[Beowulf] Authentication within beowulf clusters.
Robert G. Brown
rgb at phy.duke.edu
Sat Jan 31 10:25:58 EST 2004
On Fri, 30 Jan 2004, Daniel Widyono wrote:
> We have one form of authentication (based on University standards) to login
> to the head node.
> We use our own system for authenticating within the internal network (which
> is only used by the cluster). We distribute /etc/passwd for account
> information via cron (and via useradd and userdel wrappers). We update an
> authentication token on each node as it becomes assigned to a user by the
> scheduling system. Ssh checks this authentication token (via PAM module)
> before executing on a node, and Bproc uses an ownership database on the
> server side.
> > My question is this, how does everyone handle authentication?
> > Do you run standalone ldap or nis services on the master/management node
> > of their beowulf clusters?
NIS works fine for many purposes as well, but be warned -- in certain
configurations and for certain tasks it becomes a very high overhead
protocol. In particular, it adds an NIS hit to every file stat, for
example, so that it can check groups and permissions. I think it was
Greg who pointed out many moons ago that there are was around this
(IIRC, making every node an NIS slave so that the hit is local?). NIS
also at one point in time was a bleeding wound as far as security is
concerned. How fondly I remember reaching out across campus and grabbing
the encrypted passwd's of whole departments with a simple userspace tool
to feed into crack and grab the passwords of the five silly beanies who
used something like "password" for their password. Or using tftp to
accomplish the same thing on systems configured out of the box to
(Shame on you! I wasn't really cracking, I was a white hat checking the
nets in question with permission...:-)
Even though they've largely fixed it, I believe NIS remains susceptible
to a vast range of attacks -- snooping (sending stuff in cleartext where
it can be read by anyone on a shared line), spoofing (a host is known by
IP number only) and more. So I'd strongly urge using it only inside a
firewall on a trusted LAN space. I suspect LDAP has the same issues,
but we've never used it so I'm not certain. Kerberos is a lot better
for this sort of thing, especially if the cluster you're talking about
is a "public cluster" to be accessed from a WAN or a large LAN with
multiple internal LAN boundaries (e.g. department LANs) of varying
degrees of trust and quality of administration.
It's also fairly straightforward to use e.g. rsync to keep passwd,
groups, shadow in sync across a cluster, but one does have the problem
of propagating a passwd change, which NIS manages for you transparently.
Robert G. Brown http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567 Fax: 919-660-2525 email:rgb at phy.duke.edu
Beowulf mailing list, Beowulf at beowulf.org
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf
More information about the Beowulf