node accounts
Martin Siegert siegert at sfu.ca
Tue Sep 12 14:16:22 PDT 2000
Hi all,

On Tue, 12 Sep 2000, Peter Jay Salzman wrote:

> Currently, when I change passwords, I have to go through this huge
> rigamarole of creating a local passwd/shadow and rdisting it to all the
> nodes.
>
> Needless to say, this is a huge waste of time and more complex than it ought
> to be.
>
> I was thinking of using NIS on the nodes. The NIS HOWTO mentions that using
> NIS with shadow is a big security risk since you lose the security of shadow
> passwords. However, we're not too concerned with security among the nodes
> because the front end acts as a firewall:
>
>                           /
> --net---- front end ---- nodes
>                           \
>
> and we've gotten rid of telnetd/ftpd/httpd on the front end, and implemented
> very restrictive tcp wrappers. Basically, only a few selected hosts are
> allowed to do anything with the front end. We only use ssh to go in/out to
> the front end.
>
> So here are my questions:
> 1- How do other beowulf admins manage accounts on nodes? Do other people
>    use NIS? Is there an alternative?
> 2- Using NIS, can I share other useful files like /etc/group or the lamhosts
>    file?
>
> This is on a beowulf on x86 architecture running linux.

Why do you want to run NIS? I believe that this is an unnecessary security
risk. If your nodes are on a private network, then there is a very simple
solution:

Allow logins from the outside world only to the master node (no
ip-forwarding). Then allow rsh without passwords to the internal nodes by
listing all nodes in /etc/hosts.equiv. Put "ALL : ALL" into /etc/hosts.deny
on the master and list the internal nodes in /etc/hosts.allow besides
everything else you want to allow on the master (you definitely don't want
to allow rsh from the outside there; I only allow connections to sshd in
hosts.allow from the outside). Then every time you create a new account you
rdist /etc/passwd, /etc/shadow, and /etc/group over the cluster.

Then you "chmod 500 /usr/bin/passwd" on the internal nodes and tell your
users that they can change their password on the master only. Then there is
no need to periodically update /etc/shadow on the internal nodes every time
somebody changes a user password, since no program is ever going to look at
/etc/shadow on the internal nodes.

This requires that a user who wants to login to an internal node must login
to the master first, but that isn't really a disadvantage because passwords
don't have to be typed again. Furthermore, from a sysadmin's point of view,
this has the huge advantage that you only have to secure the master node
which makes your life quite a bit easier.

Cheers,
Martin

========================================================================
Martin Siegert
Academic Computing Services                        phone: (604) 291-4691
Simon Fraser University                            fax:   (604) 291-4242
Burnaby, British Columbia                          email: siegert at sfu.ca
Canada  V5A 1S6
========================================================================
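The setup Martin describes, as an added example that is not part of the original post: a POSIX shell script that stages the master node's tcp_wrappers files (default-deny hosts.deny, hosts.allow granting the internal nodes everything and the outside world sshd only), the cluster-wide hosts.equiv, and an rdist Distfile for pushing /etc/passwd, /etc/shadow and /etc/group to the nodes. The node names, the outside admin host, the staging directory layout and the two small checker functions are assumptions for illustration; the script only writes into the staging directory and never touches /etc.

```shell
#!/bin/sh
# Added example, not from the original post: stage the access-control files
# for the "secure the master only" scheme. Everything is written under a
# staging directory so it can be inspected before being copied to /etc.
# NODES, ADMIN_HOST and the directory layout are assumptions for illustration.

# Constructed inputs: the compute nodes and the one outside host allowed
# to reach sshd on the master.
NODES="node1 node2 node3 node4"
ADMIN_HOST="admin.example.org"

# Stage every file under $1: master-only files in $1/master, files that are
# identical on every cluster host in $1/all, the rdist Distfile in $1.
gen_cluster_access_files() {
    stage="$1"
    mkdir -p "$stage/master" "$stage/all" || return 1
    node_list=$(echo $NODES | tr ' ' ',')

    # Master: tcp_wrappers default-deny; the internal nodes may use any
    # wrapped service (rsh included), the outside world reaches sshd only.
    printf 'ALL : ALL\n' > "$stage/master/hosts.deny"
    {
        printf '# internal nodes: every wrapped service\n'
        printf 'ALL : %s\n' "$node_list"
        printf '# outside: sshd only, never rsh\n'
        printf 'sshd : %s\n' "$ADMIN_HOST"
    } > "$stage/master/hosts.allow"

    # Every cluster host: password-less rsh from any other cluster host.
    # hosts.equiv is never honoured for root, so root still needs ~/.rhosts.
    {
        printf 'master\n'
        for n in $NODES; do printf '%s\n' "$n"; done
    } > "$stage/all/hosts.equiv"

    # rdist Distfile, run on the master after each account change with
    #   rdist -f Distfile
    # The one-time "chmod 500 /usr/bin/passwd" on each node is done by hand
    # (or over rsh) and is deliberately not part of the Distfile.
    {
        printf 'HOSTS = ( %s )\n' "$NODES"
        printf 'FILES = ( /etc/passwd /etc/shadow /etc/group )\n'
        printf '${FILES} -> ${HOSTS}\n'
        printf '\tinstall ;\n'
    } > "$stage/Distfile"
}

# Does the staged hosts.equiv trust host $2? (exit status only)
cluster_trusts() { grep -qx "$2" "$1/all/hosts.equiv"; }

# Is service $2 on the master reachable from host $3 according to the staged
# hosts.allow? Only the two rule shapes this script writes are understood:
# "ALL : comma,separated,hosts" and "service : host".
master_allows() {
    grep -qE "^(ALL|$2) : ([^,]+,)*$3(,|\$)" "$1/master/hosts.allow"
}
```

Two properties of the scheme are worth keeping in mind when reviewing the staged files: the trust in hosts.equiv is symmetric, so a compromised compute node can rsh as any non-root user to every other host in the list, the master included; and rdist over rsh carries /etc/shadow in the clear, so the whole design rests on the nodes' network really being private and unreachable from outside the master.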