[Beowulf] Intra-cluster security

Reuti reuti at Staff.Uni-Marburg.DE
Sun Sep 13 08:03:37 PDT 2009

Am 13.09.2009 um 12:31 schrieb Leif Nixon:

> <snip>
> This is the way to go. All our systems are set up this way. Works just
> fine. You just need a mechanism for maintaining host keys and
> ssh_known_hosts. (And remember that this doesn't work for root - you
> need separately set up ~root/.shosts and ~root/.ssh/known_hosts if you
> want it.)
> Do the Internet a service and scan your users' home directories for
> passphrase-less private ssh keys. This is as easy as running
>   # grep -L ENCRYPTED /home/*/.ssh/id_?sa
> Delete all such keys that don't have a good reason for existence.  
> (Yes,
> we do so on all our systems.)

I agree. And to have it still convenient between multiple clusters I  
guide my students to use just one passphrase protected key and an ssh- 
agent in additions. There is nice Howto about it:


But: even with a passphrase the ssh-key should be protected as much  
as possible. Once someone has the private key, any offline brute- 
force to get the passphrase won't take long I fear. They could just  
try to recreate the public part of the key with: ssh-keygen -y which  
is completely offline, as this will also need the passphrase to be  

-- Reuti

More information about the Beowulf mailing list