[Beowulf] CLuster - Mpich - tstmachines - Heeelp !!!!!!!!
gdjacobs at gmail.com
Wed Jul 19 22:56:20 EDT 2006
Robert G. Brown wrote:
> I'm waiting with great interest to see if "keyrings" make any
> difference. In principle they protect your plaintext keys, but of course
> that is at the expense of having to type a password to get at them.
> Which in turn means that when somebody gets your account they get them.
I was just thinking, the problem may be worse than we are stating, even
if you are running ssh.
> The problem with stuff like rsh is that it can't be patched -- it is
> insecure by design. rsh patched to be secure is called ssh. ssh
> possibly is overprotective -- I personally miss the days when one could
> configure it to run without data encryption (relying on the
> point-to-point switch and protection of promiscuous mode access at the
> endpoints) and use it only for host/user auth -- but with rsh used
> passwordless in a cluster, anybody with a laptop and access to a LAN
> port can almost certainly get into any user account. Including yours,
> making it fairly simple for them to boost to root...
I suspect that a person could go to root on an arbitrary node with a
carefully crafted faux packet stating they have a uid of 0.
> Due diligence for a root-entrusted person is a state that strongly
> resembles raving paranoia combined with the speak not of that which
> should not be spoken of rules of a priest of physician.
Sort of like someone running a chain of 7/11s, except stocking cocaine
on the shelves.
How many howtos recommend exporting home directories via NFS? Or images
of home directories via TFTP? In both cases, you're going to have
private keys transmitted in the clear. The only security left would be
the password encrypting your private key.
Geoffrey D. Jacobs
Go to the Chinese Restaurant,
Order the Special
Beowulf mailing list, Beowulf at beowulf.org
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf
More information about the Beowulf