[slurm-users] [External] Re: ssh-keys on compute nodes?
Durai Arasan
arasan.durai at gmail.com
Tue Jun 16 13:17:55 UTC 2020
Thank you. We are planning to put ssh keys on login nodes only and use the
PAM module to control access to compute nodes. Will such a setup work? Or
is it necessary for PAM to work to have the ssh keys on the compute nodes
as well? I'm sorry but this is not clearly mentioned on any
documentation...
Durai
Zentrum für Datenverarbeitung
Tübingen
On Wed, Jun 10, 2020 at 7:45 PM Prentice Bisbal <pbisbal at pppl.gov> wrote:
> Gladly! User based security means that you need to enter a user password
> or something similar like kerberos keys or SSH keys to authenticate with
> a different hosts. In every place I've worked, passwordless ssh keys
> were forbidden, so even if using SSH keys, that ssh key would need to be
> unlocked with with the password the first time it's used. In this
> scenario, if a user account is compromised on one system, the damage is
> limited to that system.
>
> With host-based security, all the hosts in the trusted group allow users
> to go from one machine to the other without using a password. In this
> case, if a user account is compromised on one system, then that user
> account now compromised on *every* system in the trusted group.
>
> Does that make sense?
>
> There's a reason why host-based authentication is not the default
> behavior in SSH.
>
> Prentice
>
> On 6/9/20 3:34 PM, Ole Holm Nielsen wrote:
> > Hi Prentice,
> >
> > Could you kindly elaborate on this statement? Is host-based security
> > safe inside a compute cluster compared to user-based SSH keys?
> >
> > Thanks,
> > Ole
> >
> >
> > On 09-06-2020 21:26, Prentice Bisbal wrote:
> >> Host-based security is not considered as safe as user-based security,
> >> so should only be used in special cases.
> >>
> >> On 6/9/20 11:45 AM, Michael Jennings wrote:
> >>> On Tuesday, 09 June 2020, at 12:43:34 (+0200),
> >>> Ole Holm Nielsen wrote:
> >>>
> >>>> in which case you need to set up SSH authorized_keys files for such
> >>>> users.
> >>> I'll admit that I didn't know about this until I came to LANL, but
> >>> there's actually a much better alternative than having to create user
> >>> key pairs and manage users' ~/.ssh/authorized_keys files: Host-based
> >>> Authentication.
> >>>
> >>> Setting "HostbasedAuthentication yes" and configuring it properly on
> >>> all the cluster hosts allows a cryptographically-secured equivalent of
> >>> what used to be known as RHosts-style Authentication using ~/.rhosts
> >>> and /etc/hosts.equiv. Essentially, it allows host-key-authenticated
> >>> systems to recognize each other, and once that completes successfully,
> >>> the target host trusts the source host to accurately introduce the
> >>> user who's logging in.
> >>>
> >>> Once you have host-based authentication working, users can SSH around
> >>> inside your cluster seamlessly (subject to additional restrictions, of
> >>> course, like access.conf or pam_slurm_adopt) without needing hackish
> >>> extra utilities to create and manage cluster-specific passphraseless
> >>> key pairs for every single user! :-)
> >>>
> >>> There's a great cookbook online that tells you step-by-step how to set
> >>> it up:
> >>>
> https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Host-based_Authentication
> >>>
> >
> --
> Prentice Bisbal
> Lead Software Engineer
> Research Computing
> Princeton Plasma Physics Laboratory
> http://www.pppl.gov
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.schedmd.com/pipermail/slurm-users/attachments/20200616/92052b16/attachment-0001.htm>
More information about the slurm-users
mailing list