[Beowulf] CLuster - Mpich - tstmachines - Heeelp !!!!!!!!
Geoff Jacobs
gdjacobs at gmail.com
Tue Jul 18 22:56:23 PDT 2006
hahn at physics.mcmaster.ca wrote:
>> unless you really want to run programs as root, I wouldn't recommend
>> to allow root login at all with ssh. Better is to have to login as a
>> user first, and then su to root.
>
> I disagree with this, actually. first, "su root" is almost always the
> worst thing to do, since it requires that you have an easy-to-type
> password for root, and that you quite possibly type it frequently.
> using an SSH identity for logging in directly as root is surely more
> secure. that's my preferred technique - I run ssh-agent
> so almost never type any password.
Using passworded ssh key authentication is, I believe, the most secure
remote login setup. Secure enough that I expect one could reduce the
length of the password to something reasonable (but still not brute
forcible).
> but even if you don't like that, surely sudo is better than "su root",
> though it does mean the onus of difficulty falls to your password.
> (and for multiple admins, it means that root effectively has a password
> hardness N times lower than the admin user passwords...)
> the logging performed by sudo is, IMO, of marginal value - it means that
> someone spends time reading it, and while it's an OK audit trail
> for figuring out what happened, it's of no value forensically
> (since any serious attacker will compromise syslog.)
The usage schema of sudo is inherently safer -- increase privilege for
one task only, then go back to SOP. Control is also more granular, so it
is more secure.
>> If you use rsh, you also don't need any passwordless ssh login. After
>> putting all the nodes in all /etc/hosts.equiv the rsh should allow
>> already a passwordless login to the nodes. With setting P4_RSHCOMMAND,
>> it will target compiled programs.
>
> right - I don't have a problem with rsh as an internal cluster spawn
> method.
> though since you almost certainly also have sshd running, it makes sense
> to have fewer daemons.
It's okay for a small cluster where you have really good control over
the users. I don't think there's a point to it anymore, though. No real
performance advantage, and it's not any more simple to configure.
http://www.beowulf.org/archive/2004-November/011247.html
> regards, mark hahn.
> _______________________________________________
> Beowulf mailing list, Beowulf at beowulf.org
> To change your subscription (digest mode or unsubscribe) visit
> http://www.beowulf.org/mailman/listinfo/beowulf
>
--
Geoffrey D. Jacobs
Go to the Chinese Restaurant,
Order the Special
More information about the Beowulf
mailing list