[Beowulf] passwordless "rsh" login

Robert G. Brown rgb at phy.duke.edu
Fri Jul 9 13:43:51 EDT 2004


On Thu, 8 Jul 2004, Daniel Pfenniger wrote:

> 
> 
> Andrew M.A. Cater wrote:
> > On Wed, Jul 07, 2004 at 01:20:43PM -0700, sandeep krishnan wrote:
> ....
> > _Don't_ use rsh :) Use ssh with key exchange and passwordless login.
> > There is a compatibility hack to make ssh behave exactly like rsh -
> > you might even get away just with linking ssh -> rsh :)
> ...
> 
> Please elaborate, I prefer rational arguments to orders.
> What is wrong with rsh, what is much better with ssh?
> A few words explanation would help.

If you search the list archives, I've written a few thousand words on
this three or four times.  Things wrong with rsh:

 a) no security (as in "bleeding wound" in an open network)
 b) no environment passing
 c) no tunnelling/port forwarding
 d) no intrinsic X11 support
 e) archaic and easily spoofed/snooped authentication mechanism (see a))
 f) terrible passwordless login control
 g) more or less frozen, unsupported code

Things good about rsh:

 h) relatively fast

Things good about ssh:

 a) strong security
 b) environment passing
 c) port tunnelling/forwarding
 d) intrinsic X11 support
 e) strong host authentication
 f) strong personal authentication
 g) bidirectional encryption, not easily snooped
 h) good passwordless login control
 i) currently being supported

Things bad about ssh:

 i) relatively slow
 j) cannot select "no encryption" as option even on secure networks
 k) evil tty disconnect "feature" that requires ~. escapes (nested yet)
    to leave a job backgrounded from an ssh session.

In MOST cases the speed differential is simply not an important issue.
I personally might wish that i-k were different to make it easier to
achieve rsh-like use on secure networks and to be able to ssh host task
&, but the writers/maintainers are clearly more concerned with making it
difficult to impossible to defeat its intrinsic security features.

> As far as I understand, in an isolated cluster rsh works rather well,
> security is not necessarily an issue.
> On the other hand ssh may slow communications for particular usages
> (such as a constant stream of console messages through the network).

In most cases your intrinsic limitation is going to be the speed of a
pseudo tty interface, not ssh.  Simply writing to an xterm/console
window is slow -- almost certainly MUCH slower than the speed with which
ssh can encrypt/decrypt data.

Of course for real parallel operations, one doesn't use ssh (or any
shell) to do real internode communications -- at most it is for out of
band control operations like starting up pvm or mpi itself on remote
nodes.  Or one writes a nice raw socket interface, or whatever.  ssh is
fine for typical remote/interactive use on a cluster.

> ssh is particularly recommended on an untrusted network, but then
> I would like once to see an *easy* procedure for installing ssh safely
> by the sys admin passwordless login for all the network trusted users.

I don't think that this would be terribly difficult, although easy is a
matter of personal perspective.  Look into ssh-agent(1) and ssh-add(1).
I've never used them, but this looks like what they might be for.

   rgb

> 
> 	Dan
> 
> 
> 
> _______________________________________________
> Beowulf mailing list, Beowulf at beowulf.org
> To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf
> 

-- 
Robert G. Brown	                       http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525     email:rgb at phy.duke.edu
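
The ssh-agent(1)/ssh-add(1) route mentioned at the end of the message, sketched as an added example that is not part of the original post. It assumes OpenSSH and a home directory shared across the nodes (e.g. over NFS); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): key-based "passwordless"
# login with a passphrase-protected key held by ssh-agent.
# Assumption: $HOME is shared by all cluster nodes, so one authorized_keys
# file covers every node.

# Append a public key to HOME_DIR/.ssh/authorized_keys exactly once, with
# the permissions sshd's StrictModes check expects (700 dir, 600 file).
install_pubkey() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # -x whole line, -F fixed string: skip the append if the key is present
    grep -qxF -- "$pubkey" "$auth" || printf '%s\n' "$pubkey" >> "$auth"
}

# List per-user rsh trust files (.rhosts) left under a directory tree so
# they can be reviewed and removed once ssh keys are in place.
find_rhosts() {
    find "$1" -name .rhosts -type f 2>/dev/null
}

# Interactive part, run once per login session by each user.
setup_agent_login() {
    key="$HOME/.ssh/id_ed25519"
    mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh" || return 1
    # ssh-keygen prompts for a passphrase; do not leave it empty
    [ -f "$key" ] || ssh-keygen -t ed25519 -f "$key" || return 1
    install_pubkey "$HOME" "$(cat "$key.pub")" || return 1
    eval "$(ssh-agent -s)" >/dev/null   # starts agent, exports SSH_AUTH_SOCK
    ssh-add "$key"                      # asks for the passphrase once
}
```

After setup_agent_login has run in a shell, ssh to any node from that shell authenticates through the agent without a further prompt.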
