On Tuesday, 09 June 2020, at 12:43:34 (+0200), Ole Holm Nielsen wrote:

> in which case you need to set up SSH authorized_keys files for such
> users.

I'll admit that I didn't know about this until I came to LANL, but there's actually a much better alternative than having to create user key pairs and manage users' ~/.ssh/authorized_keys files: Host-based Authentication.

Setting "HostbasedAuthentication yes" and configuring it properly on all the cluster hosts allows a cryptographically-secured equivalent of what used to be known as RHosts-style Authentication using ~/.rhosts and /etc/hosts.equiv. Essentially, it allows host-key-authenticated systems to recognize each other, and once that completes successfully, the target host trusts the source host to accurately introduce the user who's logging in.

Once you have host-based authentication working, users can SSH around inside your cluster seamlessly (subject to additional restrictions, of course, like access.conf or pam_slurm_adopt) without needing hackish extra utilities to create and manage cluster-specific passphraseless key pairs for every single user! :-)

There's a great cookbook online that tells you step-by-step how to set it up:

https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Host-based_Authentication

HTH!
Michael

--
Michael E. Jennings <m...@lanl.gov>
HPC Systems Team, Los Alamos National Laboratory
Bldg. 03-2327, Rm. 2341
W: +1 (505) 606-0605
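As an added example (not part of the original message or the linked cookbook), the following shell sketch audits the files that "configuring it properly" depends on: the server and client `HostbasedAuthentication` settings, the client's `EnableSSHKeysign`, and a public host key in `ssh_known_hosts` for every host trusted in `shosts.equiv`. It assumes the stock OpenSSH file names collected under one directory; the function names, host names and key material are constructed placeholders.

```shell
#!/bin/sh
# Audit the files host-based authentication depends on (added example).
# Assumptions: stock OpenSSH file names in one directory (usually /etc/ssh);
# plain "Keyword value" lines and plain host names (no hashed entries,
# netgroups or negations); Match/Host blocks are not interpreted.

# Print the first value given for keyword $2 in file $1, lowercased.
first_value() {
    [ -r "$1" ] || return 0
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Print one line per problem found under directory $1; return 1 if any.
check_hostbased() {
    dir=$1 bad=0
    for spec in sshd_config:HostbasedAuthentication \
                ssh_config:HostbasedAuthentication ssh_config:EnableSSHKeysign; do
        file=${spec%%:*} key=${spec#*:}
        if [ "$(first_value "$dir/$file" "$key")" != yes ]; then
            echo "$file: $key is not set to yes"; bad=1
        fi
    done
    if [ ! -r "$dir/shosts.equiv" ]; then
        echo "shosts.equiv: missing, no client host is trusted"; return 1
    fi
    # Each trusted client host needs its public host key in ssh_known_hosts.
    while read -r host rest; do
        case $host in ''|\#*) continue ;; esac
        awk -v h="$host" '{ n = split($1, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == h) f = 1 }
            END { exit !f }' "$dir/ssh_known_hosts" 2>/dev/null ||
            { echo "ssh_known_hosts: no key for $host"; bad=1; }
    done < "$dir/shosts.equiv"
    return "$bad"
}

# Constructed sample tree: host names and key blob are placeholders.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'HostbasedAuthentication yes\n' > "$d/sshd_config"
    printf 'HostbasedAuthentication yes\n#EnableSSHKeysign yes\n' > "$d/ssh_config"
    printf 'node01.cluster.example\nnode02.cluster.example\n' > "$d/shosts.equiv"
    printf 'node01.cluster.example,node01 ssh-ed25519 AAAAPLACEHOLDER\n' \
        > "$d/ssh_known_hosts"
    echo "$d"
}

# Run the audit on the constructed sample; it reports two problems.
sample=$(make_sample) && { check_hostbased "$sample" || true; }
```

On a real node, `check_hostbased /etc/ssh` runs the same checks against the live configuration.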