[Beowulf] Passwordless ssh - strange problem
hahn at mcmaster.ca
Sat Sep 15 11:08:34 PDT 2007
> I haven't had to do this before. Can you explain a bit more (I'm
> reading the man page now).
ssh-agent is a very nice way to use ssh very securely. "very securely"
here means that you use a pubkey with a passphrase. but instead of
having to re-type the passphrase every time the pk is used, ssh-agent
acts as a proxy to do it for you. this is a form of two-factor
the alternative is a passphrase-less pk, which is then exactly
analogous to a physical key, and is one-factor. if someone gets
a copy of your private key, they 0wn your accounts.
in the context of a cluster, passphraseless pk seems to be fairly
commonly used to permit no-password logins among nodes. oscar,
iirc, goes so far as to screw with your .authorized_keys file to
make this work.
if you want passphraseless login among a set of machines, IMO it's
much more sensible to just use the hostbased mode of ssh. basically,
hosts always mutually authenticate themselves (that's what the
known_hosts stuff is all about), so you just add trusted hosts to
/etc/ssh/shosts.equiv. (hostbased is not normally a default config,
since it's inappropriate in normal server farms, but is not hard to
- fill in /etc/ssh/ssh_known_hosts (perhaps via ssh-keyscan).
- list trusted hosts in shosts.equiv.
- add "HostbasedAuthentication yes" to /etc/ssh/sshd_config
and ssh_config, and "EnableSSHKeysign yes" to sshd_config.
I think hostbased ssh is very appropriate within a cluster or perhaps
even within any single domain of administrative control. I strongly
recommend users use ssh-agent and passphrase-protected pk to login, though.
regards, mark hahn.
More information about the Beowulf