[slurm-users] ssh-keys on compute nodes?
Ole Holm Nielsen
Ole.H.Nielsen at fysik.dtu.dk
Fri Jun 19 18:57:58 UTC 2020
On 19-06-2020 18:55, Mark Hahn wrote:
>> The host-based SSH authentication is a good idea, but only inside the
>> cluster's security perimeter, and one should not trust computers
>> external to the cluster nodes in this way.
>
> Even more than that! Hostbased allows you to define intersecting sets of
> asymmetric trust. For instance, usually symmetric trust among compute
> nodes, and they trust login nodes. But perhaps login nodes don't trust
> compute nodes, but do trust each other. And admin nodes don't trust
> anyone, but everyone trusts them. If you have "equivalent" clusters
> (same LDAP, etc), then you might want login nodes of different clusters
> to trust each other.
So how do you configure that? Let me guess that you configure
host-based SSH authentication on all nodes, but who trusts whom is
configured in the /etc/ssh/shosts.equiv file? Do you have any
guidelines for how to configure such asymmetric trust?
> The big win is that you entirely avoid the presence of private keys on
> the cluster.
>
> We've used this widely in ComputeCanada since about 2003.
/Ole
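
One way to express the directional trust sets described in the quoted text, as an added example that is not part of the original message or of any poster's actual setup: a per-role table from which each node's /etc/ssh/shosts.equiv and sshd_config lines are rendered. The host names, role names and the TRUSTS table are constructed assumptions.

```python
# Added example. Host names, role names and the TRUSTS table are constructed
# assumptions that mirror the trust sets described in the thread.
INVENTORY = {
    "compute": ["cn001.cluster.example", "cn002.cluster.example"],
    "login": ["login1.cluster.example", "login2.cluster.example"],
    "admin": ["admin1.cluster.example"],
}

# TRUSTS[role] = roles whose hosts are accepted as hostbased clients by sshd
# on hosts of `role`. Trust is directional: login accepts admin, not compute.
TRUSTS = {
    "compute": {"compute", "login", "admin"},
    "login": {"login", "admin"},
    "admin": set(),
}


def role_of(host):
    """Return the role a host belongs to in INVENTORY."""
    for role, hosts in INVENTORY.items():
        if host in hosts:
            return role
    raise KeyError(f"unknown host: {host}")


def shosts_equiv(role):
    """Text of /etc/ssh/shosts.equiv for hosts of `role`, one client per line."""
    clients = sorted(h for r in TRUSTS[role] for h in INVENTORY[r])
    return "".join(f"{h}\n" for h in clients)


def sshd_fragment(role):
    """sshd_config lines for `role`; hosts that trust nobody disable the method."""
    if not TRUSTS[role]:
        return "HostbasedAuthentication no\n"
    # IgnoreRhosts yes keeps per-user ~/.rhosts and ~/.shosts from widening
    # the trust set; the system-wide shosts.equiv is still honoured.
    return "HostbasedAuthentication yes\nIgnoreRhosts yes\n"


def may_login(src, dst):
    """True if the shosts.equiv rendered for `dst` lists `src` as a client."""
    return src in shosts_equiv(role_of(dst)).split()


if __name__ == "__main__":
    for role in INVENTORY:
        print(f"## {role}: sshd_config\n{sshd_fragment(role)}"
              f"## {role}: /etc/ssh/shosts.equiv\n{shosts_equiv(role)}")
```

Each server also needs the host public keys of the clients it lists in /etc/ssh/ssh_known_hosts, and the clients need HostbasedAuthentication yes and EnableSSHKeysign yes in ssh_config. OpenSSH does not consult shosts.equiv for root logins.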