[Beowulf] CLuster - Mpich - tstmachines - Heeelp !!!!!!!!

Robert G. Brown rgb at phy.duke.edu
Sat Jul 29 21:23:34 PDT 2006


On Fri, 28 Jul 2006, Leif Nixon wrote:

> Geoff Jacobs <gdjacobs at gmail.com> writes:
>
>> hahn at physics.mcmaster.ca wrote:
>>> right - I don't have a problem with rsh as an internal cluster spawn
>>> method.
>>> though since you almost certainly also have sshd running, it makes sense
>>> to have fewer daemons.
>> It's okay for a small cluster where you have really good control over
>> the users.
>
> Now, THAT'S a very dangerous mindset. Even if you can be 100% sure
> there are no bad apples among your users, every single HPC related

...and you can't.  Or at least if you are sure, eventually you'll be
sure -- and wrong.  I'm personally familiar with several cases of trust
abused, and a couple more where a user turned out to be mentally ill
(seriously).  As in not responsible for their actions, and off the deep
end paranoid about what others might be saying about them.

Times like that, you'll be very glad that you have sshd running, strong
passwords that aren't posted on a bulletin board in the server room in
plain sight, and have exercised what I'd call purely "professional good
judgement" in the way the system was configured to protect the rights
and privacy of all users.

ssh is totally unobtrusive (compared to rsh), adds useful features
missing from rsh, adds an irrelevant bit of overhead (irrelevant for
nearly all applications, at any rate) and closes just about all possible
plaintext snooping, id thieving loopholes that were exploited for years
with rsh.  Running it inside a scyld-type beowulf, where the cluster has
no private data, where the cluster is "a computer", where you cannot
login to a node with or without rsh, maybe that's ok.  Running it where
there is any chance that abuse could result in compromising a user's
account, well, it is your job to make that impossible.  Period.  If you
don't, it will be your fault, not just your responsibility, when it
sooner or later happens.

> intrusion I'm aware of the last couple of years has started off by
> stealing passwords or keys and masquerading as legitimate users.

Not just the last couple of years.  Try the last couple of decades.  Or
maybe even three (how old IS unix, anyway)?

      rgb


-- 
Robert G. Brown	                       http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525     email:rgb at phy.duke.edu




