[Beowulf] CLuster - Mpich - tstmachines - Heeelp !!!!!!!!
gdjacobs at gmail.com
Wed Jul 19 01:56:23 EDT 2006
hahn at physics.mcmaster.ca wrote:
>> unless you really want to run programs as root, I wouldn't recommend
>> to allow root login at all with ssh. Better is to have to login as a
>> user first, and then su to root.
> I disagree with this, actually. first, "su root" is almost always the
> worst thing to do, since it requires that you have an easy-to-type
> password for root, and that you quite possibly type it frequently.
> using an SSH identity for logging in directly as root is surely more
> secure. that's my preferred technique - I run ssh-agent
> so almost never type any password.
Using passworded ssh key authentication is, I believe, the most secure
remote login setup. Secure enough that I expect one could reduce the
length of the password to something reasonable (but still not brute
> but even if you don't like that, surely sudo is better than "su root",
> though it does mean the onus of difficulty falls to your password.
> (and for multiple admins, it means that root effectively has a password
> hardness N times lower than the admin user passwords...)
> the logging performed by sudo is, IMO, of marginal value - it means that
> someone spends time reading it, and while it's an OK audit trail
> for figuring out what happened, it's of no value forensically
> (since any serious attacker will compromise syslog.)
The usage schema of sudo is inherently safer -- increase privilege for
one task only, then go back to SOP. Control is also more granular, so it
is more secure.
>> If you use rsh, you also don't need any passwordless ssh login. After
>> putting all the nodes in all /etc/hosts.equiv the rsh should allow
>> already a passwordless login to the nodes. With setting P4_RSHCOMMAND,
>> it will target compiled programs.
> right - I don't have a problem with rsh as an internal cluster spawn
> though since you almost certainly also have sshd running, it makes sense
> to have fewer daemons.
It's okay for a small cluster where you have really good control over
the users. I don't think there's a point to it anymore, though. No real
performance advantage, and it's not any more simple to configure.
> regards, mark hahn.
Geoffrey D. Jacobs
Go to the Chinese Restaurant,
Order the Special
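
An added example, not part of the original post or thread: a small check of which root-login setup from the discussion above (no root login, identity-based root login, or password root login) an `sshd_config` allows. It assumes current OpenSSH keyword semantics and defaults; the function names and the sample configurations are constructed for illustration.

```python
# Added example: how can root log in over SSH, judging from sshd_config text?
# Assumptions: current OpenSSH semantics (case-insensitive keywords, first value
# seen wins, lines after "Match" are conditional) and current defaults.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

def global_settings(config_text):
    """Return the effective global values of the keywords in DEFAULTS."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":          # conditional blocks are not evaluated here
            break
        if key in DEFAULTS and key not in seen and len(parts) == 2:
            seen[key] = parts[1].strip().lower()
    return {**DEFAULTS, **seen}

def root_login_mode(config_text):
    """Classify root login; keyboard-interactive/PAM settings are not examined."""
    s = global_settings(config_text)
    mode = s["permitrootlogin"]
    if mode == "no":
        return "disabled"           # log in as a user first, then sudo or su
    if mode in ("prohibit-password", "without-password", "forced-commands-only"):
        return "no-password"        # root needs an SSH identity, not a password
    if mode == "yes" and s["passwordauthentication"] == "no":
        return "no-password"
    return "password-allowed"       # also the answer for unrecognised values

# Constructed sample configurations.
FIRST_WINS = "PermitRootLogin prohibit-password\nPermitRootLogin yes\n"
PASSWORD = "#PermitRootLogin no\npermitrootlogin YES\n"
MATCH = "PasswordAuthentication no\nMatch Address 10.0.0.0/8\n    PermitRootLogin yes\n"
DISABLED = "PermitRootLogin no\n"

if __name__ == "__main__":
    for name in ("FIRST_WINS", "PASSWORD", "MATCH", "DISABLED"):
        print(name, "->", root_login_mode(globals()[name]))
```
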