[GE users] SSH and host keys

reuti reuti at staff.uni-marburg.de
Wed Feb 18 22:54:24 GMT 2009


On 18.02.2009 at 23:34, crhea wrote:

>>> You mean for parallel jobs, as you wrote "between" the nodes. Hence
>>> all exec hosts must trust the other exec hosts.
> Yes-- we're just starting to see real parallel jobs. Previously, we  
> did have users who had jobs that created other jobs (so we had the  
> exec host -> exec host trust already set up.)
>> <hostname>,<ip-addr>,<FQDN> ssh-rsa ...
> I didn't need to use host and FQDN (I did FQDN,IP ssh-rsa ...)
> What does NOT work is password-less root access between nodes, but  
> I think this is something specifically blocked by  
> host-based-authentication.

root is different. This must be in ~/.shosts on each node, as root's  
home is local on each node and handled in a special way for security  
reasons. With RSH it was the same in the past. It might also be that  
PAM must be adjusted. For RSH it was necessary to comment out a line  
where it was set up that root must come from a local trusted TTY.

> What isn't clear is where in the SGE process things are running as  
> root versus running as the actual user. Is (non-root)user->user SSH  
> good enough for parallel jobs?

Yes, user's SSH is good enough.

> Also, FWIW, I set up our cluster to use rsh (so /etc/hosts.equiv  
> has all the cluster nodes and submit hosts, etc). We're running  
> CentOS 5 (RHEL 5) and here are the things I had to set up to allow  
> passwordless SSH (for normal users) between cluster nodes:
> 1. Use /etc/hosts.equiv to gather the RSA keys (here's my quick  
> little script that allows adding the FQDN/IP per Reuti's post):
>     rm /tmp/f.hosts
>     while read a
>     do
>         if [ "$a" = localhost ]; then
>             continue
>         fi
>         b=`host $a | sed 's/^.* //'`
>         echo "$a,$b" >> /tmp/f.hosts
>     done < /etc/hosts.equiv
>     ssh-keyscan -t rsa -f /tmp/f.hosts | sort -n > /tmp/ssh_known_hosts
>     cp /tmp/ssh_known_hosts /etc/ssh/ssh_known_hosts
> Copy this file (/etc/ssh/ssh_known_hosts) to all machines involved.
> vi /etc/ssh/sshd_config
> RhostsRSAAuthentication yes

The above is only for SSH-1 I think, hence it's not necessary to have  
it set to yes.

> HostbasedAuthentication yes
> vi /etc/ssh/ssh_config
> HostbasedAuthentication yes
> EnableSSHKeysign yes  # Add this line
> StrictHostKeyChecking no

Even if you set StrictHostKeyChecking to yes, it should work, as in  
ssh_known_hosts the nodes are already listed - but for this you need  
the hostname entry there. The automatic add vanished when I added  
the hostname to each line there.

As you use SSH: you have workstations and no private network for the  

-- Reuti
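
The following is an added example, not part of the mailing-list message or of Grid Engine: a check that every name a client might use for a node (short hostname, FQDN, IP) has an entry in the system-wide ssh_known_hosts, which is the condition described above for StrictHostKeyChecking yes to work without the automatic add. The function names, the host-list format ("short fqdn ip" per line) and all hosts and keys in the demo are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Host names, addresses and key material below are constructed.

# names_in_known_hosts FILE: print each name in field 1, one per line.
# Blank lines, comments, @markers and hashed (|1|...) entries are skipped.
names_in_known_hosts() {
    awk 'NF == 0 || $1 ~ /^[#@|]/ { next }
         { n = split($1, names, ","); for (i = 1; i <= n; i++) print names[i] }' "$1"
}

# missing_names KNOWN_HOSTS HOSTLIST
# HOSTLIST lines are "<short> <fqdn> <ip>". Reports every name without an
# entry and returns 1 if any is missing, 0 if all are covered.
missing_names() {
    known=$(names_in_known_hosts "$1")
    rc=0
    while read -r short fqdn ip; do
        [ -n "$short" ] || continue
        for name in "$short" "$fqdn" "$ip"; do
            # -x -F: whole-line, literal match, so dots in IPs are not wildcards
            if ! printf '%s\n' "$known" | grep -qxF -e "$name"; then
                echo "$short: no known_hosts entry for $name"
                rc=1
            fi
        done
    done < "$2"
    return "$rc"
}

# Demo on constructed data: node01 follows the hostname,ip-addr,FQDN form,
# node02 lists only FQDN,IP and therefore lacks the short hostname.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ssh_known_hosts" <<'EOF'
node01,192.0.2.11,node01.example.com ssh-rsa AAAAconstructedkey1
node02.example.com,192.0.2.12 ssh-rsa AAAAconstructedkey2
EOF
cat > "$demo_dir/hostlist" <<'EOF'
node01 node01.example.com 192.0.2.11
node02 node02.example.com 192.0.2.12
EOF
missing_names "$demo_dir/ssh_known_hosts" "$demo_dir/hostlist" || echo "audit: incomplete"
rm -rf "$demo_dir"
```

Keys collected with ssh-keyscan are not authenticated by the scan itself, so compare their fingerprints with ones read on each node before distributing the file.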

