[Beowulf] Intra-cluster security
Joe Landman
landman at scalableinformatics.com
Sun Sep 13 07:06:40 PDT 2009
I started writing a long response to this, decrying security theatre in
the face of real issues, but thought better of it. Much shorter version
with free advice.
Leif Nixon wrote:
> Stuart Barkley <stuartb at 4gh.net> writes:
>
>> - Kerberos with ssh works fine for interactive users, but doesn't seem
>> to translate well to a queuing environment. Or am I missing
>> something?
>
> It's quite possible to use, but you do get a ticket expiry problem.
>
>> - Each user creates a password-less ssh private key, puts the public
>> key in the authorized_hosts file and has relatively unfettered ssh
>> access between nodes (nfs shared home directory helps a lot). This
>> seems to be the most common approach.
>
> Yes, this is common. And a really, really BAD IDEA. Do not do this. Bad,
> bad, BAD.
>
>> I consider it dangerous to encourage use of password-less ssh keys.
>
> Yes, very much so. And your users will discover that they can copy that
> passphrase-less private key to their personal workstation and get
> password-less access to the cluster. (Yes, they will.) And then the key
> will get stolen. (Yes, it will.) And then you get
>
> http://www.us-cert.gov/current/archive/2008/09/08/archive.html#ssh_key_based_attacks
I won't fisk this, other than to note that most of the exploits we have
cleaned up for our customers have been Windows-based attack vectors.
Contrary to the implication here, the ssh-key attack vector, while a
risk, isn't nearly as dangerous as others in active use out there.
http://www.darknet.org.uk/2008/08/puttyhijack-v10-hijack-sshputty-connections-on-windows/
Real security is security in depth. It's understanding real risks, and
mitigating the same, or making the downside of the compromise as small
as possible. Leif had a suggestion further down about careful
management of keys that is eminently reasonable. You don't leave your
house keys under the door mat, if you care about security that is. The same
principle applies here.
Fake security, aka security theatre (cf.
http://en.wikipedia.org/wiki/Security_theater ), is what you get when
people want to seem like they are doing something, even if the thing
doesn't help, or worse, gives you a false sense of security. See every
anti-virus/anti-phishing package out there for Windows. If you think
you are safe because you are running them, you are sadly mistaken.
I'd argue that security theatre is more dangerous than the real threats.
Threats can be mitigated. The danger is in using theatrics and
pronouncements rather than practical measures.
As John Hearns pointed out, hard on the outside, soft on the inside.
Doesn't help with clouds, though you can do IPsec to IPsec bridging of
virtual private clusters (we do this for our customers).
Assume multiple attack vectors, and that the bad guys and gals are going
for your weak links. You need a realistic assessment of what your weak
links are; they will be exploited. Most IT managers are fearful of this
conversation; many are patently in denial about it. Regardless, the
successful attacks we have seen and cleaned up after all came from
*inside* organizations. Where they have been thwarted, it has been due to
other good practices. Where they have been successful, they have had
success due to very, very bad practices.
--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics, Inc.
email: landman at scalableinformatics.com
web : http://scalableinformatics.com
http://scalableinformatics.com/jackrabbit
phone: +1 734 786 8423 x121
fax : +1 866 888 3112
cell : +1 734 612 4615
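The passphrase-less key problem Stuart and Leif describe above (a private key with no passphrase, trusted by an unrestricted authorized_keys entry, copied off the cluster and stolen) is something an admin can audit for. The following check is an added example, not code from this thread or from Scalable Informatics; all key material and host patterns in it are constructed placeholders. It flags authorized_keys entries that carry no `from=` source restriction (so the key keeps working from any host it lands on) and detects private keys stored without a passphrase in both the OpenSSH and legacy PEM on-disk formats.

```python
import base64, struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

def split_options(line):
    # Options end at the first whitespace outside double quotes, so
    # from="10.0.0.*,10.0.1.*" and command="rsync --server" stay intact.
    if line.startswith(KEY_TYPES):
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""

def unrestricted_keys(authorized_keys_text):
    # Keys with no from= restriction keep working wherever the private half is copied.
    flagged = []
    for raw in authorized_keys_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = split_options(line)
        if "from=" not in options:
            flagged.append((rest.split(None, 2) + ["<no comment>"])[2])
    return flagged

def private_key_is_encrypted(key_text):
    # OpenSSH format: 15-byte magic "openssh-key-v1\0", then a length-prefixed
    # cipher name; "none" means no passphrase. Legacy PEM keys with a passphrase
    # carry a "Proc-Type: 4,ENCRYPTED" header line instead.
    lines = key_text.strip().splitlines()
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        (n,) = struct.unpack(">I", blob[15:19])
        return blob[19:19 + n] != b"none"
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)

def fake_openssh_key(cipher):
    # Constructed, truncated OpenSSH key (magic + cipher name only) for testing the check.
    body = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(body).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed sample authorized_keys; the key blobs are placeholder text, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0placeholder alice@node01
from="10.0.0.*,10.0.1.*" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1placeholder bob@node01
from="10.0.0.*",no-port-forwarding,command="/usr/bin/rsync --server" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholder carol@backup
"""
```

Run against each user's `~/.ssh/authorized_keys` and private key files on a shared home directory, the output is the list of keys that would survive being copied to a workstation (here only alice's), which is exactly the population a key-management policy has to shrink.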