INTRODUCTION

MUNGE (MUNGE Uid 'N' Gid Emporium) is an authentication service for creating
and validating credentials. It is designed to be highly scalable for use
in an HPC cluster environment. It allows a process to authenticate the
UID and GID of another local or remote process within a group of hosts
having common users and groups. These hosts form a security realm that is
defined by a shared cryptographic key. Clients within this security realm
can create and validate credentials without the use of root privileges,
reserved ports, or platform-specific methods.


RATIONALE

The need for MUNGE arose out of the HPC cluster environment. Consider the
scenario in which a local daemon running on a login node receives a client
request and forwards it on to remote daemons running on compute nodes within
the cluster. Since the user has already logged on to the login node, the
local daemon just needs a reliable means of ascertaining the UID and GID
of the client process. Furthermore, the remote daemons need a mechanism to
ensure the forwarded authentication data has not been subsequently altered.

A common solution to this problem is to use Unix domain sockets to
determine the identity of the local client, and then forward this
information on to remote hosts via trusted rsh connections. But this
presents several new problems. First, there is no portable API for
determining the identity of a client over a Unix domain socket. Second,
rsh connections must originate from a reserved port; the limited number
of reserved ports available on a given host directly limits scalability.
Third, root privileges are required in order to bind to a reserved port.
Finally, the remote daemons have no means of determining whether the
client identity is authentic. MUNGE solves all of these problems.


USAGE

A process creates a credential by requesting one from the local
MUNGE service, either via the munge_encode() C library call or the
munge executable. The encoded credential contains the UID and GID of
the originating process. This process sends the credential to another
process within the security realm as a means of proving its identity.
The receiving process validates the credential with the use of its local
MUNGE service, either via the munge_decode() C library call or the unmunge
executable. The decoded credential provides the receiving process with a
reliable means of ascertaining the UID and GID of the originating process.
This information can be used for accounting or access control decisions.


DETAILS

The contents of the credential (including any optional payload data) are
encrypted with a key shared by all munged daemons within the security realm.
The integrity of the credential is ensured by a message authentication
code (MAC). The credential is valid for a limited time defined by its
time-to-live (TTL); this presumes clocks within a security realm are
in sync. Unexpired credentials are tracked by the local munged daemon in
order to prevent replay attacks on a given host. Decoding of a credential
can be restricted to a particular user and/or group ID. The payload data
can be used for purposes such as embedding the destination's address to
ensure the credential is only valid on a specific host. The internal
format of the credential is encoded in a platform-independent manner,
and the credential itself is base64 encoded to allow it to be transmitted
over virtually any transport.
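As an added illustration of the encode/decode flow from USAGE and the checks listed under DETAILS (this is example code, not MUNGE's own implementation or wire format), the Python model below binds the UID, GID, TTL, optional payload and decode restrictions under an HMAC keyed with a constructed realm key, base64-encodes the result, and validates it through a per-host replay cache. The encryption of the credential contents that MUNGE also performs is omitted, and the JSON body layout, REALM_KEY, salt field and status strings are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed shared realm key: stands in for the key every munged daemon in the realm holds.
REALM_KEY = b"constructed-demo-realm-key-do-not-use"

def encode_cred(uid, gid, payload=b"", ttl=300, dec_uid=None, dec_gid=None, now=None):
    """Model of munge_encode(): HMAC the UID/GID, TTL, payload and restrictions under the realm key, then base64."""
    body = {"uid": uid, "gid": gid, "time": int(time.time() if now is None else now),
            "ttl": ttl, "dec_uid": dec_uid, "dec_gid": dec_gid,
            "salt": os.urandom(8).hex(),  # makes each credential distinct for the replay cache
            "payload": base64.b64encode(payload).decode()}
    raw = json.dumps(body, sort_keys=True).encode()
    mac = hmac.new(REALM_KEY, raw, hashlib.sha256).digest()
    return base64.b64encode(raw + mac).decode()

class Decoder:
    """Model of a munged daemon's decode side, including its per-host replay cache."""
    def __init__(self):
        self.seen = {}  # MAC of each unexpired credential -> its expiry time

    def decode(self, cred, as_uid=None, as_gid=None, now=None):
        """Model of munge_decode(): returns (status, info); info holds uid, gid and payload."""
        now = time.time() if now is None else now
        blob = base64.b64decode(cred)
        raw, mac = blob[:-32], blob[-32:]  # HMAC-SHA256 is 32 bytes
        if not hmac.compare_digest(mac, hmac.new(REALM_KEY, raw, hashlib.sha256).digest()):
            return "BAD_MAC", None  # altered in transit, or made under a different realm key
        body = json.loads(raw)
        if now > body["time"] + body["ttl"]:
            return "EXPIRED", None  # the TTL check presumes realm clocks are in sync
        if body["dec_uid"] is not None and body["dec_uid"] != as_uid:
            return "BAD_UID", None  # decoding was restricted to a particular UID
        if body["dec_gid"] is not None and body["dec_gid"] != as_gid:
            return "BAD_GID", None  # ...or a particular GID
        self.seen = {m: e for m, e in self.seen.items() if e > now}  # forget expired entries
        if mac in self.seen:
            return "REPLAYED", None  # same credential presented again on this host
        self.seen[mac] = body["time"] + body["ttl"]
        return "OK", {"uid": body["uid"], "gid": body["gid"],
                      "payload": base64.b64decode(body["payload"])}

def tamper(cred):  # flip one bit of the encoded body (constructed input for the MAC check)
    blob = bytearray(base64.b64decode(cred))
    blob[0] ^= 1
    return base64.b64encode(bytes(blob)).decode()
```

Because the replay cache lives in each decoder instance, the same credential is accepted once per host and rejected on a second presentation there, which is the per-host replay protection the text describes.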


LICENSE

MUNGE is free software: you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation, either version 3 of the License, or (at your option)
any later version.

Additionally for the MUNGE library (libmunge), you can redistribute it
and/or modify it under the terms of the GNU Lesser General Public License
as published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.


KEYS

Releases are signed with the following GPG key:

pub   4096R/0x3B7ECB2B30DE0871 2011-10-01
      Key fingerprint = A441 880C 3D4C 7C36 C5DD 41E1 3B7E CB2B 30DE 0871
uid   Chris Dunlap <chris.m.dunlap@gmail.com>
uid   Chris Dunlap <cdunlap@llnl.gov>
uid   Chris Dunlap <dun@imsa.edu>
sub   4096R/0x48A5CADDECA74B8A 2011-10-01


HOMEPAGE

https://dun.github.io/munge/