Nice write-up Ole!
I especially like the statement (emphasis added):
For security reasons it is strongly recommended*not*to include the Slurm
serversslurmctld <http://slurm.schedmd.com/slurmctld.html>andslurmdbd
<http://slurm.schedmd.com/slurmdbd.html>hosts in
theHost-based_Authentication
<https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Host-based_Authentication>because
/*normal users have no business on those servers!*/
Brian Andrus
On 6/17/2020 1:26 AM, Ole Holm Nielsen wrote:
On 6/9/20 5:45 PM, Michael Jennings wrote:
On Tuesday, 09 June 2020, at 12:43:34 (+0200),
Ole Holm Nielsen wrote:
in which case you need to set up SSH authorized_keys files for such
users.
I'll admit that I didn't know about this until I came to LANL, but
there's actually a much better alternative than having to create user
key pairs and manage users' ~/.ssh/authorized_keys files: Host-based
Authentication.
Setting "HostbasedAuthentication yes" and configuring it properly on
all the cluster hosts allows a cryptographically-secured equivalent of
what used to be known as RHosts-style Authentication using ~/.rhosts
and /etc/hosts.equiv. Essentially, it allows host-key-authenticated
systems to recognize each other, and once that completes successfully,
the target host trusts the source host to accurately introduce the
user who's logging in.
Once you have host-based authentication working, users can SSH around
inside your cluster seamlessly (subject to additional restrictions, of
course, like access.conf or pam_slurm_adopt) without needing hackish
extra utilities to create and manage cluster-specific passphraseless
key pairs for every single user! :-)
The host-based SSH authentication is a good idea, but only inside the
cluster's security perimeter, and one should not trust computers
external to the cluster nodes in this way.
I was looking at the OpenSSH documentation and the cookbooks on the
net for configuring host-based SSH authentication. The information
can be a little imprecise, so after a good deal of testing I've
written a new section in my Wiki page for Slurm on CentOS 7 systems:
https://wiki.fysik.dtu.dk/niflheim/SLURM#ssh-keys-for-password-less-access-to-cluster-nodes
This also includes ways to gather SSH public keys from the cluster nodes.
Comments are welcome.
Best regards,
Ole
