SSH and clusters
Dylan A. Loomis
dylan@aero.org
Wed, 2 Jun 1999 21:45:17 -0400
On Wed, Jun 02, 1999 at 01:42:33AM -0700, Philip Juels wrote:
> Sometimes my users simply want to run a batch process on any given node
> within our cluster as opposed to true parallel processing. So they use
> ssh to access the master node of our cluster and then rlogin or telnet
> to access the clients from the master (the client nodes are on an
> isolated intranet with the master acting as gatekeeper). Is this
> insecure? Should we run ssh for connections within the cluster? My
> understanding of ssh is that it's like a secure pipe...anything on top
> of it should be encrypted.
>
> Thanks,
>
> Philip Juels
> philip_juels@harvard.edu
Philip, the short answer to your questions is yes this is secure, the long
answer is that it depends on where you want your security. If you are
primarily worried about people sniffing traffic destined from the outside,
passing through your Gatekeeper to the clustered machines, then using
ssh to connect to the Gatekeeper and using rsh from there (Gatekeeper
to Compute node) will be fine.
In this case data is encrypted until the Gatekeeper, then within the private
network it is sent cleartext, so as long as you trust your compute nodes this
is fine.
So the person connects:

             -Encrypted-
Outside Host --- SSH --- Gatekeeper
             -Encrypted-

Then once they have ssh'd to the Gatekeeper they rsh to Compute node:

             -Encrypted-            -Cleartext-
Outside Host --- SSH --- Gatekeeper --- rsh --- Compute node
             -Encrypted-            -Cleartext-

Only the Gatekeeper to Compute node traffic is vulnerable, the traffic
from the Outside host to the Gatekeeper stays encrypted. So unless
someone is sniffing on either the Gatekeeper, or one of the Compute
nodes, you're fine.
hope that helps -DAL-
-- 
Dylan A. Loomis
Computer Systems Research Department The Aerospace Corporation
e-mail: dylan@aero.org phone: (310) 336-2449
PGP Key fingerprint = 55 DE BB DD 34 10 CD 20 72 79 88 FE 02 0E 21 3A
PGP 2.6.2 key available upon request