[Beowulf] Newbie

Leif Nixon nixon at nsc.liu.se
Thu Jan 5 10:49:41 PST 2006

Dan Stromberg <strombrg at dcs.nac.uci.edu> writes:

> Are those host keys used in any way to verify which user is making the
> request though?

You use it to verify the identity of the remote host, and to verify
that the access is made by a process with root privileges on the
remote host. (The ssh client is either installed suid root, or uses a
small suid helper program, the name of which escapes me at the moment,
to access the private host key.) Since you have decided to trust the
host, that's enough.

>> I'm not following you here either. Whether you choose the "give all
>> users passphrase-less keys" route or the host-based auth route, you're
>> *equally* screwed if a bad guy gets root. He can su to any user and
>> ssh away to his delight. (Given a standard NFS setup.)
> It's not a choice between "all users have passphraseless keys" and "host
> based auth".

Well, the discussion started out with those alternatives.

> It's a choice between "some users have passphraseless keys", "some users
> have keys with passphrases with an ssh-agent", "some users have keys
> with passphrases without an ssh-agent", and "some users rely on host
> based auth".

Users can't choose to rely on host based auth; that's a server admin
decision. Apart from that, you often can't use passphrase protected
keys in a cluster environment; for example, take parallel Gaussian
jobs. The user submits a job to the batch queue. At some point in
time, the job will start on one of the nodes allocated to the job.
This master process will use a small utility program to ssh to the
other allocated nodes and start computation processes on them. The
user isn't around to type any passphrases at this point, and you don't
have a channel to his ssh agent either. You're kind of stuck with
either passphraseless keys (bad!) or host based auth.

> I'm guessing that in the scenarios that use user-specific keys, the host
> key will also be checked.

Only in the usual way, i.e. the client checks the *server's* host key
against its known_hosts file. As far as I know.

Leif Nixon                       -            Systems expert
National Supercomputer Centre    -      Linkoping University
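
A minimal host-based authentication setup of the kind discussed in this message, as an added example that is not part of the original post. It assumes OpenSSH with its default file locations; the host names and key placeholders are constructed, and ssh-keysign is OpenSSH's setuid helper for signing with the private host key.

```conf
# --- Every compute node (server side): /etc/ssh/sshd_config ---
# Host-based auth is switched on by the admin here; users cannot opt in.
HostbasedAuthentication yes
# Ignore per-user ~/.rhosts and ~/.shosts so that only the system-wide,
# admin-owned files decide which client hosts are trusted.
IgnoreRhosts yes

# --- Every compute node: /etc/ssh/shosts.equiv ---
# One trusted client host per line (constructed names).
node01.cluster.example
node02.cluster.example

# --- Every compute node: /etc/ssh/ssh_known_hosts ---
# Public host key of each trusted client; the signature made with the
# client's private host key is verified against this entry.
node01.cluster.example ssh-ed25519 <PUBLIC-HOST-KEY-OF-node01>
node02.cluster.example ssh-ed25519 <PUBLIC-HOST-KEY-OF-node02>

# --- Every node that starts jobs (client side): /etc/ssh/ssh_config ---
# Must be in the global file, outside any Host block: lets the ssh client
# call the setuid ssh-keysign helper to sign with the private host key.
EnableSSHKeysign yes
Host *.cluster.example
    HostbasedAuthentication yes
```

With this layout no user needs a passphraseless key for batch jobs; the trust boundary is root on each host listed in shosts.equiv.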
