node accounts

Chris Greer cgreer1 at midsouth.rr.com
Tue Sep 12 16:40:19 PDT 2000


This problem isn't beowulf specific.  We ran into this with
107 UNIX servers.  The short answers we came up with.

NIS is OK, but you do have an overhead of account lookups which for
some beowulf applications, can cause performance impacts.  
Local password files are better to eliminate this problem.
Also, your nodes won't be at risk of an NIS server failure.  


Using rsync over ssh is a lot better solution for this case.  You
pick one of your nodes and call it the master.  You edit the password
in one place and push it to all the other nodes.  This can also be
slightly modified to have the clients pull the password and shadow
via ssh (using the keys to secure the transaction).

If this is scripted, it's essentially painless (assuming all of your
nodes have the exact smae password and shadow files).

Our situation was a bit more complex since our network isn't a beowulf
or the same platform.  We had to support different OS's (some have
shadow and some don't), and political groups because not everyone
has access to every server.

Below is a basic idea of a script to push /etc/passwd and /etc/shadow
to all host.  This hasn't been tested since I'm writing it in this
email.

You add users locally via adduser or whatever your preference and you
run the script and everyone looks the same.  This assumes you've already
setup ssh with keys which is beyond what I am going into here.

#!/bin/sh
HOST="	node01 \
	node02 \
	node03 \
	node04"
	
for i in $HOST
do
/usr/local/bin/rsync -avz -essh /etc/passwd $i:/etc/passwd
/usr/local/bin/rsync -avz -essh /etc/shadow $i:/etc/shadow
done




Peter Jay Salzman wrote:
> 
> dear beowulf mailing list,
> 
> currently, when i change passwords, i have to go through this huge
> rigamarole of creating a local passwd/shadow and rdisting it to all the
> nodes.
> 
> needless to say, this is a huge waste of time and more complex than it ought
> to be.
> 
> i was thinking of using NIS on the nodes.  the NIS HOWTO mentions that using
> NIS with shadow is a big security risk since you lose the security of shadow
> passwords.  however, we're not too concerned with security among the nodes
> because the front end acts as a firewall:
> 
>                          /
>   --net---- front end ----  nodes
>                          \
> 
> and we've gotten rid of telnetd/ftpd/httpd on the front end, and implemented
> very restrictive tcp wrappers.  basically, only a few selected hosts are
> allowed to do anything with the front end.   we only use ssh to go in/out to
> the front end.
> 
> so here are my questions:
> 1- how do other beowulf admins manage accounts on nodes?   do other people
>    use NIS?  is there an alternative?
> 2- using NIS, can i share other useful files like /etc/group or the lamhosts
>    file?
> 
> this is on a beowulf on x86 architecture running linux.
> 
> thanks!
> pete
> 
> _______________________________________________
> Beowulf mailing list
> Beowulf at beowulf.org
> http://www.beowulf.org/mailman/listinfo/beowulf




More information about the Beowulf mailing list