[Beowulf] Newbie

Leif Nixon nixon at nsc.liu.se
Thu Jan 5 07:33:35 PST 2006


"Robert G. Brown" <rgb at phy.duke.edu> writes:

> I agree heartily.  In fact, I almost wrote to say so, but I'm being
> discrete these days.

Hah.

> However, if any account is compromised by any means whatsoever, you're
> equally screwed regardless of how you authenticate at the shell level.

Kerberos-style security can give you a certain level of extra
protection, depending on the circumstances, so there *are* different
shades of screwedness.

In general, you need to think long and hard about the trust domains
within a cluster. Adopting the view "This cluster is a single big
machine. We don't need no steeking internal security barriers" is a
bad idea; you want to contain intrusions as much as possible. Limit
the ways root can ssh within the cluster, export your filesystems
ro/nosuid as far as possible, disable user login on all machines they
don't need to login on...

-- 
Leif Nixon                       -            Systems expert
------------------------------------------------------------
National Supercomputer Centre    -      Linkoping University
------------------------------------------------------------



More information about the Beowulf mailing list