Creating user accounts....

Nicholas Henke henken at seas.upenn.edu
Fri Feb 14 12:14:39 EST 2003


On Fri, 14 Feb 2003 12:02:04 -0500 (EST)
"Robert G. Brown" <rgb at phy.duke.edu> wrote:

> What do you mean by host based?  Host KEYPAIR based, or .rhosts,
> /etc/hosts.equiv type authentication?

Yeah -- I guess shosts.equiv in this case.
> 
> The latter kind of authentication is an open invitation to cracking. 
> My very first cracking experience (way back in the 80's) was a Duke
> grad student in CPS who cracked the CS department via a hole in emacs,
> su'd to me, and .rhosted into physics.  Too bad I logged in at the same
> time and happened to notice...
> 
> It is easy to spoof, easy to fool.

OK -- didn't know that. We are only using it here for the cluster nodes
from the cluster head node, in addition to the following in
/etc/pam.d/ssh:
account    required    /lib/security/pam_listfile.so file=/etc/cm_sshauth onerr=fail sense=allow item=user

Which denies all users unless their username is in /etc/cm_sshauth.

Now -- the $3.50 question is if this is still insecure?

> 
> Personal keypair based ensures bidirectional encryption and
> authentication at the personal level, in ADDITION to host based (at
> the level of the ssh public/private keys).
> 
Cool -- thanks for the pointer. We are using the host-based method, as our users
tend to screw up the keys, as most of them have several keys from
different systems just to get into the cluster. ... Yeah, I use keychain
and ssh-agent, but they are not, and I remember your quote about users,
documentation, and a certain effect of urination and hurricanes :)

Nic
-- 
Nicholas Henke
Penguin Herder & Linux Cluster System Programmer
Liniac Project - Univ. of Pennsylvania
_______________________________________________
Beowulf mailing list, Beowulf at beowulf.org
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf
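The setup described in the message above (shosts.equiv on the compute nodes, plus a pam_listfile account line that only admits names listed in /etc/cm_sshauth) can be reasoned about as a small trust matrix. The script below is an added illustration, not code from the message, from OpenSSH or from Linux-PAM. It models the OpenSSH rule for /etc/shosts.equiv lines (a bare "host" line lets any user on that host log in as the same user name; a "host user" line lets that one remote user log in as any non-root local account; "-host" lines deny; the equiv files are never consulted when the target account is root) and the pam_listfile rule from the message (sense=allow item=user onerr=fail, so an unreadable list denies everyone). Netgroups, "+" wildcards, ~/.shosts, IgnoreRhosts and the client host-key check that sshd also performs are not modelled (the host-key check is assumed to succeed); host names are compared literally; all file contents and user names are constructed samples.

```python
"""Effective passwordless access under host-based ssh plus pam_listfile.

Added illustration; not code from the message, OpenSSH or Linux-PAM.
Assumptions: no netgroups or "+" wildcards, no ~/.shosts, literal host-name
comparison, and the client host-key check is assumed to pass.
"""

# Constructed sample /etc/shosts.equiv on a compute node.
SHOSTS_EQUIV = """\
# head node: every user may log in to this node as the same user name
head.cluster.example
# "host user" form: this one remote user may log in as ANY non-root local account
head.cluster.example nic
# negated host: never trusted
-evil.cluster.example
"""

# Constructed sample /etc/cm_sshauth, the pam_listfile allow-list (one name per line).
CM_SSHAUTH = "nic\nalice\nbob\n"


def parse_shosts_equiv(text):
    """Return (negated, host, user_or_None) tuples in file order; '#' lines are comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        negated = host.startswith("-") or (user is not None and user.startswith("-"))
        rules.append((negated, host.lstrip("-"), None if user is None else user.lstrip("-")))
    return rules


def shosts_equiv_permits(rules, client_host, client_user, server_user):
    """First matching rule decides; a line without a user means 'same name as the target'."""
    for negated, host, user in rules:
        if host != client_host:
            continue
        wanted = server_user if user is None else user
        if wanted != client_user:
            continue
        return not negated
    return False


def pam_listfile_allows(allowlist_text, server_user):
    """sense=allow item=user: the target account name must appear in the list."""
    if allowlist_text is None:        # onerr=fail: a missing/unreadable list denies everyone
        return False
    listed = {line.strip() for line in allowlist_text.splitlines() if line.strip()}
    return server_user in listed


def effective_access(shosts_text, allowlist_text, client_host, client_user, server_user):
    """True iff client_user on client_host could log in as server_user with no password."""
    if server_user == "root":         # sshd does not consult the equiv files for root
        return False
    rules = parse_shosts_equiv(shosts_text)
    return (shosts_equiv_permits(rules, client_host, client_user, server_user)
            and pam_listfile_allows(allowlist_text, server_user))


def access_matrix(shosts_text, allowlist_text, client_host, client_users, local_users):
    """Map (client_user, local account) -> allowed, for one client host."""
    return {(cu, su): effective_access(shosts_text, allowlist_text, client_host, cu, su)
            for cu in client_users for su in local_users}


if __name__ == "__main__":
    matrix = access_matrix(SHOSTS_EQUIV, CM_SSHAUTH, "head.cluster.example",
                           ["nic", "alice", "mallory"], ["nic", "alice", "bob", "root"])
    for (cu, su), ok in sorted(matrix.items()):
        print(f"{cu:>8}@head.cluster.example -> {su:<6} {'ALLOW' if ok else 'deny'}")
```

Run as-is, the matrix shows the two things worth checking on such a cluster: the "head.cluster.example nic" line lets nic on the head node become alice or bob on the node (only root is excluded), while a user such as mallory who is not in /etc/cm_sshauth is refused even though shosts.equiv would have let the same name through. The pam_listfile line therefore limits which accounts can be reached, but it does nothing about who on a trusted host is asserting the user name; that part rests entirely on the head node not being compromised.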