[Beowulf] Intra-cluster security


Reuti reuti at Staff.Uni-Marburg.DE
Sun Sep 13 08:03:37 PDT 2009


Am 13.09.2009 um 12:31 schrieb Leif Nixon:

> <snip>
> This is the way to go. All our systems are set up this way. Works just
> fine. You just need a mechanism for maintaining host keys and
> ssh_known_hosts. (And remember that this doesn't work for root - you
> need separately set up ~root/.shosts and ~root/.ssh/known_hosts if you
> want it.)
>
> Oh, and DO NOT USE PASSPHRASE-LESS PRIVATE KEYS!
>
> Do the Internet a service and scan your users' home directories for
> passphrase-less private ssh keys. This is as easy as running
>
>   # grep -L ENCRYPTED /home/*/.ssh/id_?sa
>
> Delete all such keys that don't have a good reason for existence.
> (Yes, we do so on all our systems.)

I agree. And to keep it convenient across multiple clusters, I guide my students to use just one passphrase-protected key plus an ssh-agent. There is a nice Howto about it:

http://unixwiz.net/techtips/ssh-agent-forwarding.html

But: even with a passphrase, the ssh key should be protected as much as possible. Once someone has the private key, any offline brute-force to get the passphrase won't take long, I fear. They could just try to recreate the public part of the key with ssh-keygen -y, which is completely offline, as this will also need the passphrase to be entered.

-- Reuti
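The thread's check, grep -L ENCRYPTED over id_?sa files, relies on the legacy PEM container announcing a passphrase with a "Proc-Type: 4,ENCRYPTED" header. Keys written in the later "openssh-key-v1" container (OpenSSH 6.5 and later, the default since 7.8) keep the cipher name inside the base64 body, so that grep reports every such key as passphrase-less whether it is or not, and the id_?sa glob never sees id_ed25519 at all. The following is an added example, not code from the list post or from OpenSSH: a small classifier that reads the header fields of both on-disk formats and a scanner that walks a /home tree with it. The key files it tests against are constructed fixtures with dummy key material (only the headers matter for the check); the /home layout in demo_scan is a temporary directory, also constructed.

```python
"""Find SSH private keys without a passphrase, in both OpenSSH key file formats.

Added example, not from the original post. Legacy PEM keys mark a passphrase
with an RFC 1421 "Proc-Type: 4,ENCRYPTED" header; openssh-key-v1 keys store
the cipher name ("none" when unencrypted) inside the base64 blob.
"""
import base64
import glob
import os
import shutil
import struct
import tempfile

LEGACY_BEGIN = (b"-----BEGIN RSA PRIVATE KEY-----", b"-----BEGIN DSA PRIVATE KEY-----",
                b"-----BEGIN EC PRIVATE KEY-----")
OPENSSH_BEGIN = b"-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def openssh_cipher_and_kdf(blob):
    """Return (ciphername, kdfname) from a decoded openssh-key-v1 blob."""
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
    kdf, _ = _read_string(blob, off)
    return cipher.decode("ascii"), kdf.decode("ascii")


def classify_key(data):
    """Return 'encrypted', 'unencrypted' or 'not-a-key' for one key file's bytes."""
    lines = [ln.strip() for ln in data.strip().splitlines()]
    if not lines:
        return "not-a-key"
    first = lines[0]
    if first == OPENSSH_BEGIN:
        cipher, _ = openssh_cipher_and_kdf(base64.b64decode(b"".join(lines[1:-1])))
        return "unencrypted" if cipher == "none" else "encrypted"
    if first in LEGACY_BEGIN:
        # Header lines (Proc-Type, DEK-Info) sit between BEGIN and the base64
        # body; base64 never contains ':' so the first line without one ends them.
        for line in lines[1:]:
            if b":" not in line:
                break
            if line.startswith(b"Proc-Type:") and b"ENCRYPTED" in line:
                return "encrypted"
        return "unencrypted"
    if first == b"-----BEGIN ENCRYPTED PRIVATE KEY-----":   # PKCS#8, encrypted
        return "encrypted"
    if first == b"-----BEGIN PRIVATE KEY-----":             # PKCS#8, plaintext
        return "unencrypted"
    return "not-a-key"


def grep_would_list(data):
    """Mirror 'grep -L ENCRYPTED': True when grep would list the file as passphrase-less."""
    return b"ENCRYPTED" not in data


def scan_home_dirs(root="/home"):
    """Return every file under <root>/*/.ssh/ that parses as a passphrase-less private key."""
    findings = []
    for path in glob.glob(os.path.join(root, "*", ".ssh", "*")):
        if not os.path.isfile(path) or path.endswith(".pub"):
            continue
        try:
            with open(path, "rb") as fh:
                data = fh.read(16384)
        except OSError:
            continue
        if classify_key(data) == "unencrypted":
            findings.append(path)
    return sorted(findings)


# ---- constructed fixtures: dummy key material, only the headers matter ----

def build_openssh_key(cipher, kdf):
    """Constructed openssh-key-v1 file with placeholder public/private sections."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = (OPENSSH_MAGIC + s(cipher.encode()) + s(kdf.encode()) + s(b"")  # kdfoptions
            + struct.pack(">I", 1) + s(b"\x00" * 32) + s(b"\x00" * 64))     # nkeys, pub, priv
    b64 = base64.b64encode(blob)
    body = b"\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return OPENSSH_BEGIN + b"\n" + body + b"\n-----END OPENSSH PRIVATE KEY-----\n"


LEGACY_PLAIN = (b"-----BEGIN RSA PRIVATE KEY-----\nQUFBQUFBQUFBQUFBQUFBQQ==\n"
                b"-----END RSA PRIVATE KEY-----\n")
LEGACY_ENCRYPTED = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                    b"QUFBQUFBQUFBQUFBQUFBQQ==\n-----END RSA PRIVATE KEY-----\n")


def demo_scan():
    """Write the fixtures into a temporary fake /home, scan it, return relative paths."""
    root = tempfile.mkdtemp()
    try:
        fixtures = {
            "alice/.ssh/id_rsa": LEGACY_ENCRYPTED,
            "bob/.ssh/id_rsa": LEGACY_PLAIN,
            "carol/.ssh/id_ed25519": build_openssh_key("aes256-ctr", "bcrypt"),
            "dave/.ssh/id_ed25519": build_openssh_key("none", "none"),
            "dave/.ssh/id_ed25519.pub": b"ssh-ed25519 AAAA dave@cluster\n",
        }
        for rel, data in fixtures.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return [os.path.relpath(p, root) for p in scan_home_dirs(root)]
    finally:
        shutil.rmtree(root)
```

Run with a real root (`scan_home_dirs("/home")` as root) to get the list the thread asks for; demo_scan shows the difference on the fixtures: the classifier reports only bob's legacy key and dave's new-format key, while the grep heuristic would also list carol's bcrypt-protected key and would never have looked at an ed25519 file in the first place. The one thing this parser cannot tell you is how strong the passphrase is, which is Reuti's point about offline guessing with ssh-keygen -y.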
