[slurm-users] [External] Re: ssh-keys on compute nodes?
Prentice Bisbal
pbisbal at pppl.gov
Tue Jun 9 19:26:36 UTC 2020
Host-based security is not considered as safe as user-based security, so
should only be used in special cases.
On 6/9/20 11:45 AM, Michael Jennings wrote:
> On Tuesday, 09 June 2020, at 12:43:34 (+0200),
> Ole Holm Nielsen wrote:
>
>> in which case you need to set up SSH authorized_keys files for such
>> users.
> I'll admit that I didn't know about this until I came to LANL, but
> there's actually a much better alternative than having to create user
> key pairs and manage users' ~/.ssh/authorized_keys files: Host-based
> Authentication.
>
> Setting "HostbasedAuthentication yes" and configuring it properly on
> all the cluster hosts allows a cryptographically-secured equivalent of
> what used to be known as RHosts-style Authentication using ~/.rhosts
> and /etc/hosts.equiv. Essentially, it allows host-key-authenticated
> systems to recognize each other, and once that completes successfully,
> the target host trusts the source host to accurately introduce the
> user who's logging in.
>
> Once you have host-based authentication working, users can SSH around
> inside your cluster seamlessly (subject to additional restrictions, of
> course, like access.conf or pam_slurm_adopt) without needing hackish
> extra utilities to create and manage cluster-specific passphraseless
> key pairs for every single user! :-)
>
> There's a great cookbook online that tells you step-by-step how to set
> it up: https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Host-based_Authentication
>
> HTH!
> Michael
>
--
Prentice Bisbal
Lead Software Engineer
Research Computing
Princeton Plasma Physics Laboratory
http://www.pppl.gov
More information about the slurm-users
mailing list