NAME
munge - MUNGE overview
INTRODUCTION
MUNGE (MUNGE Uid ’N’ Gid Emporium) is an authentication service for
creating and validating credentials. It is designed to be highly
scalable for use in an HPC cluster environment. It allows a process to
authenticate the UID and GID of another local or remote process within
a group of hosts having common users and groups. These hosts form a
security realm that is defined by a shared cryptographic key. Clients
within this security realm can create and validate credentials without
the use of root privileges, reserved ports, or platform-specific
methods.
RATIONALE
The need for MUNGE arose out of the HPC cluster environment. Consider
the scenario in which a local daemon running on a login node receives a
client request and forwards it on to remote daemons running on compute
nodes within the cluster. Since the user has already logged on to the
login node, the local daemon just needs a reliable means of
ascertaining the UID and GID of the client process. Furthermore, the
remote daemons need a mechanism to ensure the forwarded authentication
data has not been subsequently altered.
A common solution to this problem is to use Unix domain sockets to
determine the identity of the local client, and then forward this
information on to remote hosts via trusted rsh connections. But this
presents several new problems. First, there is no portable API for
determining the identity of a client over a Unix domain socket.
Second, rsh connections must originate from a reserved port; the
limited number of reserved ports available on a given host directly
limits scalability. Third, root privileges are required in order to
bind to a reserved port. Finally, the remote daemons have no means of
determining whether the client identity is authentic.
OVERVIEW
A process creates a credential by requesting one from the local MUNGE
service. The encoded credential contains the UID and GID of the
originating process. This process sends the credential to another
process within the security realm as a means of proving its identity.
The receiving process validates the credential with the use of its
local MUNGE service. The decoded credential provides the receiving
process with a reliable means of ascertaining the UID and GID of the
originating process. This information can be used for accounting or
access control decisions.
The contents of the credential (including any optional payload data)
are encrypted with a key shared by all munged daemons within the
security realm. The integrity of the credential is ensured by a
message authentication code (MAC). The credential is valid for a
limited time defined by its time-to-live (TTL). The daemon ensures
unexpired credentials are not replayed on a particular host. Decoding
of a credential can be restricted to a particular user and/or group ID.
The payload data can be used for purposes such as embedding the
destination’s address to ensure the credential is only valid on a
specific host. The internal format of the credential is encoded in a
platform-independent manner. And the credential itself is base64
encoded to allow it to be transmitted over virtually any transport.
AUTHOR
Chris Dunlap <cdunlap@llnl.gov>
COPYRIGHT
Copyright (C) 2007-2010 Lawrence Livermore National Security, LLC.
Copyright (C) 2002-2007 The Regents of the University of California.
MUNGE is free software: you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation, either version 3 of the License, or (at your
option) any later version. Additionally for the MUNGE library
(libmunge), you can redistribute it and/or modify it under the terms of
the GNU Lesser General Public License as published by the Free Software
Foundation, either version 3 of the License, or (at your option) any
later version.
SEE ALSO
munge(1), remunge(1), unmunge(1), munge(3), munge_ctx(3),
munge_enum(3), munged(8).
http://home.gna.org/munge/