node accounts
Martin Siegert
siegert at sfu.ca
Tue Sep 12 14:16:22 PDT 2000
Hi all,
On Tue, 12 Sep 2000, Peter Jay Salzman wrote:
> currently, when i change passwords, i have to go through this huge
> rigamarole of creating a local passwd/shadow and rdisting it to all the
> nodes.
>
> needless to say, this is a huge waste of time and more complex than it ought
> to be.
>
> i was thinking of using NIS on the nodes. the NIS HOWTO mentions that using
> NIS with shadow is a big security risk since you lose the security of shadow
> passwords. however, we're not too concerned with security among the nodes
> because the front end acts as a firewall:
>
> /
> --net---- front end ---- nodes
> \
>
> and we've gotten rid of telnetd/ftpd/httpd on the front end, and implemented
> very restrictive tcp wrappers. basically, only a few selected hosts are
> allowed to do anything with the front end. we only use ssh to go in/out to
> the front end.
>
> so here are my questions:
> 1- how do other beowulf admins manage accounts on nodes? do other people
> use NIS? is there an alternative?
> 2- using NIS, can i share other useful files like /etc/group or the lamhosts
> file?
>
> this is on a beowulf on x86 architecture running linux.
Why do you want to run NIS? I believe that this is an unnecessary security
risk. If your nodes are on a private network, then there is a very simple
solution:
Allow logins from the outside world only to the master node (no ip-forwarding).
Then allow rsh without passwords to the internal nodes by listing all nodes
in /etc/hosts.equiv. Put "ALL : ALL" into /etc/hosts.deny on the master
and list the internal nodes in /etc/hosts.allow besides everything else
you want to allow on the master (you definitely don't want to allow rsh
from the outside there; I only allow connections to sshd in hosts.allow
from the outside).
Then everytime you create a new account you rdist /etc/passwd, /etc/shadow,
and /etc/group over the cluster.
Then you "chmod 500 /usr/bin/passwd" on the internal nodes and tell your
users that they can change their password on the master only.
Then there is no need to periodically update /etc/shadow on the internal
nodes everytime somebody changes a user password, since no program is
ever going to look at /etc/shadow on the internal nodes.
This requires that a user who wants to login to an internal node must
login to the master first, but that isn't really a disadvantage because
passwords don't have to be typed again. Furthermore, from a sysadmin's
point of view, this has the huge advantage that you only have to
secure the master node which makes your life quite a bit easier.
Cheers,
Martin
========================================================================
Martin Siegert
Academic Computing Services phone: (604) 291-4691
Simon Fraser University fax: (604) 291-4242
Burnaby, British Columbia email: siegert at sfu.ca
Canada V5A 1S6
========================================================================
More information about the Beowulf
mailing list