[Beowulf] Intra-cluster security

Reuti reuti at Staff.Uni-Marburg.DE
Sun Sep 13 11:03:37 EDT 2009


Am 13.09.2009 um 12:31 schrieb Leif Nixon:

> <snip>
> This is the way to go. All our systems are set up this way. Works just
> fine. You just need a mechanism for maintaining host keys and
> ssh_known_hosts. (And remember that this doesn't work for root - you
> need separately set up ~root/.shosts and ~root/.ssh/known_hosts if you
> want it.)
>
> Oh, and DO NOT USE PASSPHRASE-LESS PRIVATE KEYS!
>
> Do the Internet a service and scan your users' home directories for
> passphrase-less private ssh keys. This is as easy as running
>
>   # grep -L ENCRYPTED /home/*/.ssh/id_?sa
>
> Delete all such keys that don't have a good reason for existence.  
> (Yes,
> we do so on all our systems.)

I agree. And to have it still convenient between multiple clusters I  
guide my students to use just one passphrase protected key and an ssh- 
agent in additions. There is nice Howto about it:

http://unixwiz.net/techtips/ssh-agent-forwarding.html

But: even with a passphrase the ssh-key should be protected as much  
as possible. Once someone has the private key, any offline brute- 
force to get the passphrase won't take long I fear. They could just  
try to recreate the public part of the key with: ssh-keygen -y which  
is completely offline, as this will also need the passphrase to be  
entered.

-- Reuti
_______________________________________________
Beowulf mailing list, Beowulf at beowulf.org sponsored by Penguin Computing
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf



More information about the Beowulf mailing list