[slurm-users] ssh-keys on compute nodes?

Michael Jennings mej at lanl.gov
Tue Jun 9 15:45:08 UTC 2020

On Tuesday, 09 June 2020, at 12:43:34 (+0200),
Ole Holm Nielsen wrote:

> in which case you need to set up SSH authorized_keys files for such
> users.

I'll admit that I didn't know about this until I came to LANL, but
there's actually a much better alternative than having to create user
key pairs and manage users' ~/.ssh/authorized_keys files:  Host-based

Setting "HostbasedAuthentication yes" and configuring it properly on
all the cluster hosts allows a cryptographically-secured equivalent of
what used to be known as RHosts-style Authentication using ~/.rhosts
and /etc/hosts.equiv.  Essentially, it allows host-key-authenticated
systems to recognize each other, and once that completes successfully,
the target host trusts the source host to accurately introduce the
user who's logging in.

Once you have host-based authentication working, users can SSH around
inside your cluster seamlessly (subject to additional restrictions, of
course, like access.conf or pam_slurm_adopt) without needing hackish
extra utilities to create and manage cluster-specific passphraseless
key pairs for every single user! :-)

There's a great cookbook online that tells you step-by-step how to set
it up:  https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Host-based_Authentication


Michael E. Jennings <mej at lanl.gov>
HPC Systems Team, Los Alamos National Laboratory
Bldg. 03-2327, Rm. 2341     W: +1 (505) 606-0605

More information about the slurm-users mailing list