[EMAIL PROTECTED] wrote:
>> unless you really want to run programs as root, I wouldn't recommend
>> to allow root login at all with ssh. Better is to have to login as a
>> user first, and then su to root.
>
> I disagree with this, actually. first, "su root" is almost always the
> worst thing to do, since it requires that you have an easy-to-type
> password for root, and that you quite possibly type it frequently.
> using an SSH identity for logging in directly as root is surely more
> secure. that's my preferred technique - I run ssh-agent
> so almost never type any password.

Using passworded ssh key authentication is, I believe, the most secure remote login setup. Secure enough that I expect one could reduce the length of the password to something reasonable (but still not brute forcible).

> but even if you don't like that, surely sudo is better than "su root",
> though it does mean the onus of difficulty falls to your password.
> (and for multiple admins, it means that root effectively has a password
> hardness N times lower than the admin user passwords...)
>
> the logging performed by sudo is, IMO, of marginal value - it means that
> someone spends time reading it, and while it's an OK audit trail
> for figuring out what happened, it's of no value forensically
> (since any serious attacker will compromise syslog.)

The usage schema of sudo is inherently safer -- increase privilege for one task only, then go back to SOP. Control is also more granular, so it is more secure.

>> If you use rsh, you also don't need any passwordless ssh login. After
>> putting all the nodes in all /etc/hosts.equiv the rsh should allow
>> already a passwordless login to the nodes. With setting P4_RSHCOMMAND,
>> it will target compiled programs.
>
> right - I don't have a problem with rsh as an internal cluster spawn
> method.
> though since you almost certainly also have sshd running, it makes sense
> to have fewer daemons.

It's okay for a small cluster where you have really good control over the users. I don't think there's a point to it anymore, though. No real performance advantage, and it's not any more simple to configure.

http://www.beowulf.org/archive/2004-November/011247.html

> regards, mark hahn.
> _______________________________________________
> Beowulf mailing list, [email protected]
> To change your subscription (digest mode or unsubscribe) visit
> http://www.beowulf.org/mailman/listinfo/beowulf
>

--
Geoffrey D. Jacobs
Go to the Chinese Restaurant, Order the Special
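The thread argues over two sshd settings: whether root may log in over ssh at all, and whether logins are by password or by key (with ssh-agent holding the passphrase). The following POSIX shell audit is an added example, not code from the thread or from either poster; it reads the effective value of `PermitRootLogin` and `PasswordAuthentication` from an `sshd_config` and flags the password-based root login the first quoted poster warns against. The two sample configs are constructed for the example, the keyword defaults it assumes are OpenSSH's (the `PermitRootLogin` default has changed across releases), and it only looks at the global section, since sshd takes the first occurrence of a keyword and anything after a `Match` line applies to matched connections only.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the two settings the thread debates.
# sshd uses the FIRST occurrence of a keyword, and keywords are case-insensitive.
# Assumes the "Keyword value" form (not "Keyword=value") and stops at the
# first Match block, so only the global defaults are reported.

# Print the effective value of keyword $2 in file $1, or default $3 if unset.
sshd_effective() {
    val=$(awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }            # skip comments and blanks
        tolower($1) == "match" { exit }                 # global section ends here
        tolower($1) == tolower(key) { print $2; exit }  # first occurrence wins
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Return 0 when the config matches the posture argued for in the thread
# (no password logins, root only via a key), 1 otherwise. Findings go to stdout.
audit_sshd_config() {
    cfg="$1"
    rc=0
    # Assumed defaults: prohibit-password for PermitRootLogin (OpenSSH >= 7.0),
    # yes for PasswordAuthentication.
    prl=$(sshd_effective "$cfg" PermitRootLogin prohibit-password)
    pwa=$(sshd_effective "$cfg" PasswordAuthentication yes)
    case "$prl" in
        yes) echo "FAIL: PermitRootLogin yes (root may log in with a password)"; rc=1 ;;
        *)   echo "ok:   PermitRootLogin $prl" ;;
    esac
    case "$pwa" in
        no)  echo "ok:   PasswordAuthentication no (key-only logins)" ;;
        *)   echo "FAIL: PasswordAuthentication $pwa (password guessing stays possible)"; rc=1 ;;
    esac
    return $rc
}

# Two constructed sample configs (not taken from any real host).
AUDIT_DIR=$(mktemp -d)
WEAK_CFG="$AUDIT_DIR/sshd_config.weak"
HARD_CFG="$AUDIT_DIR/sshd_config.hardened"

# The setup the first quoted poster warns about: root with a typed password.
cat > "$WEAK_CFG" <<'EOF'
# constructed sample sshd_config
Port 22
permitrootlogin yes
PasswordAuthentication yes
EOF

# Key-only logins; root allowed, but only with an SSH identity, as Mark describes.
cat > "$HARD_CFG" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF

echo "== weak sample =="
audit_sshd_config "$WEAK_CFG" || echo "(audit failed, as expected)"
echo "== hardened sample =="
audit_sshd_config "$HARD_CFG" && echo "(audit passed)"
```

Run it against a real `/etc/sshd_config` path by calling `audit_sshd_config /etc/ssh/sshd_config`; a `Match` block that re-enables passwords for one user, as in the hardened sample, is deliberately not reported, because it does not change the global posture the thread is about.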
