[GE users] Use of "-i" argument to "sshd" in rsh_daemon/rlogin_daemon configuration

Bevan C. Bennett bevan at fulcrummicro.com
Thu Aug 5 22:25:03 BST 2004


> On Thu, Jul 29, 2004 at 01:28:10AM -0700, Greg Earle wrote:
> 
>>Can someone explain to me why it was suggested to use "-i" as an
>>argument to "sshd" if one wants to use SSH instead of the customized
>>NetBSD "rsh"/"rshd" combo that comes with Grid Engine 6.0?

You have to use -i so sshd knows it's being run as a one-off daemon 
(like it would be from inetd) rather than in its normal, persistent mode.

>>I ran straight into a big problem with doing this - namely, if
>>I want to be able to ssh to an exec host without needing a password,
>>I trash the cluster hosts' entries in $HOME/.ssh/known_hosts,
>>then run "qrsh hostname" (or whatever) to each of the exec hosts,
>>in turn, and when SSH asks if it's OK to connect, I say "yes" and
>>let the keys returned get added to $HOME/.ssh/known_hosts.  From
>>then on, I can run Grid jobs without a password, but as soon as I
>>want to run "ssh" from the command line outside of the Grid
>>environment, I get complaints about mis-matched keys and possible
>>man-in-the-middle attacks.
>>
>>Should I consider the fact that I can get Grid jobs to be dispatched
>>remotely without a password but command-line ssh commands get
>>rejected to be a "security feature"?
>>
>>Or is there something wrong in my key setup that causes the
>>on-the-fly key generation (if I'm reading the "-i" switch
>>documentation in the "sshd" man page right) to generate a different
>>key than either what it "should be", or is the key that the
>>normally-running daemonized "sshd" using the "wrong" key, somehow?
>>It appears that "sshd" will generate 768-bit keys of its own when it
>>starts up, so I tried running "ssh-keygen" to generate all 3 sets of
>>keys on a few hosts with 768-bit keys, copied them to
>>/.ssh/authorized_keys, /.ssh/id_rsa et al., and the standard server
>>directory (.../etc/ssh_host_rsa_key, etc.).
>>
>>But it's still not working ...

I ran into similar-sounding problems, until I edited all the exechost 
public keys to contain both the short and FQDN versions of the hostname.

Prev: "aetius,10.0.0.62 ssh-rsa AAAAB3Nz..."
Fixed: "aetius.internal.avlsi.com,aetius,10.0.0.62 ssh-rsa AAAAB3Nz..."

I also make sure that the combined set of adjusted public keys is 
installed on every submit host as /etc/ssh/ssh_known_hosts.

Also, do you start SGE as root on the exec hosts? If you don't, then the 
sshd they try to start may not be able to read your standard sshd 
configuration information from /etc/ssh/... that might cause it to 
generate a new, different host key.

Look at the key that you accept when you qrsh and compare it to the key 
you get when you just ssh (you'll have to move them out of known_hosts 
to get both), then compare both to the public key in /etc/ssh/ on the 
exechost.  Noting the differences between the three should prove 
enlightening.
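
The two checks described in this reply, as an added example that is not part of the original message: rewriting a known-hosts entry so it carries both the FQDN and the short name, and comparing the host key seen through qrsh, through plain ssh, and in the exechost's .pub file. The function names are hypothetical and the key blobs are constructed placeholders; the host name, address and domain are the ones quoted above.

```python
import base64
import hashlib

def parse_line(line):
    """Split a known_hosts line or a host .pub file line into (names, keytype, blob)."""
    fields = line.split()
    if fields[0].startswith(("ssh-", "ecdsa-")):  # .pub file: no host-name field
        fields.insert(0, "")
    names, keytype, blob = fields[:3]
    return [n for n in names.split(",") if n], keytype, blob

def fingerprint(blob):
    """SHA256 fingerprint as OpenSSH prints it: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def add_fqdn(line, domain):
    """Put the FQDN in front of each short host name; leave IPs and hashed names alone."""
    names, keytype, blob = parse_line(line)
    out = []
    for n in names:
        # IPv4 and FQDNs contain ".", IPv6 contains ":", hashed names start with "|".
        short = "." not in n and ":" not in n and not n.startswith("|")
        if short and f"{n}.{domain}" not in names:
            out.append(f"{n}.{domain}")
        out.append(n)
    return f"{','.join(out)} {keytype} {blob}"

def compare_keys(sources):
    """sources maps a label to a key line; returns (all_match, {label: fingerprint})."""
    fps = {label: fingerprint(parse_line(line)[2]) for label, line in sources.items()}
    return len(set(fps.values())) == 1, fps

# Constructed sample data: these blobs are placeholders, not real host keys.
KEY_ETC = base64.b64encode(b"constructed key read from /etc/ssh").decode()
KEY_TMP = base64.b64encode(b"constructed key from an sshd that could not read /etc/ssh").decode()
SOURCES = {
    "accepted via qrsh": f"aetius,10.0.0.62 ssh-rsa {KEY_TMP}",
    "accepted via ssh": f"aetius,10.0.0.62 ssh-rsa {KEY_ETC}",
    "exechost .pub file": f"ssh-rsa {KEY_ETC} root@aetius",
}

if __name__ == "__main__":
    print(add_fqdn(SOURCES["accepted via ssh"], "internal.avlsi.com"))
    same, fps = compare_keys(SOURCES)
    print("all match" if same else "mismatch", fps)
```

With the constructed data the qrsh fingerprint differs from the other two, which is the pattern to expect when the sshd started by the execution daemon is not presenting the host key stored in /etc/ssh.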
