service for creating and validating credentials. It is designed to be highly scalable for use in an HPC cluster environment. It allows a process to authenticate the UID and GID of another local or remote process within a group of hosts having common users and groups. These hosts form a security realm that is defined by a shared cryptographic key. Clients within this security realm can create and validate credentials without the use of root privileges, reserved ports, or platform-specific methods. Rationale The need for MUNGE arose out of the HPC cluster environment. Consider the scenario in which a local daemon running on a login node receives a client request and forwards it on to remote daemons running on compute nodes within the cluster. Since the user has already logged on to the login node, the local daemon just needs a reliable means of ascertaining the UID and GID of the client process. Furthermore, the remote daemons need a mechanism to ensure the forwarded authentication data has not been subsequently altered. A common solution to this problem is to use Unix domain sockets to determine the identity of the local client, and then forward this information on to remote hosts via trusted rsh connections. But this presents several new problems. First, there is no portable API for determining the identity of a client over a Unix domain socket. Second, rsh connections must originate from a reserved port; the limited number of reserved ports available on a given host directly limits scalability. Third, root privileges are required in order to bind to a reserved port. Finally, the remote daemons have no means of determining whether the client identity is authentic. Overview A process creates a credential by requesting one from the local MUNGE service. The encoded credential contains the UID and GID of the originating process. This process sends the credential to another process within the security realm as a means of proving its identity. The receiving process validates the credential with the use of its local MUNGE service. The decoded credential provides the receiving process with a reliable means of ascertaining the UID and GID of the originating process. This information can be used for accounting or access control decisions. The contents of the credential (including any optional payload data) are encrypted with a key shared by all munged daemons within the security realm. The integrity of the credential is ensured by a message authentication code (MAC). The credential is valid for a limited time defined by its time-to-live (TTL). The daemon ensures unexpired credentials are not replayed on a particular host. Decoding of a credential can be restricted to a particular user and/or group ID. The payload data can be used for purposes such as embedding the destinations address to ensure the credential is only valid on a specific host. The internal format of the credential is encoded in a platform-independent manner. And the credential itself is base64 encoded to allow it to be transmitted over virtually any transport. Whats New in This Release: · A bug was fixed that caused stack corruption on AMD-64 when using Libgcrypt.. This server is a central point for development, distribution and maintainance of software. It runs on Savane.

Munge - Authentication Service - Credential - Emporium - Process - Authentication - Service - Uid - Gid - Security - Miscellaneous

Published By:Chris Dunlap

License Type:Freeware

Date Added:22 October, 2010

Version:0.5.8

Price:Free

Downloads:46

Size:358.4 KB

Platform: Linux

What people say
- required fields
     
Related Downloads

CORBA::IOP::IOR is a Perl module used to decode, munge, and re-encode CORBA IORs. SYNOPSIS #!

DateSep 18, 2010

AuthorPhilip Aston

Size8.2 KB

LicenseFreeware

PriceFree

PlatformLinux

CategoryLinux Programming

phpCAS is a PHP client library for CAS (Central Authentication Service). phpCAS is a simple interface to ITS Central Authentication Service for PHP web applications.

DateOct 11, 2010

AuthorPascal Aubry

Size307.2 KB

LicenseFreeware

PriceFree

PlatformLinux

CategoryLinux Programming

Catalyst::Plugin::Authentication::Credential::BBAuth is a Yahoo! Browser-Based Authentication for Catalyst.

DateAug 17, 2010

AuthorJiro Nishiguchi

Size3.1 KB

LicenseFreeware

PriceFree

PlatformLinux

CategoryLinux Programming

Sun::Solaris::Ucred is a Perl interface to User Credentials. SYNOPSIS use Sun::Solaris::Ucred qw(:ALL); This module provides wrappers for the Ucred-related system and library calls.

DateSep 16, 2010

AuthorSun::Solaris::Ucred team

Size5.1 KB

LicenseFreeware

PriceFree

PlatformLinux

CategoryLinux Programming

vdbmaster is a simple program that its meant to easy the process of burning movies to a DVD. It uses growisofs to write the disc, and the VideoDB database for selecting the movies to write and keeping records of where your movies are stored.

DateAug 10, 2010

AuthorAlberto Mardegan

Size19.5 KB

LicenseFreeware

PriceFree

PlatformLinux

CategoryLinux Multimedia