Hi Jonathan, Yes, we have dedicated personal admins accounts. But they're also centrally configured on AD. The problem stays the same.
We don't have an EMS for those nodes. Our CES nodes are in a storage-less cluster (the storage is accessed via remote-cluster mount) and we install them via our puppet-based infrastructure. Thanks for the suggestion of using pam_krb5. I'm not a big fan since RHEL discontinued it in favour of SSSD, but I'll check it out. Regards, Ivano __________________________________________ Paul Scherrer Institut Ivano Talamo OBBA/230 Forschungsstrasse 111 5232 Villigen PSI Schweiz Phone: +41 56 310 47 11 E-Mail: [email protected] Available: Monday - Wednesday ________________________________ From: gpfsug-discuss <[email protected]> on behalf of Jonathan Buzzard <[email protected]> Sent: 23 July 2024 13:29 To: [email protected] <[email protected]>; [email protected] <[email protected]> Subject: Re: [gpfsug-discuss] ssh authentication on CES nodes On Tue, 2024-07-23 at 10:11 +0000, Paul Ward wrote: > Hi Ivano, > > I am curious about this line of your message: > “For us that's quite annoying, since we can't login with our > personal/central accounts and then sudo.” > > We only allow administrator access to the GPFS cluster via the EMS > nodes. We will be restricting them to MFA based access. > We then navigate to all other nodes from one of them. > > My guess would be that administrators log onto the cluster using their personal/central accounts and then use sudo to issue administrative commands. This creates a log of who issued what commands at what time. Useful when you have more than one administrator and provides a level of tracking. Though personally I think using your "personal" everyday account for this is suboptimal. Best practice would suggest have a separate personal administrator account. So for example in a previous life my normal everyday account was njab14 no different than anyone else's account, but my I had a separate account administrator account was sjab14. That could do things like sudo had rights in the AD etc. etc. You can also do things like create groups of users that can log onto things that normal users cant. JAB. -- Jonathan A. Buzzard Tel: +44141-5483420 HPC System Administrator, ARCHIE-WeSt. University of Strathclyde, John Anderson Building, Glasgow. G4 0NG _______________________________________________ gpfsug-discuss mailing list gpfsug-discuss at gpfsug.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org
_______________________________________________ gpfsug-discuss mailing list gpfsug-discuss at gpfsug.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org
