Yes, we follow that principle too.

With access to GPFS administration, soon to be restricted to allow access only 
from specific 'bastions' with MFA implemented on them, to specific management 
nodes only, not protocol nodes.

Kindest regards,
Paul

Paul Ward
TS Infrastructure Architect
Natural History Museum
T: 02079426450
E: [email protected]


-----Original Message-----
From: gpfsug-discuss <[email protected]> On Behalf Of Jonathan 
Buzzard
Sent: Tuesday, July 23, 2024 12:30 PM
To: [email protected]; [email protected]
Subject: Re: [gpfsug-discuss] ssh authentication on CES nodes

On Tue, 2024-07-23 at 10:11 +0000, Paul Ward wrote:
> Hi Ivano,
>
> I am curious about this line of your message:
> "For us that's quite annoying, since we can't login with our
> personal/central accounts and then sudo."
>
> We only allow administrator access to the GPFS cluster via the EMS
> nodes. We will be restricting them to MFA based access.
> We then navigate to all other nodes from one of them.
>
>

My guess would be that administrators log onto the cluster using their 
personal/central accounts and then use sudo to issue administrative commands. 
This creates a log of who issued what commands at what time.
Useful when you have more than one administrator and provides a level of 
tracking.

Though personally I think using your "personal" everyday account for this is 
suboptimal. Best practice would suggest having a separate personal administrator 
account. So for example in a previous life my normal everyday account was 
njab14, no different than anyone else's account, but I had a separate 
administrator account, sjab14. That could do things like sudo, had rights in 
the AD etc. etc.

You can also do things like create groups of users that can log onto things 
that normal users can't.


JAB.

--
Jonathan A. Buzzard                         Tel: +44141-5483420
HPC System Administrator, ARCHIE-WeSt.
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG 
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at gpfsug.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org
