node accounts

Martin Siegert siegert at sfu.ca
Tue Sep 12 14:16:22 PDT 2000


Hi all,

On Tue, 12 Sep 2000, Peter Jay Salzman wrote:

> currently, when i change passwords, i have to go through this huge
> rigamarole of creating a local passwd/shadow and rdisting it to all the
> nodes.
> 
> needless to say, this is a huge waste of time and more complex than it ought
> to be.
> 
> i was thinking of using NIS on the nodes.  the NIS HOWTO mentions that using
> NIS with shadow is a big security risk since you lose the security of shadow
> passwords.  however, we're not too concerned with security among the nodes
> because the front end acts as a firewall:
> 
>                          /
>   --net---- front end ----  nodes
>                          \
> 
> and we've gotten rid of telnetd/ftpd/httpd on the front end, and implemented
> very restrictive tcp wrappers.  basically, only a few selected hosts are
> allowed to do anything with the front end.   we only use ssh to go in/out to
> the front end.
> 
> so here are my questions:
> 1- how do other beowulf admins manage accounts on nodes?   do other people
>    use NIS?  is there an alternative?
> 2- using NIS, can i share other useful files like /etc/group or the lamhosts
>    file?
> 
> this is on a beowulf on x86 architecture running linux.

Why do you want to run NIS? I believe that this is an unnecessary security
risk. If your nodes are on a private network, then there is a very simple
solution:
Allow logins from the outside world only to the master node (no ip-forwarding).
Then allow rsh without passwords to the internal nodes by listing all nodes
in /etc/hosts.equiv. Put "ALL : ALL" into /etc/hosts.deny on the master
and list the internal nodes in /etc/hosts.allow besides everything else
you want to allow on the master (you definitely don't want to allow rsh
from the outside there; I only allow connections to sshd in hosts.allow
from the outside).
Then every time you create a new account you rdist /etc/passwd, /etc/shadow,
and /etc/group over the cluster.
Then you "chmod 500 /usr/bin/passwd" on the internal nodes and tell your
users that they can change their password on the master only. 
Then there is no need to periodically update /etc/shadow on the internal
nodes every time somebody changes a user password, since no program is
ever going to look at /etc/shadow on the internal nodes.
This requires that a user who wants to login to an internal node must
login to the master first, but that isn't really a disadvantage because
passwords don't have to be typed again. Furthermore, from a sysadmin's
point of view, this has the huge advantage that you only have to
secure the master node which makes your life quite a bit easier.

Cheers,
Martin

========================================================================
Martin Siegert
Academic Computing Services                        phone: (604) 291-4691
Simon Fraser University                            fax:   (604) 291-4242
Burnaby, British Columbia                          email: siegert at sfu.ca
Canada  V5A 1S6
========================================================================
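The setup described in the message above, written out as an added example (it is not code from the original post or from the Beowulf project): a POSIX shell script that generates the master's tcp_wrappers files and rdist Distfile, the nodes' hosts.equiv/hosts.allow/hosts.deny, and then audits a node tree for the three things the scheme relies on (default deny, every cluster host in hosts.equiv, /usr/bin/passwd locked to mode 500). The host names `master`, `node1`..`node3` and `admin.example.org`, the staging-directory layout, and the file paths are constructed assumptions; the rdist Distfile uses the classic `HOSTS`/`FILES`/`install` syntax.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the files the
# master-only-login scheme needs, then audits a node's root tree.
# MASTER, NODES and ADMIN_HOSTS are constructed assumptions.

MASTER="master"                     # assumption: master's internal host name
NODES="node1 node2 node3"           # assumption: internal node list
ADMIN_HOSTS="admin.example.org"     # assumption: hosts allowed to ssh to master

# Master: deny everything by default, allow sshd from the admin hosts and
# everything else (rsh/rcp for rdist) only from the internal nodes.
gen_master_etc() {
    d=$1; mkdir -p "$d"
    printf 'ALL : ALL\n' > "$d/hosts.deny"
    {
        printf 'sshd : %s\n' "$ADMIN_HOSTS"
        printf 'ALL : %s\n' "$NODES"
    } > "$d/hosts.allow"
    # rdist Distfile: push the three account files to every node
    {
        printf 'HOSTS = ( %s )\n' "$NODES"
        printf 'FILES = ( /etc/passwd /etc/shadow /etc/group )\n'
        printf '${FILES} -> ${HOSTS}\n\tinstall ;\n'
    } > "$d/Distfile"
}

# Node: passwordless rsh from the master and the other nodes, nothing else.
gen_node_etc() {
    d=$1; mkdir -p "$d"
    for h in $MASTER $NODES; do printf '%s\n' "$h"; done > "$d/hosts.equiv"
    printf 'ALL : ALL\n' > "$d/hosts.deny"
    printf 'ALL : %s %s\n' "$MASTER" "$NODES" > "$d/hosts.allow"
}

# Audit a node's root tree ($1). Returns 0 only if hosts.deny is default-deny,
# every cluster host is in hosts.equiv, and /usr/bin/passwd is mode 500 so
# nobody can change a node-local password behind rdist's back.
audit_node() {
    root=$1; rc=0
    grep -qs '^ALL[[:space:]]*:[[:space:]]*ALL' "$root/etc/hosts.deny" \
        || { echo "$root: hosts.deny lacks ALL : ALL"; rc=1; }
    for h in $MASTER $NODES; do
        grep -qsx "$h" "$root/etc/hosts.equiv" \
            || { echo "$root: hosts.equiv lacks $h"; rc=1; }
    done
    [ -f "$root/usr/bin/passwd" ] && find "$root/usr/bin/passwd" -perm 500 | grep -q . \
        || { echo "$root: /usr/bin/passwd is not mode 500"; rc=1; }
    return $rc
}

# Stand-alone run: stage the files in a scratch directory and show where.
STAGE=$(mktemp -d)
gen_master_etc "$STAGE/master/etc"
gen_node_etc "$STAGE/node/etc"
echo "staged master files in $STAGE/master/etc and node files in $STAGE/node/etc"
```

To use it on a real cluster you would copy the staged `etc` files into place (the master's `Distfile` goes wherever you run `rdist -f` from), run `chmod 500 /usr/bin/passwd` on each node, and then run `audit_node /` on a node to confirm the state before handing the cluster to users.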