[Beowulf] Cluster - Mpich - tstmachines - Heeelp !!!!!!!!

hahn at physics.mcmaster.ca
Tue Jul 18 19:09:45 PDT 2006


> unless you really want to run programs as root, I wouldn't recommend allowing 
> root login at all with ssh. Better is to have to login as a user first, and 
> then su to root.

I disagree with this, actually.  first, "su root" is almost always 
the worst thing to do, since it requires that you have an easy-to-type
password for root, and that you quite possibly type it frequently.
using an SSH identity for logging in directly as root is surely 
more secure.  that's my preferred technique - I run ssh-agent
so I almost never type any password.

but even if you don't like that, surely sudo is better than "su root",
though it does mean the onus of difficulty falls to your password.
(and for multiple admins, it means that root effectively has a 
password hardness N times lower than the admin user passwords...)
the logging performed by sudo is, IMO, of marginal value - it means 
that someone spends time reading it, and while it's an OK audit trail
for figuring out what happened, it's of no value forensically
(since any serious attacker will compromise syslog.)

> If you use rsh, you also don't need any passwordless ssh login. After putting 
> all the nodes in every /etc/hosts.equiv, rsh should already allow 
> passwordless login to the nodes. With P4_RSHCOMMAND set, it will target 
> compiled programs.

right - I don't have a problem with rsh as an internal cluster spawn method.
though since you almost certainly also have sshd running, it makes sense to 
have fewer daemons.

regards, mark hahn.
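As an added example (it is not part of this thread and not any project's own code), here is a small POSIX shell audit of an sshd_config for the policy argued for above: root may log in over ssh, but only with an SSH identity, never with a password. It reads the first occurrence of each keyword the way sshd does, stops at any Match block, and assumes PermitRootLogin yes and PasswordAuthentication yes when those options are absent (the OpenSSH defaults of that era; 7.0 and later default PermitRootLogin to prohibit-password). The sample configs, the temporary path and the function names are this example's own constructions.

```shell
#!/bin/sh
# Added example, not part of the original thread: audit an sshd_config for
# the root-login policy discussed above (root may log in over ssh, but only
# with an SSH identity, never with a password).
#
# Assumptions, labelled here and in the lead-in:
#   - keyword and value are whitespace-separated, as in the usual sshd_config;
#   - sshd honours the FIRST occurrence of a keyword, so that is what we read;
#   - lines at or below a "Match" block are ignored (conditional settings);
#   - absent options take the assumed defaults PermitRootLogin yes (the
#     OpenSSH default of the 2006 era; 7.0+ defaults to prohibit-password)
#     and PasswordAuthentication yes.

# get_option FILE KEYWORD: print the first effective value, lower-cased
# (keywords are case-insensitive); print nothing if the option is unset.
get_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/    { next }                     # comments, blank lines
        tolower($1) == "match"      { exit }                     # stop at conditional blocks
        tolower($1) == key          { print tolower($2); exit }  # first occurrence wins
    ' "$1"
}

# check_root_login FILE: print a verdict and return
#   0  root login is key-only
#   1  root can log in with a password (the setting to avoid)
#   2  root login disabled entirely
check_root_login() {
    cfg="$1"
    prl="$(get_option "$cfg" PermitRootLogin)"
    pwa="$(get_option "$cfg" PasswordAuthentication)"
    : "${prl:=yes}"   # assumed default, see above
    : "${pwa:=yes}"   # assumed default, see above
    case "$prl" in
        no)
            echo "$cfg: root login disabled"; return 2 ;;
        without-password|prohibit-password|forced-commands-only)
            echo "$cfg: root login key-only (PermitRootLogin $prl)"; return 0 ;;
        yes)
            if [ "$pwa" = "no" ]; then
                echo "$cfg: root login key-only (PasswordAuthentication no)"; return 0
            fi
            echo "$cfg: root login permitted WITH password"; return 1 ;;
        *)
            echo "$cfg: unrecognised PermitRootLogin value '$prl'"; return 1 ;;
    esac
}

# Constructed sample configs (not copied from any real host) so the check
# runs offline; they are removed when the script exits.
TMP="${TMPDIR:-/tmp}/sshd_audit.$$"
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/weak" <<'EOF'
# root login with a password
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$TMP/keyonly" <<'EOF'
# root may log in, but only with an SSH identity
PermitRootLogin without-password
PasswordAuthentication no
EOF

cat > "$TMP/disabled" <<'EOF'
PermitRootLogin no
# a later duplicate is ignored: sshd keeps the first value
PermitRootLogin yes
EOF

for f in "$TMP/weak" "$TMP/keyonly" "$TMP/disabled"; do
    check_root_login "$f" || true
done
```

The check looks only at PasswordAuthentication; keyboard-interactive authentication (ChallengeResponseAuthentication with PAM) can also carry a password, so a "key-only" verdict that rests on PasswordAuthentication no alone should be confirmed against that option as well.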


