condor_check_password
Examine HTCondor key files, looking for keys that prior version of HTCondor will not fully read.
Synopsis
condor_check_password <-h | --help>
condor_check_password [--truncate] [key]
Description
Versions of HTCondor before 8.9.12 contained contained a bug in the code used to read the pool password (hence the name of the tool): in some cases the read would be truncated before end of the file. Because the same code is used to read IDTOKENS signing keys, this bug affects the IDTOKENS authorization method, as well.
There was no backwards-compatible fix: versions 8.9.12 and later may read the same file differently than earlier versions, meaning that tokens issued before 8.9.12 may not be recognized by later versions.
This tool detects key files which will not be fully read by earlier versions of HTCondor. IDTOKENS generated by such a key will not be accepted by later versions (which read the whole key file). If you choose to truncate these files on disk, later version of HTCondor will read only the same bits as earlier versions, allowing them to accept tokens issued by earlier versions, at the cost of weakening your pool’s resistance to brute-force attacks.
By default, this tool checks all the key files that will be found by the current HTCondor configuration; you may specify a specific key or keys to check, instead.
Options
- -h, --help
Print a usage reminder.
- --truncate
When a potentially insecure key is encountered, truncate it to match the behavior prior to version 8.9.12.
Exit Status
Exits with code 0 if there were no signing keys to check or if all of the checked keys were OK. Exits with code 1 if at least one checked key was not OK. Exits non-zero if a problem was encountered along the way.