[Beowulf] Blue-sky cluster security [was CLuster - Mpich - tstmachines - Heeelp !!!!!!!!]

[Gerald Davies]

On 7/30/06, Mark Hahn <hahn at physics.mcmaster.ca> wrote:
>
> but if you don't use the sort of trust-delegation stuff, what's the point?
> I'm pretty happy with ssh, which is secure, and requires no configuration.
>

To get a certificate I have to give a passport and other details.  If
anything happens they not only have my details but the certificate can
be revoked and it will prevent me from gaining access to the other
institutions for which I have access.  This seems easier than everyone
running around locking down user accounts after a problem.

>
> hmm, I find that users can most often have the same username everywhere,
> and identity+agent-based ssh means never needing passwords.
>

That's not true for everyone though and certainly not true for
projects than i'm involved in.  I totally agree with the previous
post.  It's a lot easier to manage.  Okay, there's a bit more involved
than reconfiguring ssh...

I would have thought the problems wrt to security are dependent on the
cluster architecture.  I appreciate this is obvious and sounds simple.
 I know that on certain clusters i've seen that if someone gained root
on a head node, regardless of whether or not they could gain access to
other nodes, it would be pretty much game over for the entire cluster.
 In some respects I kind of agreed about the rsh comment in a previous
post, but then it depends on your setup.

-- 
Gerald Davies
---------------------------------------------
w: http://www.geralddavies.com