[Beowulf] Intra-cluster security

Joe Landman landman at scalableinformatics.com
Sun Sep 13 07:06:40 PDT 2009


I started writing a long response to this, decrying security theatre in 
the face of real issues, but thought better of it.  Much shorter version 
with free advice.

Leif Nixon wrote:
> Stuart Barkley <stuartb at 4gh.net> writes:
> 
>> - Kerberos with ssh works fine for interactive users, but doesn't seem
>> to translate well to a queuing environment.  Or am I missing
>> something?
> 
> It's quite possible to use, but you do get a ticket expiry problem.
> 
>> - Each user creates a password-less ssh private key, puts the public
>> key in the authorized_hosts file and has relatively unfettered ssh
>> access between nodes (nfs shared home directory helps a lot).  This
>> seems to be the most common approach.
> 
> Yes, this is common. And a really, really BAD IDEA. Do not do this. Bad,
> bad, BAD.
> 
>> I consider it dangerous to encourage use of password-less ssh keys.
> 
> Yes, very much so. And your users will discover that they can copy that
> passphrase-less private key to their personal workstation and get
> password-less access to the cluster. (Yes, they will.) And then the key
> will get stolen. (Yes, it will.) And then you get
> 
>   http://www.us-cert.gov/current/archive/2008/09/08/archive.html#ssh_key_based_attacks

I won't fisk this, other than to note that most of the exploits we have 
cleaned up for our customers have been Windows-based attack vectors. 
Contrary to the implication here, the ssh-key attack vector, while a 
risk, isn't nearly as dangerous as others in active use out there.

http://www.darknet.org.uk/2008/08/puttyhijack-v10-hijack-sshputty-connections-on-windows/

Real security is security in depth.  It's understanding real risks and 
mitigating them, or making the downside of a compromise as small as 
possible.  Leif had a suggestion further down about careful management 
of keys that is eminently reasonable.  You don't leave your house keys 
under the door mat, if you care about security that is.  The same 
principle applies here.

Fake security, aka security theatre (cf. 
http://en.wikipedia.org/wiki/Security_theater ), is what you get when 
people want to seem like they are doing something, even if the thing 
doesn't help or, worse, gives you a false sense of security.  See every 
anti-virus/anti-phishing package out there for Windows.  If you think 
you are safe because you are running them, you are sadly mistaken.

I'd argue that security theatre is more dangerous than the real threats. 
Threats can be mitigated.  The danger is in using theatrics and 
pronouncements rather than practical measures.

As John Hearns pointed out: hard on the outside, soft on the inside. 
Doesn't help with clouds, though you can do IPsec-to-IPsec bridging of 
virtual private clusters (we do this for our customers).

Assume multiple attack vectors, and that the bad guys and gals are going 
for your weak links.  You need a realistic assessment of what your weak 
links are; they will be exploited.  Most IT managers are fearful of this 
conversation, and many are patently in denial about it.  Regardless, the 
successful attacks we have seen and cleaned up after all came from 
*inside* organizations.  Where they have been thwarted, it has been due 
to other good practices.  Where they have been successful, it has been 
due to very, very bad practices.


-- 
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics, Inc.
email: landman at scalableinformatics.com
web  : http://scalableinformatics.com
        http://scalableinformatics.com/jackrabbit
phone: +1 734 786 8423 x121
fax  : +1 866 888 3112
cell : +1 734 612 4615
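
The thread above turns on two facts: the private key has no passphrase, 
and the public half in authorized_keys accepts it from any address, so a 
copy of the key on a laptop works exactly as well as it does on a node. 
The script below is an added example written for this page, not code 
from the original post or from Leif's suggestion; it audits a shared 
home directory for both conditions and prints a hardened authorized_keys 
in which every entry is pinned with from= to a cluster address range and 
stripped of forwarding.  The 10.1.0.0/16 range and all sample key files 
are constructed for the demo, and the new-format key check assumes GNU 
coreutils base64 is installed.

```shell
#!/bin/sh
# ssh_key_audit.sh: added example for the discussion above, not code from
# the original post. It runs three checks over a (shared) home directory:
#   1. private key files that carry no passphrase
#   2. authorized_keys entries that accept the key from any source address
#   3. a rewrite that pins every entry to the cluster's address range
# The key material and the 10.1.0.0/16 cluster range below are constructed.

# Classify a private key file: prints "unencrypted", "encrypted" or "unknown".
private_key_protection() {
    f="$1"
    case "$(head -n 1 "$f")" in
        '-----BEGIN OPENSSH PRIVATE KEY-----')
            # New-format key: the body decodes to "openssh-key-v1\0" (15 bytes),
            # a 4-byte length, then the cipher name. Bytes 20-23 are the start
            # of that name; "none" means the key has no passphrase.
            cipher=$(sed -n '2p' "$f" | base64 -d 2>/dev/null | head -c 23 | tail -c 4)
            [ "$cipher" = none ] && echo unencrypted || echo encrypted ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----')
            echo encrypted ;;                       # PKCS#8, always encrypted
        '-----BEGIN PRIVATE KEY-----'|'-----BEGIN '*' PRIVATE KEY-----')
            # Legacy PEM (RSA/DSA/EC) or plain PKCS#8: a passphrase shows up
            # as a Proc-Type header.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then echo encrypted
            else echo unencrypted; fi ;;
        *) echo unknown ;;
    esac
}

# Count authorized_keys entries with no from="..." option, listing them on
# stderr. Without from=, a key copied to a laptop works from that laptop.
count_unrestricted_keys() {
    f="$1"; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) ;;                              # blank or comment
            *'from="'*) ;;                           # already source-pinned
            *) n=$((n + 1)); echo "UNRESTRICTED $f: $line" >&2 ;;
        esac
    done < "$f"
    echo "$n"
}

# Print a hardened copy of an authorized_keys file: entries without from=
# get pinned to CIDR; bare key lines also lose agent/port/X11 forwarding.
# Entries that already carry options get from= prepended to that list.
harden_authorized_keys() {
    f="$1"; cidr="$2"
    opts="no-agent-forwarding,no-port-forwarding,no-X11-forwarding"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*|*'from="'*) printf '%s\n' "$line" ;;
            ssh-*|ecdsa-*|sk-*) printf 'from="%s",%s %s\n' "$cidr" "$opts" "$line" ;;
            *) printf 'from="%s",%s\n' "$cidr" "$line" ;;
        esac
    done < "$f"
}

# Constructed sample files (not real keys) for the demo below.
make_samples() {
    d="$1"
    cat > "$d/authorized_keys" <<'EOF'
# keys of one cluster user (constructed sample)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7sample1 user@node01
from="10.1.0.0/16" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7sample2 user@node02
no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIsample3 user@laptop
EOF
    # Only the header bytes of a new-format key with cipher "none" ...
    cat > "$d/id_plain" <<'EOF'
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmU=
-----END OPENSSH PRIVATE KEY-----
EOF
    # ... and of one protected with aes256-ctr/bcrypt.
    cat > "$d/id_enc" <<'EOF'
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0
-----END OPENSSH PRIVATE KEY-----
EOF
    cat > "$d/id_pem_enc" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

c2FtcGxl
-----END RSA PRIVATE KEY-----
EOF
}

demo() {
    d=$(mktemp -d); make_samples "$d"
    for k in id_plain id_enc id_pem_enc; do
        echo "$k: $(private_key_protection "$d/$k")"
    done
    echo "unrestricted entries: $(count_unrestricted_keys "$d/authorized_keys")"
    harden_authorized_keys "$d/authorized_keys" 10.1.0.0/16
    rm -rf "$d"
}
demo
```

Run it as `sh ssh_key_audit.sh`; against real homes, call 
private_key_protection on each ~/.ssh/id_* and count_unrestricted_keys 
on each ~/.ssh/authorized_keys.  Pinning with from= only closes the 
copy-it-to-my-laptop path; it does nothing against a stolen key used 
from an already compromised node, which is the inside-the-cluster case 
the post is really about.  OpenSSH 7.2 and later also have a single 
restrict option that turns off all forwarding and PTY allocation at 
once, but it post-dates this thread, so the explicit no-* options are 
used here.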


