[Beowulf] passwordless "rsh" login

Andrew M.A. Cater amacater at galactic.demon.co.uk
Sat Jul 10 01:49:07 PDT 2004


On Fri, Jul 09, 2004 at 01:43:51PM -0400, Robert G. Brown wrote:
> On Thu, 8 Jul 2004, Daniel Pfenniger wrote:
> > 
> > Andrew M.A. Cater wrote:
> > > _Don't_ use rsh :) Use ssh with key exchange and passwordless login.

rgb has probably said it better than I can :)
> > What is wrong with rsh, what is much better with ssh?
> > A few words explanation would help.
> 
> 
>  a) no security (as in "bleeding wound" in an open network)
Not such a problem if you _really are_ a secure network: really secure
networks ban rsh/rlogin completely :)
>  b) no environment passing
>  c) no tunnelling/port forwarding
>  d) no intrinsic X11 support
These three are the kickers - passing the environment is good, being
able to pass X when needed and not have to worry about setting displays
etc. is even better. Being able to see your head node display when you're 
sat in front of a faulty node is potentially good :)
> 
> Things good about ssh:
> 
>  a) strong security
>  e) strong host authentication
>  f) strong personal authentication
It makes a difference: set up keys ONCE, you may get a prompt saying
effectively "You've not connected here before, do you trust me" the
first time you connect to a node but thereafter you're in practically
forever. 
> > On the other hand ssh may slow communications for particular usages
> > (such as a constant stream of console messages through the network).
> 
> In most cases your intrinsic limitation is going to be the speed of a
> pseudo tty interface, not ssh.  Simply writing to an xterm/console
> window is slow -- almost certainly MUCH slower than the speed with which
> ssh can encrypt/decrypt data.
ACK
> 
> Of course for real parallel operations, one doesn't use ssh (or any
> shell) to do real internode communications -- at most it is for out of
> band control operations like starting up pvm or mpi itself on remote
> nodes.  Or one writes a nice raw socket interface, or whatever.  ssh is
> fine for typical remote/interactive use on a cluster.
ACK
> 
> > ssh is particularly recommended on an untrusted network, but then
> > I would like once to see an *easy* procedure for installing ssh safely
> > by the sys admin passwordless login for all the network trusted users.
> 
> I don't think that this would be terribly difficult, although easy is a
> matter of personal perspective.  Look into ssh-agent(1) and ssh-add(1).
> I've never used them, but this looks like what they might be for.
> 
ssh-copy-id does this nicely on a Debian system. It's only a script as 
far as I can see.

Andy
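
The node-side work that a key-copy script like the ssh-copy-id mentioned above has to do, shown as an added example that is not part of the original message and is not the ssh-copy-id source. The function name `install_pubkey`, the accepted key types and the sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, not the ssh-copy-id source).
# install_pubkey is a hypothetical helper: install_pubkey PUBKEY_FILE TARGET_HOME
# It adds one public key to TARGET_HOME/.ssh/authorized_keys, once, with the
# owner-only modes that sshd's StrictModes check expects.
install_pubkey() {
    pubkey_file=$1
    target_home=$2

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }
    # A private key handed over by mistake must never be copied to a node.
    if grep -q 'PRIVATE KEY' "$pubkey_file"; then
        echo "refusing: $pubkey_file looks like a private key" >&2
        return 2
    fi
    # Accept a single "type base64 [comment]" line (the type list is a choice).
    key_line=$(grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+( .*)?$' "$pubkey_file" | head -n 1)
    [ -n "$key_line" ] || { echo "no public key in $pubkey_file" >&2; return 3; }

    ssh_dir=$target_home/.ssh
    auth_file=$ssh_dir/authorized_keys
    # Create under a tight umask so nothing is group/world readable even briefly.
    ( umask 077; mkdir -p "$ssh_dir" && touch "$auth_file" ) || return 4
    chmod 700 "$ssh_dir" && chmod 600 "$auth_file" || return 4

    # If the file's last line has no newline, add one so keys do not run together.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        echo >> "$auth_file"
    fi

    # Idempotent: match on key type + key material, ignoring the comment field.
    key_id=$(printf '%s\n' "$key_line" | cut -d' ' -f1,2)
    if grep -qF -- "$key_id" "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# Run directly as: sh install_pubkey.sh ~/.ssh/id_ed25519.pub /home/user
if [ "$#" -eq 2 ]; then
    install_pubkey "$1" "$2"
fi
```

On a cluster with a shared home directory this needs to run only once per user; otherwise it runs once per node.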


