unless you really want to run programs as root, I wouldn't recommend
to allow root login at all with ssh. Better is to have to login as a
user first, and then su to root.
I disagree with this, actually. first, "su root" is almost always the
worst thing to do, since it requires that you have an easy-to-type
password for root, and that you quite possibly type it frequently.
using an SSH identity for logging in directly as root is surely more
secure. that's my preferred technique - I run ssh-agent
so almost never type any password.
Using passworded ssh key authentication is, I believe, the most secure
remote login setup.
I think you mean passphrase-encrypted key - yes, that's what I meant.
un-passphrase'd keys would be equivalent in crypto-strength, but anyone
who managed to get a hold of the private key would have complete access.
The usage schema of sudo is inherently safer -- increase privilege for
one task only, then go back to SOP. Control is also more granular, so it
is more secure.
the more often as password is typed, the less secure it is.
right - I don't have a problem with rsh as an internal cluster spawn
method.
though since you almost certainly also have sshd running, it makes sense
to have fewer daemons.
It's okay for a small cluster where you have really good control over
the users.
I understand why you would say this, but I don't think it's true:
regardless of the size of the cluster or randomness of the user
community, once someone gets root, they get everything. I don't see
why the number of nodes would make any difference (since they're
probably all running the same distro, therefore have the same holes).
and I'm not sure the use-base matters either, except that more users
mean more chances someone will go grey some weekend, or get compromised.
_______________________________________________
Beowulf mailing list, [email protected]
To change your subscription (digest mode or unsubscribe) visit
http://www.beowulf.org/mailman/listinfo/beowulf
