[Beowulf] Intra-cluster security
Reuti
reuti at Staff.Uni-Marburg.DE
Sun Sep 13 08:03:37 PDT 2009
Am 13.09.2009 um 12:31 schrieb Leif Nixon:
> <snip>
> This is the way to go. All our systems are set up this way. Works just
> fine. You just need a mechanism for maintaining host keys and
> ssh_known_hosts. (And remember that this doesn't work for root - you
> need separately set up ~root/.shosts and ~root/.ssh/known_hosts if you
> want it.)
>
> Oh, and DO NOT USE PASSPHRASE-LESS PRIVATE KEYS!
>
> Do the Internet a service and scan your users' home directories for
> passphrase-less private ssh keys. This is as easy as running
>
> # grep -L ENCRYPTED /home/*/.ssh/id_?sa
>
> Delete all such keys that don't have a good reason for existence.
> (Yes,
> we do so on all our systems.)
I agree. And to have it still convenient between multiple clusters I
guide my students to use just one passphrase protected key and an
ssh-agent in addition. There is a nice Howto about it:
http://unixwiz.net/techtips/ssh-agent-forwarding.html
But: even with a passphrase the ssh-key should be protected as much
as possible. Once someone has the private key, any offline
brute-force to get the passphrase won't take long I fear. They could
just try to recreate the public part of the key with: ssh-keygen -y
which is completely offline, as this will also need the passphrase to
be entered.
-- Reuti
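The `grep -L ENCRYPTED` scan quoted above keys on the `Proc-Type: 4,ENCRYPTED` header that only the legacy PEM key layout carries. Keys written in OpenSSH's own `openssh-key-v1` format store the cipher name inside the base64 blob instead (`none` means no passphrase), so the grep lists every new-format key, protected or not, and a cleanup based on it alone could delete passphrase-protected keys. The following is an added example, not part of the mailing-list post: a Python scanner that handles both layouts and shows, side by side, where the grep verdict differs. All key files it inspects are constructed stand-ins with dummy key material; the user names and paths are assumptions.

```python
"""Find passphrase-less SSH private keys under a /home-style tree.

Added example, not from the Beowulf post. Handles two on-disk layouts:
 - legacy PEM: an encrypted key carries "Proc-Type: 4,ENCRYPTED" in a
   text header (this is what `grep -L ENCRYPTED` relies on);
 - openssh-key-v1: the armour wraps a binary blob whose first fields are
   the magic string and a length-prefixed cipher name; "none" means the
   key is stored unencrypted.
"""
import base64
import binascii
import struct
import tempfile
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_BEGIN = b"-----BEGIN OPENSSH PRIVATE KEY-----"


def _armour_body(data: bytes) -> bytes:
    """Join the base64 lines between the BEGIN/END armour lines."""
    lines = [ln.strip() for ln in data.splitlines()]
    return b"".join(ln for ln in lines
                    if ln and not ln.startswith(b"-----") and b":" not in ln)


def classify_private_key(data: bytes) -> str:
    """Return 'encrypted', 'unencrypted' or 'unknown' for one key file's bytes."""
    if OPENSSH_BEGIN in data:
        try:
            blob = base64.b64decode(_armour_body(data), validate=True)
        except (binascii.Error, ValueError):
            return "unknown"
        off = len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
            return "unknown"
        (n,) = struct.unpack(">I", blob[off:off + 4])   # cipher-name length
        cipher = blob[off + 4:off + 4 + n]
        if len(cipher) != n:
            return "unknown"
        return "unencrypted" if cipher == b"none" else "encrypted"
    if b"PRIVATE KEY-----" in data:
        # Legacy PEM / PKCS#8 announce encryption in a plain-text header.
        return "encrypted" if b"ENCRYPTED" in data else "unencrypted"
    return "unknown"


def grep_L_verdict(data: bytes) -> bool:
    """What `grep -L ENCRYPTED` reports: True means 'listed as passphrase-less'."""
    return b"ENCRYPTED" not in data


def scan_home_dirs(home_root) -> dict:
    """Map every private key file under <home_root>/*/.ssh to its class."""
    result = {}
    for ssh_dir in Path(home_root).glob("*/.ssh"):
        for path in ssh_dir.iterdir():
            if not path.is_file() or path.suffix == ".pub":
                continue
            verdict = classify_private_key(path.read_bytes())
            if verdict != "unknown":          # skip known_hosts, config, ...
                result[str(path.relative_to(home_root))] = verdict
    return result


def openssh_format_key(cipher: bytes) -> bytes:
    """Constructed openssh-key-v1 file: real header fields, dummy key material."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = (OPENSSH_MAGIC
            + struct.pack(">I", len(cipher)) + cipher
            + struct.pack(">I", len(kdf)) + kdf
            + b"\x00" * 32)                   # placeholder for the remaining fields
    b64 = base64.b64encode(blob)
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return b"\n".join([OPENSSH_BEGIN, *lines,
                       b"-----END OPENSSH PRIVATE KEY-----", b""])


def pem_format_key(encrypted: bool) -> bytes:
    """Constructed legacy PEM file; the body is dummy base64, not a real key."""
    header = (b"Proc-Type: 4,ENCRYPTED\n"
              b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
              if encrypted else b"")
    return (b"-----BEGIN RSA PRIVATE KEY-----\n" + header
            + b"MIIBOgIBAAJBAKDUMMYKEYMATERIAL0000000000000000000000000=\n"
            + b"-----END RSA PRIVATE KEY-----\n")


def build_sample_homes(root) -> None:
    """Write a constructed /home-like tree with four (assumed) users' keys."""
    samples = {
        "alice/.ssh/id_rsa": pem_format_key(encrypted=True),
        "bob/.ssh/id_rsa": pem_format_key(encrypted=False),
        "carol/.ssh/id_ed25519": openssh_format_key(b"none"),
        "dave/.ssh/id_ed25519": openssh_format_key(b"aes256-ctr"),
        "dave/.ssh/id_ed25519.pub": b"ssh-ed25519 AAAA... dave@example\n",
    }
    for rel, content in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)


def demo() -> dict:
    """Scan the constructed tree; return {path: (class, grep -L would list it)}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_homes(root)
        return {rel: (verdict, grep_L_verdict((Path(root) / rel).read_bytes()))
                for rel, verdict in scan_home_dirs(root).items()}


if __name__ == "__main__":
    for rel, (verdict, flagged) in sorted(demo().items()):
        print(f"{rel:26} {verdict:12} grep -L lists it: {flagged}")
```

Running it shows dave's aes256-ctr-protected new-format key listed by the grep just like bob's and carol's genuinely unencrypted ones; only the cipher-name check separates the two cases. Deleting the grep's output wholesale would therefore remove a key that already has the passphrase the post asks for.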