[GE users] Any reason not to have all user's workstations as submit hosts?

massot bernard.massot at ens.fr
Wed Apr 14 09:36:33 BST 2010


On Mon, Apr 12, 2010 at 01:12:40PM -0700, benmwebb wrote:
> Even if you could prevent your users from rooting the workstation and
> thus impersonating any user, the network protocol between submit host
> and SGE master trusts the submit host and does not require an
> originating port < 1024, so a cunning user can simply hack up their
> own SGE client and submit jobs as any user even without rooting the
> box.
> 
> To at least partially solve this problem, you could deploy CSP
On my network I consider users can't get root access on submit hosts but
IP spoofing is quite easy. I first looked at the certificates approach
but quickly felt it would be cumbersome to deploy and maintain.
I chose to use IPsec with preshared keys to authenticate submit hosts
and exec hosts to the master. It's simple and works well for me.
-- 
Bernard Massot

------------------------------------------------------
http://gridengine.sunsource.net/ds/viewMessage.do?dsForumId=38&dsMessageId=253355
