[Beowulf] Intra-cluster security

Stuart Barkley stuartb at 4gh.net
Fri Sep 11 15:39:48 EDT 2009


We are working with a couple small clusters (6-8 nodes) and will soon
be working with some much larger cluster/supercomputer systems.  We
are currently using SGE 6.2 for job queuing.  We use kerberos for
authentication and ssh for system access.

What are people's thoughts about secure communications between the
nodes of a cluster?  I see a cluster as a single computational
resource and would like to see flexibility of communications between
the nodes of the cluster.

There seem to be a couple of approaches:

- Old style rsh/rlogin.  Not acceptable for me.

- Kerberos with ssh works fine for interactive users, but doesn't seem
to translate well to a queuing environment.  Or am I missing
something?

- Each user creates a password-less ssh private key, puts the public
key in the authorized_hosts file and has relatively unfettered ssh
access between nodes (nfs shared home directory helps a lot).  This
seems to be the most common approach.  It is end-user setup/training
intensive (I suppose it could be automated/audited). I consider it
dangerous to encourage use of password-less ssh keys.

- It looks like SGE has some new functionality for using certificates
and its own certificate authority.  I haven't looked closely at this
yet.  It looks like each user has a password-less private certificate
and the authorization comes from not having the certificate revoked.
This seems almost equivalent to the password-less ssh key solution.

- It looks like I can configure the cluster systems to handle local
ssh transparently.  This would involve setting setuid/setgid on ssh,
building cluster wide authorized_keys files and other things.  I
haven't studied this closely but there are a few references available
(http://www.snailbook.com/faq/trusted-host-howto.auto.html among
others).

I favor this last solution as being the most user transparent.  I find
it surprising that none of the cluster distributions seem to use this
method.  I would like some feedback as to how well this works in
practice and whether there are any obvious or non-obvious gotchas
people might have already encountered.

Thanks,
Stuart Barkley
-- 
I've never been lost; I was once bewildered for three days, but never lost!
                                        --  Daniel Boone

_______________________________________________
Beowulf mailing list, Beowulf at beowulf.org sponsored by Penguin Computing
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf
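The trusted-host approach favored above rests on a handful of sshd_config settings on every node. The script below, an added example rather than anything from the post or the cited howto, lists those settings with the OpenSSH defaults that apply when a keyword is absent and audits a sshd_config file against them; the file path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original post: the sshd_config settings on which
# cluster-wide host-based ("trusted host") ssh depends, and a small audit that
# checks an sshd_config file for them. Assumes OpenSSH keywords and defaults.

# KEY=WANTED=SSHD_DEFAULT (the default applies when the keyword is absent):
#  HostbasedAuthentication yes    accept logins proven by the client node's host key
#  IgnoreRhosts yes               honour only /etc/ssh/shosts.equiv, never ~/.shosts or ~/.rhosts
#  IgnoreUserKnownHosts yes       pin peer host keys in /etc/ssh/ssh_known_hosts only
#  HostbasedUsesNameFromPacketOnly no  resolve the client name ourselves, do not trust the one it sends
REQUIRED="HostbasedAuthentication=yes=no IgnoreRhosts=yes=yes IgnoreUserKnownHosts=yes=no HostbasedUsesNameFromPacketOnly=no=no"

# sshd_config_value FILE KEY: effective value of KEY, lower-cased; empty if unset.
# As in sshd, the first occurrence wins; Match blocks are skipped here.
sshd_config_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { inmatch = 1 }
        !inmatch && tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# audit_hostbased FILE: prints one line per setting that is missing or wrong,
# returns 0 when the file is ready for host-based authentication, 1 otherwise.
audit_hostbased() {
    rc=0
    for spec in $REQUIRED; do
        key=${spec%%=*}; rest=${spec#*=}
        want=${rest%%=*}; def=${rest#*=}
        got=$(sshd_config_value "$1" "$key")
        [ -n "$got" ] || got=$def
        if [ "$got" != "$want" ]; then
            echo "$1: $key is '$got', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# Usage: audit_hostbased /etc/ssh/sshd_config on each node before turning on
# the client side (ssh_config: HostbasedAuthentication yes, EnableSSHKeysign yes).
```

On the client side the matching ssh_config options are HostbasedAuthentication and EnableSSHKeysign; it is the ssh-keysign helper, which must read the node's private host key, that is installed setuid, not ssh itself. Pinning every node's host key in /etc/ssh/ssh_known_hosts is what stops a rogue machine that spoofs a cluster hostname from being accepted.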