[slurm-users] [External] Re: ssh-keys on compute nodes?

Prentice Bisbal pbisbal at pppl.gov
Wed Jun 10 17:43:03 UTC 2020


Gladly! User based security means that you need to enter a user password 
or something similar like kerberos keys or SSH keys to authenticate with 
a different host. In every place I've worked, passwordless ssh keys 
were forbidden, so even if using SSH keys, that ssh key would need to be 
unlocked with the password the first time it's used. In this 
scenario, if a user account is compromised on one system, the damage is 
limited to that system.

With host-based security, all the hosts in the trusted group allow users 
to go from one machine to the other without using a password. In this 
case, if a user account is compromised on one system, then that user 
account is now compromised on *every* system in the trusted group.

Does that make sense?

There's a reason why host-based authentication is not the default 
behavior in SSH.

Prentice

On 6/9/20 3:34 PM, Ole Holm Nielsen wrote:
> Hi Prentice,
>
> Could you kindly elaborate on this statement?  Is host-based security 
> safe inside a compute cluster compared to user-based SSH keys?
>
> Thanks,
> Ole
>
>
> On 09-06-2020 21:26, Prentice Bisbal wrote:
>> Host-based security is not considered as safe as user-based security, 
>> so should only be used in special cases.
>>
>> On 6/9/20 11:45 AM, Michael Jennings wrote:
>>> On Tuesday, 09 June 2020, at 12:43:34 (+0200),
>>> Ole Holm Nielsen wrote:
>>>
>>>> in which case you need to set up SSH authorized_keys files for such
>>>> users.
>>> I'll admit that I didn't know about this until I came to LANL, but
>>> there's actually a much better alternative than having to create user
>>> key pairs and manage users' ~/.ssh/authorized_keys files: Host-based
>>> Authentication.
>>>
>>> Setting "HostbasedAuthentication yes" and configuring it properly on
>>> all the cluster hosts allows a cryptographically-secured equivalent of
>>> what used to be known as RHosts-style Authentication using ~/.rhosts
>>> and /etc/hosts.equiv.  Essentially, it allows host-key-authenticated
>>> systems to recognize each other, and once that completes successfully,
>>> the target host trusts the source host to accurately introduce the
>>> user who's logging in.
>>>
>>> Once you have host-based authentication working, users can SSH around
>>> inside your cluster seamlessly (subject to additional restrictions, of
>>> course, like access.conf or pam_slurm_adopt) without needing hackish
>>> extra utilities to create and manage cluster-specific passphraseless
>>> key pairs for every single user! :-)
>>>
>>> There's a great cookbook online that tells you step-by-step how to set
>>> it up: 
>>> https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Host-based_Authentication 
>>>
>
-- 
Prentice Bisbal
Lead Software Engineer
Research Computing
Princeton Plasma Physics Laboratory
http://www.pppl.gov
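As an added example (not from the thread, and not OpenSSH's own code), a small audit that reads an sshd_config the way sshd does and lists the settings that create the cluster-wide trust Prentice describes. It assumes the first-occurrence-wins and Match-scoping rules and the defaults documented in sshd_config(5); the sample config is constructed.

```python
# Added example: audit an sshd_config for host-based trust. sshd keeps the FIRST
# value of a keyword, keywords are case-insensitive, and Match scopes later lines.
import re

DEFAULTS = {                           # from sshd_config(5)
    "hostbasedauthentication": "no",   # off by default, as the thread notes
    "ignorerhosts": "yes",             # ignore per-user ~/.rhosts and ~/.shosts
    "ignoreuserknownhosts": "no",      # users' own known_hosts may vouch for hosts
}

def parse_sshd_config(text):
    # Returns (global_opts, [(match_criteria, opts), ...]); keys are lowercased.
    global_opts, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "key value" or "key=value"
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":            # everything after this line is scoped
            current = {}
            match_blocks.append((val, current))
        else:                         # first occurrence wins, as in sshd
            (global_opts if current is None else current).setdefault(key, val)
    return global_opts, match_blocks

def hostbased_findings(text):
    """List settings that make a compromised account trusted on every host."""
    g, matches = parse_sshd_config(text)
    eff = {k: g.get(k, d).lower() for k, d in DEFAULTS.items()}
    findings = []
    if eff["hostbasedauthentication"] == "yes":
        findings.append("HostbasedAuthentication enabled globally")
        if eff["ignorerhosts"] == "no":
            findings.append("IgnoreRhosts no: ~/.rhosts and ~/.shosts are honoured")
        if eff["ignoreuserknownhosts"] == "no":
            findings.append("IgnoreUserKnownHosts no: user known_hosts can vouch for client hosts")
    for crit, opts in matches:
        if opts.get("hostbasedauthentication", "").lower() == "yes":
            findings.append(f"HostbasedAuthentication enabled for 'Match {crit}'")
    return findings

SAMPLE = """\
# constructed sample for a cluster node; the second HostbasedAuthentication is ignored
HostbasedAuthentication yes
IgnoreRhosts yes
IgnoreUserKnownHosts no
HostbasedAuthentication no
Match Address 10.0.0.0/8
    HostbasedAuthentication yes
"""
```

Run `hostbased_findings(open("/etc/ssh/sshd_config").read())` on a node to see which of these apply there.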