[slurm-users] [External] Re: ssh-keys on compute nodes?

Ole Holm Nielsen Ole.H.Nielsen at fysik.dtu.dk
Tue Jun 9 19:34:45 UTC 2020


Hi Prentice,

Could you kindly elaborate on this statement?  Is host-based security 
safe inside a compute cluster compared to user-based SSH keys?

Thanks,
Ole


On 09-06-2020 21:26, Prentice Bisbal wrote:
> Host-based security is not considered as safe as user-based security, so 
> should only be used in special cases.
> 
> On 6/9/20 11:45 AM, Michael Jennings wrote:
>> On Tuesday, 09 June 2020, at 12:43:34 (+0200),
>> Ole Holm Nielsen wrote:
>>
>>> in which case you need to set up SSH authorized_keys files for such
>>> users.
>> I'll admit that I didn't know about this until I came to LANL, but
>> there's actually a much better alternative than having to create user
>> key pairs and manage users' ~/.ssh/authorized_keys files:  Host-based
>> Authentication.
>>
>> Setting "HostbasedAuthentication yes" and configuring it properly on
>> all the cluster hosts allows a cryptographically-secured equivalent of
>> what used to be known as RHosts-style Authentication using ~/.rhosts
>> and /etc/hosts.equiv.  Essentially, it allows host-key-authenticated
>> systems to recognize each other, and once that completes successfully,
>> the target host trusts the source host to accurately introduce the
>> user who's logging in.
>>
>> Once you have host-based authentication working, users can SSH around
>> inside your cluster seamlessly (subject to additional restrictions, of
>> course, like access.conf or pam_slurm_adopt) without needing hackish
>> extra utilities to create and manage cluster-specific passphraseless
>> key pairs for every single user! :-)
>>
>> There's a great cookbook online that tells you step-by-step how to set
>> it up:  
>> https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Host-based_Authentication
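
Added example, not part of the original thread or of the linked cookbook: since the target host trusts each listed source host to introduce its users, this Python sketch audits a node's shosts.equiv trust list against its system-wide ssh_known_hosts and reports trusted hosts with no pinned host key, plus rhosts-era wildcard entries. Assumptions: the file bodies, host names and keys are constructed samples, known_hosts names are unhashed, and the function names are hypothetical.

```python
# Added example; both file bodies are constructed samples with hypothetical hosts.
SHOSTS_EQUIV = """\
# hosts trusted to introduce their users
login1.cluster.example
node001.cluster.example
node002.cluster.example
-retired.cluster.example
+
"""
KNOWN_HOSTS = """\
login1.cluster.example,10.0.0.1 ssh-ed25519 CONSTRUCTED_KEY_1
node001.cluster.example ssh-ed25519 CONSTRUCTED_KEY_2
@revoked node002.cluster.example ssh-ed25519 CONSTRUCTED_KEY_3
"""

def _lines(text):
    """Non-empty lines with '#' comments stripped."""
    stripped = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return [line for line in stripped if line]

def pinned_hosts(known_hosts_text):
    """Names that have a plain host key line (assumes unhashed names)."""
    pinned = set()
    for line in _lines(known_hosts_text):
        fields = line.split()
        if fields[0].startswith("@"):  # @revoked / @cert-authority: not a plain pin
            continue
        pinned.update(name.lower() for name in fields[0].split(","))
    return pinned

def audit(shosts_text, known_hosts_text):
    """Return sorted (finding, host) pairs for the trust list."""
    pinned, findings = pinned_hosts(known_hosts_text), []
    for line in _lines(shosts_text):
        entry = line.split()[0]
        if entry.startswith("-"):  # negated entry: explicitly not trusted
            continue
        host = entry.lstrip("+").lower()
        if not host:  # bare "+": rhosts-era wildcard, never wanted in a trust list
            findings.append(("wildcard-entry", "+"))
        elif host.startswith("@"):  # netgroup: cannot be expanded offline
            findings.append(("netgroup-unexpanded", host))
        elif host not in pinned:  # no system-wide key pinned for this host
            findings.append(("no-pinned-host-key", host))
    return sorted(findings)

if __name__ == "__main__":
    for kind, host in audit(SHOSTS_EQUIV, KNOWN_HOSTS):
        print(f"{kind:20} {host}")
```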


