[Beowulf] passwordless rsh/ssh

Geoff Jacobs gdjacobs at gmail.com
Tue Jun 21 19:14:34 PDT 2005


Cheng, Kevin wrote:

> Dear all
>
> I manage to get rshd/rsh and ssh to work. I can rsh / ssh to myself
> localhost. I notice that I cannot log in as root via rsh and have to
> use a normal user account for rsh. Is this normal? Does it matter to
> MPICH whether it's root or not root passwordless login?
>
> When I ssh/rsh to another machine I have to use it's IP address. How
> do I get around this so that I can rsh/ssh using hostname?
>
> I manage to get ssh passwordless to localhost, but not to other hosts.
> If I was using ssh, how would I configure MPICH-1 to use ssh instead
> of it using rsh by default?
>
> Did anyone know how to make rsh passwordless?
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Beowulf mailing list, Beowulf at beowulf.org
>To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf
>  
>
First, security considerations. Rsh has large security problems. It is
susceptible to both packet-sniff attacks and spoof attacks. Executing
such attacks is a trivial matter if the machine accepting rsh sessions
is not on a separate, trusted network. Any beowulf-style cluster using
rsh as the underlying protocol for MPICH or whatever must exist behind a
good firewall and have a trusted userbase.

If you wish to make rsh passwordless, create a file called .rhosts in
your home directory. If your username is fred and login/shell machine is
called bedrock, this file should contain a couple of lines formatted as
follows:

localhost   fred
bedrock   fred

This file must exist in your home directory for every machine where you
want passwordless rsh access.

Public key authenticated ssh is passwordless, but has few of the
problems of rsh. I believe most people, including yours truly, would
consider this method safe enough to be used on a public network.

In your $HOME/.ssh directory, create a file:

cd ~/.ssh
touch authorized_keys
chmod 600 authorized_keys

If you have not generated an ssh keypair on your client, type

ssh-keygen -t dsa

and follow the prompts. Then copy the private key into the
authorized_keys file:

cat id_dsa.pub >> authorized_keys

On any machine where you want passwordless ssh logins, copy the
authorized keys file from your client into the ssh directory under your
home on the target machine.

scp ~/.ssh/authorized_keys fred at target:~/.ssh/authorized_keys

Test the configuration by typing:

ssh fred at target ls -l ~/.ssh

You should get output like
total 2
-rw-------  1 fred fred   601 Jun 13 18:27 /home/fred/.ssh/authorized_keys
-rw-r--r--  1 fred fred 1394 May 24 20:19 /home/fred/.ssh/known_hosts

without entering a password.

It is critical that permissions remain correct for your authorized_keys
file on the target machine. If they are not correct (i.e. someone borked
the umask), you may still be asked for a password. If the line in front
of authorized_keys in the above command does not read -rw-------, then type

ssh fred at target chmod 600 ~/.ssh/authorized_keys.

and use your password for the last time in this example.
-- 

Geoffrey D. Jacobs
MORE CORE AVAILABLE, BUT NONE FOR YOU.




More information about the Beowulf mailing list