[Beowulf] CLuster - Mpich - tstmachines - Heeelp !!!!!!!!

hahn at physics.mcmaster.ca hahn at physics.mcmaster.ca
Wed Jul 19 06:17:54 EDT 2006

>>> unless you really want to run programs as root, I wouldn't recommend
>>> to allow root login at all with ssh. Better is to have to login as a
>>> user first, and then su to root.
>> I disagree with this, actually.  first, "su root" is almost always the
>> worst thing to do, since it requires that you have an easy-to-type
>> password for root, and that you quite possibly type it frequently.
>> using an SSH identity for logging in directly as root is surely more
>> secure.  that's my preferred technique - I run ssh-agent
>> so almost never type any password.
> Using passworded ssh key authentication is, I believe, the most secure
> remote login setup.

I think you mean passphrase-encrypted key - yes, that's what I meant.
un-passphrase'd keys would be equivalent in crypto-strength, but anyone 
who managed to get a hold of the private key would have complete access.

> The usage schema of sudo is inherently safer -- increase privilege for
> one task only, then go back to SOP. Control is also more granular, so it
> is more secure.

the more often a password is typed, the less secure it is.

>> right - I don't have a problem with rsh as an internal cluster spawn
>> method.
>> though since you almost certainly also have sshd running, it makes sense
>> to have fewer daemons.
> It's okay for a small cluster where you have really good control over
> the users.

I understand why you would say this, but I don't think it's true:
regardless of the size of the cluster or randomness of the user 
community, once someone gets root, they get everything.  I don't see
why the number of nodes would make any difference (since they're 
probably all running the same distro, therefore have the same holes).
and I'm not sure the user-base matters either, except that more users
mean more chances someone will go grey some weekend, or get compromised.