On Fri, 28 Jul 2006, Leif Nixon wrote:

> Geoff Jacobs <[EMAIL PROTECTED]> writes:
>
>> [EMAIL PROTECTED] wrote:
>>
>>> right - I don't have a problem with rsh as an internal cluster spawn
>>> method.
>>> though since you almost certainly also have sshd running, it makes sense
>>> to have fewer daemons.
>>
>> It's okay for a small cluster where you have really good control over
>> the users.
>
> Now, THAT'S a very dangerous mindset. Even if you can be 100% sure
> there are no bad apples among your users, every single HPC related

...and you can't. Or at least if you are sure, eventually you'll be
sure -- and wrong. I'm personally familiar with several cases of trust
abused, and a couple more where a user turned out to be mentally ill
(seriously). As in not responsible for their actions, and off the deep
end paranoid about what others might be saying about them.

Times like that, you'll be very glad that you have sshd running, strong
passwords that aren't posted on a bulletin board in the server room in
plain sight, and have exercised what I'd call purely "professional good
judgement" in the way the system was configured to protect the rights
and privacy of all users.

ssh is totally unobtrusive (compared to rsh), adds useful features
missing from rsh, adds an irrelevant bit of overhead (irrelevant for
nearly all applications, at any rate) and closes just about all possible
plaintext snooping, id thieving loopholes that were exploited for years
with rsh. Running it inside a scyld-type beowulf, where the cluster has
no private data, where the cluster is "a computer", where you cannot
login to a node with or without rsh, maybe that's ok. Running it where
there is any chance that abuse could result in compromising a user's
account, well, it is your job to make that impossible. Period. If you
don't, it will be your fault, not just your responsibility, when it
sooner or later happens.

> intrusion I'm aware of the last couple of years has started off by
> stealing passwords or keys and masquerading as legitimate users.

Not just the last couple of years. Try the last couple of decades. Or
maybe even three (how old IS unix, anyway)?

rgb
--
Robert G. Brown http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567 Fax: 919-660-2525 email:[EMAIL PROTECTED]
_______________________________________________
Beowulf mailing list, [email protected]