<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Nice write-up Ole!</p>
<p>I especially like the statement (emphasis added):</p>
<p>For security reasons it is strongly recommended <strong>not</strong>
to include the Slurm servers
<a class="http reference external" href="http://slurm.schedmd.com/slurmctld.html">slurmctld</a>
and
<a class="http reference external" href="http://slurm.schedmd.com/slurmdbd.html">slurmdbd</a>
hosts in the
<a class="https reference external" href="https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Host-based_Authentication">Host-based_Authentication</a>
because <font color="#ff0000"><i><b>normal users have no business on those
servers!</b></i></font></p>
<p>Brian Andrus</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 6/17/2020 1:26 AM, Ole Holm Nielsen
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:d11bdb3e-b1ec-528e-2527-af4a82e20cb1@fysik.dtu.dk">On
6/9/20 5:45 PM, Michael Jennings wrote:
<br>
<blockquote type="cite">On Tuesday, 09 June 2020, at 12:43:34 (+0200),
<br>
Ole Holm Nielsen wrote:
<br>
<br>
<blockquote type="cite">in which case you need to set up SSH
authorized_keys files for such users.
<br>
</blockquote>
<br>
I'll admit that I didn't know about this until I came to LANL, but
there's actually a much better alternative than having to create user
key pairs and manage users' ~/.ssh/authorized_keys files: Host-based
Authentication.
<br>
<br>
Setting "HostbasedAuthentication yes" and configuring it properly on
all the cluster hosts allows a cryptographically-secured equivalent of
what used to be known as RHosts-style Authentication using ~/.rhosts
and /etc/hosts.equiv. Essentially, it allows host-key-authenticated
systems to recognize each other, and once that completes successfully,
the target host trusts the source host to accurately introduce the
user who's logging in.
<br>
<br>
Once you have host-based authentication working, users can SSH around
inside your cluster seamlessly (subject to additional restrictions, of
course, like access.conf or pam_slurm_adopt) without needing hackish
extra utilities to create and manage cluster-specific passphraseless
key pairs for every single user! :-)
<br>
</blockquote>
<br>
The host-based SSH authentication is a good idea, but only inside
the cluster's security perimeter, and one should not trust
computers external to the cluster nodes in this way.
<br>
<br>
I was looking at the OpenSSH documentation and the cookbooks on
the net for configuring host-based SSH authentication. The
information can be a little imprecise, so after a good deal of
testing I've written a new section in my Wiki page for Slurm on
CentOS 7 systems:
<br>
<br>
<a class="moz-txt-link-freetext" href="https://wiki.fysik.dtu.dk/niflheim/SLURM#ssh-keys-for-password-less-access-to-cluster-nodes">https://wiki.fysik.dtu.dk/niflheim/SLURM#ssh-keys-for-password-less-access-to-cluster-nodes</a>
<br>
<br>
This also includes ways to gather SSH public keys from the cluster
nodes.
<br>
<br>
Comments are welcome.
<br>
<br>
Best regards,
<br>
Ole
<br>
<br>
</blockquote>
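<p>One way to check the recommendation quoted at the top of this message on a slurmctld or slurmdbd host, as an added example that is not from the thread or from the Wiki page. It assumes the output of <code>sshd -T</code> and a copy of <code>/etc/ssh/shosts.equiv</code> have been saved to files; the function names, the sample files and the hostnames are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example: audit a Slurm server (slurmctld/slurmdbd host) for
# host-based SSH trust. Works on saved text so it runs offline:
#   $1 = output of `sshd -T` captured on the server
#   $2 = copy of that server's /etc/ssh/shosts.equiv (may be absent)

# Succeeds when the effective sshd config accepts host-based auth.
hostbased_enabled() {
    awk 'tolower($1) == "hostbasedauthentication" { v = tolower($2) }
         END { exit (v == "yes" ? 0 : 1) }' "$1"
}

# Prints the hosts an shosts.equiv file trusts, one per line: drops
# comments, blanks and negated ("-host") entries, strips a leading "+".
# A bare "+" (trust every host) is printed unchanged.
trusted_hosts() {
    [ -f "$1" ] || return 0
    awk '{ sub(/#.*/, "") }
         NF == 0 || $1 ~ /^-/ { next }
         { h = tolower($1); if (h != "+") sub(/^\+/, "", h); print h }' "$1"
}

# Returns 1 if host-based auth is on and shosts.equiv trusts at least
# one host, else 0. Per-user ~/.shosts files are not inspected.
audit_slurm_server() {
    if ! hostbased_enabled "$1"; then
        echo "OK: HostbasedAuthentication is not enabled"
        return 0
    fi
    as_hosts=$(trusted_hosts "$2")
    if [ -z "$as_hosts" ]; then
        echo "WARN: HostbasedAuthentication yes, but shosts.equiv trusts no host"
        return 0
    fi
    echo "FAIL: host-based logins accepted from:" $as_hosts
    return 1
}

# Constructed sample input with hypothetical hostnames.
demo=$(mktemp -d)
printf 'port 22\nhostbasedauthentication yes\nignorerhosts yes\n' > "$demo/sshd_T"
printf '# compute nodes\nnode001.cluster.example\n+node002.cluster.example\n-login1.cluster.example\n' > "$demo/shosts.equiv"
audit_slurm_server "$demo/sshd_T" "$demo/shosts.equiv" || true
rm -rf "$demo"
```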
</body>
</html>