Re: Question on SSH configuration in a cluster environment.

From: Richard E. Silverman (res_at_qoxp.net)
Date: 01/17/04

  • Next message: Nico Kadel-Garcia: "Re: Question on SSH configuration in a cluster environment."
    Date: 17 Jan 2004 14:03:36 -0500
    
    

    >>>>> "KL" == Kyler Laird <Kyler@news.Lairds.org> writes:

    >> b. Copy the /usr/local/etc/ssh* and /usr/local/ssh files from the
    >> current node, onto the secondary node.

        KL> Sounds like a winner. If everything is configured identically so
        KL> that a failover can occur easily, why not have ssh look the same
        KL> too?

    Because now it is impossible for SSH to tell the difference between these
    hosts in *any* situation, not just when users are connecting to the
    clustered service. In other words, when someone does "ssh cluster," they
    simply want to be assured that they are logging into one of the cluster
    machines -- which the solution given here allows:

    http://groups.google.com/groups?&threadm=m1l1ylwuijr.fsf%40sys1.des.jhy.us.ml.com

    However, if a sysadmin does "ssh cluster-member-1", he wants to be assured
    he's actually logging into that box. Giving them all the same key defeats
    that ability; if one box is compromised, they can all be spoofed.

    -- 
      Richard Silverman
      res@qoxp.net
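An added example, not from this thread, that models how a client's known_hosts file decides the question Silverman raises: each node keeps its own host key and is also listed under the "cluster" alias, so "ssh cluster" accepts any member's key while "ssh cluster-member-1" accepts only member 1's. The hostnames, key blobs and file contents are constructed.

```python
# Minimal model of OpenSSH known_hosts matching (plain, unhashed entries only),
# used to compare per-node host keys against one key shared by every node.
# All hostnames, key blobs and file contents below are constructed.

def parse_known_hosts(text):
    """Return a list of (hostnames, keytype, keyblob) from unhashed entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, keytype, blob = line.split()[:3]
        entries.append((set(hosts.split(",")), keytype, blob))
    return entries

def check_host_key(entries, hostname, keytype, blob):
    """'found' if any entry for hostname carries this key, 'changed' if the host
    is known only under other keys of this type, 'unknown' if it is not listed."""
    seen = False
    for hosts, kt, kb in entries:
        if hostname not in hosts or kt != keytype:
            continue
        if kb == blob:
            return "found"
        seen = True
    return "changed" if seen else "unknown"

# Per-node keys; each node's line also carries the "cluster" service alias.
PER_NODE_KNOWN_HOSTS = """
cluster,cluster-member-1 ssh-rsa AAAAnode1key
cluster,cluster-member-2 ssh-rsa AAAAnode2key
"""

# The alternative discussed in the thread: every node presents the same key.
SHARED_KNOWN_HOSTS = """
cluster,cluster-member-1,cluster-member-2 ssh-rsa AAAAsharedkey
"""

def evaluate():
    per_node = parse_known_hosts(PER_NODE_KNOWN_HOSTS)
    shared = parse_known_hosts(SHARED_KNOWN_HOSTS)
    return {
        # Service alias: any member's key is acceptable.
        "per_node/cluster/member2key": check_host_key(per_node, "cluster", "ssh-rsa", "AAAAnode2key"),
        # Per-node keys: member 2 answering to member 1's name is flagged.
        "per_node/member1/member2key": check_host_key(per_node, "cluster-member-1", "ssh-rsa", "AAAAnode2key"),
        # Shared key: whoever holds it passes as member 1, so nothing is flagged.
        "shared/member1/sharedkey": check_host_key(shared, "cluster-member-1", "ssh-rsa", "AAAAsharedkey"),
    }
```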
    
