[Beowulf] SSH without login in nodes

Kilian CAVALOTTI kilian at stanford.edu
Sat May 5 09:24:37 PDT 2007

On Friday 04 May 2007 21:42:58 Chris Samuel wrote:
> We use a very ugly hack (this was already in place when I arrived) which
> has been very effective over the past few years at doing that and
> doesn't prevent people using SSH based MPI launchers (though we don't
> recommend them being used).
> Basically it's just the following in /etc/profile on our compute nodes.
> if echo $HOSTNAME | egrep -q '^node' ; then
>    if [ ! $PBS_ENVIRONMENT ];
>        then if [ $USER != "root" ];
>            then if [ "$GROUP" != "systems" ];
>                   then exit;
>            fi;
>        fi;
>    fi;
> fi;
> How's that ?

Not that ugly, actually. But what if users do a 
ssh node -t "bash --noprofile"? ;)

To handle of SSH based MPI launchers, we've disabled user logins from our 
frontend node to the compute nodes, but allowed them between compute 
nodes. So that the scheduler takes care of dispatching the initial process 
on a first node (no SSH involved), and then SSH connections can be used to 
dispatch the MPI daemons on the other nodes, from the initial one.


More information about the Beowulf mailing list