[slurm-users] ssh-keys on compute nodes?
Brian Andrus
toomuchit at gmail.com
Fri Jun 19 14:27:05 UTC 2020
Nice write-up Ole!
I especially like the statement (emphasis added):
For security reasons it is strongly recommended *not* to include the Slurm
servers slurmctld <http://slurm.schedmd.com/slurmctld.html> and slurmdbd
<http://slurm.schedmd.com/slurmdbd.html> hosts in the
Host-based_Authentication
<https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Host-based_Authentication>
because /*normal users have no business on those servers!*/
Brian Andrus
On 6/17/2020 1:26 AM, Ole Holm Nielsen wrote:
> On 6/9/20 5:45 PM, Michael Jennings wrote:
>> On Tuesday, 09 June 2020, at 12:43:34 (+0200),
>> Ole Holm Nielsen wrote:
>>
>>> in which case you need to set up SSH authorized_keys files for such
>>> users.
>>
>> I'll admit that I didn't know about this until I came to LANL, but
>> there's actually a much better alternative than having to create user
>> key pairs and manage users' ~/.ssh/authorized_keys files: Host-based
>> Authentication.
>>
>> Setting "HostbasedAuthentication yes" and configuring it properly on
>> all the cluster hosts allows a cryptographically-secured equivalent of
>> what used to be known as RHosts-style Authentication using ~/.rhosts
>> and /etc/hosts.equiv. Essentially, it allows host-key-authenticated
>> systems to recognize each other, and once that completes successfully,
>> the target host trusts the source host to accurately introduce the
>> user who's logging in.
>>
>> Once you have host-based authentication working, users can SSH around
>> inside your cluster seamlessly (subject to additional restrictions, of
>> course, like access.conf or pam_slurm_adopt) without needing hackish
>> extra utilities to create and manage cluster-specific passphraseless
>> key pairs for every single user! :-)
>
> The host-based SSH authentication is a good idea, but only inside the
> cluster's security perimeter, and one should not trust computers
> external to the cluster nodes in this way.
>
> I was looking at the OpenSSH documentation and the cookbooks on the
> net for configuring host-based SSH authentication. The information
> can be a little imprecise, so after a good deal of testing I've
> written a new section in my Wiki page for Slurm on CentOS 7 systems:
>
> https://wiki.fysik.dtu.dk/niflheim/SLURM#ssh-keys-for-password-less-access-to-cluster-nodes
>
>
> This also includes ways to gather SSH public keys from the cluster nodes.
>
> Comments are welcome.
>
> Best regards,
> Ole
>
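
Added example (not part of the original thread or of the wiki page it links to): a Python example that turns ssh-keyscan output into the shosts.equiv and ssh_known_hosts trust lists used by host-based authentication while keeping the slurmctld and slurmdbd hosts out, and audits an existing shosts.equiv for them. The host names, keys and the SLURM_SERVERS set are constructed placeholders, and the function names are hypothetical.

```python
# Added example: keep the Slurm server hosts out of the host-based trust files.
# All host names and keys below are constructed placeholders.
SLURM_SERVERS = {"slurmctl01", "slurmdb01"}  # assumed slurmctld / slurmdbd hosts

KEYSCAN_OUTPUT = """\
# node001:22 SSH-2.0-OpenSSH_7.4
node001,10.0.0.1 ssh-ed25519 AAAA_PLACEHOLDER_KEY_1
node002.cluster.example ssh-ed25519 AAAA_PLACEHOLDER_KEY_2
slurmctl01 ssh-ed25519 AAAA_PLACEHOLDER_KEY_3
SlurmDB01.cluster.example,10.0.0.251 ssh-ed25519 AAAA_PLACEHOLDER_KEY_4
|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAA_PLACEHOLDER_KEY_5
"""


def is_slurm_server(name, servers=SLURM_SERVERS):
    """True if name is a server's short name or FQDN (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == s or name.startswith(s + ".") for s in servers)


def build_trust_files(keyscan_text, servers=SLURM_SERVERS):
    """Return (shosts_equiv, ssh_known_hosts, rejected) from ssh-keyscan output."""
    trusted, known, rejected = [], [], []
    for line in keyscan_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or ssh-keyscan banner comment
        fields = line.split()
        names = fields[0].split(",")
        # Reject malformed lines, hashed names (cannot be checked) and Slurm servers.
        if len(fields) < 3 or fields[0].startswith("|") or any(is_slurm_server(n, servers) for n in names):
            rejected.append(line)
            continue
        known.append(line)
        for n in names:
            if n not in trusted:
                trusted.append(n)  # one trusted client name per shosts.equiv line
    return "\n".join(trusted) + "\n", "\n".join(known) + "\n", rejected


def audit_shosts_equiv(text, servers=SLURM_SERVERS):
    """Return lines of an existing shosts.equiv that grant trust to a Slurm server."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        # Skip comments and negative ("-host") entries; "+host" is a grant.
        if fields and fields[0][0] not in "#-" and is_slurm_server(fields[0].lstrip("+"), servers):
            hits.append(line.strip())
    return hits
```

Entries returned in the rejected list are worth reviewing by hand before the generated files are distributed to the compute nodes.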