[Beowulf] CLuster - Mpich - tstmachines - Heeelp !!!!!!!!

hahn at physics.mcmaster.ca hahn at physics.mcmaster.ca
Wed Jul 19 06:17:54 EDT 2006


>>> unless you really want to run programs as root, I wouldn't recommend
>>> to allow root login at all with ssh. Better is to have to login as a
>>> user first, and then su to root.
>>
>> I disagree with this, actually.  first, "su root" is almost always the
>> worst thing to do, since it requires that you have an easy-to-type
>> password for root, and that you quite possibly type it frequently.
>> using an SSH identity for logging in directly as root is surely more
>> secure.  that's my preferred technique - I run ssh-agent
>> so almost never type any password.
> Using passworded ssh key authentication is, I believe, the most secure
> remote login setup.

I think you mean passphrase-encrypted key - yes, that's what I meant.
un-passphrase'd keys would be equivalent in crypto-strength, but anyone 
who managed to get a hold of the private key would have complete access.

> The usage schema of sudo is inherently safer -- increase privilege for
> one task only, then go back to SOP. Control is also more granular, so it
> is more secure.

the more often as password is typed, the less secure it is.

>> right - I don't have a problem with rsh as an internal cluster spawn
>> method.
>> though since you almost certainly also have sshd running, it makes sense
>> to have fewer daemons.
> It's okay for a small cluster where you have really good control over
> the users.

I understand why you would say this, but I don't think it's true:
regardless of the size of the cluster or randomness of the user 
community, once someone gets root, they get everything.  I don't see
why the number of nodes would make any difference (since they're 
probably all running the same distro, therefore have the same holes).
and I'm not sure the use-base matters either, except that more users
mean more chances someone will go grey some weekend, or get compromised.
_______________________________________________
Beowulf mailing list, Beowulf at beowulf.org
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf



More information about the Beowulf mailing list