[slurm-users] ssh-keys on compute nodes?

Mark Hahn hahn at mcmaster.ca
Fri Jun 19 16:55:27 UTC 2020


> The host-based SSH authentication is a good idea, but only inside the 
> cluster's security perimeter, and one should not trust computers external to 
> the cluster nodes in this way.

Even more than that!  Hostbased allows you to define intersecting sets of
asymmetric trust.  For instance, usually symmetric trust among compute nodes,
and they trust login nodes.  But perhaps login nodes don't trust compute
nodes, but do trust each other.  And admin nodes don't trust anyone, 
but everyone trusts them.  If you have "equivalent" clusters (same LDAP,
etc), then you might want login nodes of different clusters to trust each other.

The big win is that you entirely avoid the presence of private keys on the cluster.

We've used this widely in ComputeCanada since about 2003.

regards, mark hahn.
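
The trust sets described in the message above can be modelled and rendered as one /etc/ssh/shosts.equiv per node role. This is an added example, not part of the original message or of any site's configuration; the role names, hostnames and helper functions are constructed for illustration. It assumes OpenSSH with `HostbasedAuthentication yes` in sshd_config on servers, `HostbasedAuthentication yes` and `EnableSSHKeysign yes` in ssh_config on clients, and each client's host public key in the server's /etc/ssh/ssh_known_hosts.

```python
# Added example: per-role /etc/ssh/shosts.equiv for OpenSSH host-based auth.
# Role names and hostnames are constructed for illustration.

# Constructed inventory: role -> hosts.
HOSTS = {
    "compute": ["cn001.example", "cn002.example"],
    "login": ["login1.example", "login2.example"],
    "admin": ["admin1.example"],
}

# TRUSTS[server_role] = client roles whose hosts that server accepts.
# Mirrors the message: compute nodes trust each other and login nodes;
# login nodes trust each other but not compute; admin trusts no one;
# everyone trusts admin.
TRUSTS = {
    "compute": {"compute", "login", "admin"},
    "login": {"login", "admin"},
    "admin": set(),
}

def role_of(host):
    for role, hosts in HOSTS.items():
        if host in hosts:
            return role
    raise KeyError(f"unknown host: {host}")

def trusted_clients(server_role):
    """Hostnames to list in shosts.equiv on every host of server_role."""
    return sorted(h for r in TRUSTS[server_role] for h in HOSTS[r])

def allows(client_host, server_host):
    """True if server_host would accept host-based auth from client_host."""
    return client_host in trusted_clients(role_of(server_host))

def render_shosts_equiv(server_role):
    header = f"# shosts.equiv for {server_role} nodes (generated)\n"
    return header + "".join(h + "\n" for h in trusted_clients(server_role))

def asymmetric_pairs():
    """Role pairs (a, b) where b accepts a but a does not accept b."""
    return sorted((a, b) for b in TRUSTS for a in TRUSTS[b] if b not in TRUSTS[a])

if __name__ == "__main__":
    for role in HOSTS:
        print(render_shosts_equiv(role))
    print(asymmetric_pairs())
```

Running asymmetric_pairs() before deploying the generated files makes every one-way trust edge explicit, so an unintended direction (for example login nodes accepting compute nodes) shows up in review rather than in production.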


