Re: [OMPI users] password-less ssh

2010-02-22 Thread Jeff Squyres
I took a few of the points from this thread and updated the rsh faq entry (I 
almost fell out of my chair when I saw "lamboot" and "recon" still listed in 
that entry -- yoinks!).  More updates would be greatly appreciated; could you 
send a diff against:

http://svn.open-mpi.org/svn/ompi-www/trunk/faq/rsh.inc



On Feb 20, 2010, at 6:14 PM, Mark Hahn wrote:

> > Okay, yes, setting SSH_AUTH_SOCK is the right thing to do, but this strikes
> > me as clumsy.
> 
> normally, you should run ssh-agent only on the machine where you sit.
> it operates until you log out (you can also tell it to discard keys).
> ssh-agent is normally part of your X startup sequence, so that all
> terminals/etc inherit SSH_AUTH_SOCK and can do agent-based operations.
> 
> > I'm trying to understand how things should be set up so that I
> > don't have to take special action each time I log in.  Do I do some
> > .login/.logout magic?
> 
> no, that would be very clumsy.
> 
> > Or, why not just go without a DSA passphrase?  The passphrase only protects
> > me from root, before whom I am rather powerless anyhow.
> 
> unencrypted keys are the moral equivalent of putting your password
> into a file, in the clear.  anyone who gains access to the file _owns_
> your accounts.
> 
> > Also, the OMPI FAQ says authorized_keys should have 644 protection.  Out on
> > the web, it appears people advise 600, which doesn't make sense to me since
> > it just has public keys in it anyhow.  (My head is starting to spin.)
> 
> it shouldn't be 644, since there's no reason for unrelated users to know
> what keys permit login to your account.  the answer is also wrong about
> permissions for home and .ssh directories: there's no ssh reason for
> either to be readable by group or other.  what ssh is most picky about
> is that it doesn't want ~, .ssh or .ssh/authorized_keys to be writable,
> even by group.  that is, no one but the user should be able to alter
> what keys permit login.  but I can't think of any reason to permit
> anyone, even in your group, to read .ssh, either.
> 
> >>> This is with regards to http://www.open-mpi.org/faq/?category=rsh#ssh-keys
> 
> this page is not wonderful.
> 
> a pretty common structure for clusters is that both login and compute nodes
> are in the same administrative domain.  that is, the same definition of valid
> users, shared home directory, etc.  as such, the most robust, least-effort
> use of ssh is to make the compute nodes trust (via hostbased shosts.equiv)
> the login nodes.
> 
> >>> Also, it appears that I do *NOT* have an ssh-agent running automatically
> >>> for me.  How often do I have to start one up?  It appears that if I start
> 
> many desktop distros will start ssh-agent automatically - for instance,
> .Xclients might do
>   exec ssh-agent startkde
> (this means that X starts ssh-agent as a parent to your window manager,
> the main point of which is that the WM and all the apps it starts will
> inherit your SSH_AUTH_SOCK setting.  you'll want to run ssh-add as well
> to actually provide the agent with keys.  when you logout, the agent
> goes away as it should.)
> 
> >>> one up and log out and then log back in again, the old ssh-agent is still
> 
> ssh-agent should run on your desktop, since you fundamentally must trust
> the machine you sit at.  you should avoid starting a remote ssh-agent
> (and should avoid agent forwarding if possible.)
> 
> >>> there but not usable.  I have to start up a new one.  So, do I have to
> >>> start an ssh-agent each time I log in?
> >>>
> >>> Or, I could use no DSA passphrase, but that seems to be frowned upon.
> 
> it's just hazardous.  if the unencrypted private key file never leaves
> your desktop, it's not entirely stupid, but putting an unencrypted priv key
> on a remote machine or fileserver is just asking to be owned.  (though it is
> useful to note that the authorized_keys file format can express some pretty
> powerful restrictions on how the key can be used - only from certain hosts,
> only to do a certain command, etc.)
> 
> regards, mark hahn.
> ___
> users mailing list
> us...@open-mpi.org
> http://www.open-mpi.org/mailman/listinfo.cgi/users
> 


-- 
Jeff Squyres
jsquy...@cisco.com
For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/




Re: [OMPI users] password-less ssh

2010-02-21 Thread Eugene Loh

Mark Hahn wrote:

> > This is with regards to
> > http://www.open-mpi.org/faq/?category=rsh#ssh-keys
>
> this page is not wonderful.


Hmm, okay, so a non-technical question here:  Would you be willing to 
rewrite it?  It has to pass the dummy test, though.


I make two offers:

1)  I'm willing to put back the changes if you're not familiar with how 
to modify the FAQ.


2)  I'm willing to put your changes to the dummy test.  Specifically, 
I'll be the dummy.


Re: [OMPI users] password-less ssh

2010-02-20 Thread Mark Hahn
> Okay, yes, setting SSH_AUTH_SOCK is the right thing to do, but this strikes
> me as clumsy.

normally, you should run ssh-agent only on the machine where you sit.
it operates until you log out (you can also tell it to discard keys).
ssh-agent is normally part of your X startup sequence, so that all
terminals/etc inherit SSH_AUTH_SOCK and can do agent-based operations.

> I'm trying to understand how things should be set up so that I
> don't have to take special action each time I log in.  Do I do some
> .login/.logout magic?

no, that would be very clumsy.

> Or, why not just go without a DSA passphrase?  The passphrase only protects
> me from root, before whom I am rather powerless anyhow.

unencrypted keys are the moral equivalent of putting your password
into a file, in the clear.  anyone who gains access to the file _owns_
your accounts.

> Also, the OMPI FAQ says authorized_keys should have 644 protection.  Out on
> the web, it appears people advise 600, which doesn't make sense to me since
> it just has public keys in it anyhow.  (My head is starting to spin.)

it shouldn't be 644, since there's no reason for unrelated users to know
what keys permit login to your account.  the answer is also wrong about
permissions for home and .ssh directories: there's no ssh reason for
either to be readable by group or other.  what ssh is most picky about
is that it doesn't want ~, .ssh or .ssh/authorized_keys to be writable,
even by group.  that is, no one but the user should be able to alter
what keys permit login.  but I can't think of any reason to permit
anyone, even in your group, to read .ssh, either.

>>> This is with regards to http://www.open-mpi.org/faq/?category=rsh#ssh-keys

this page is not wonderful.

a pretty common structure for clusters is that both login and compute nodes
are in the same administrative domain.  that is, the same definition of valid
users, shared home directory, etc.  as such, the most robust, least-effort
use of ssh is to make the compute nodes trust (via hostbased shosts.equiv)
the login nodes.

>>> Also, it appears that I do *NOT* have an ssh-agent running automatically
>>> for me.  How often do I have to start one up?  It appears that if I start

many desktop distros will start ssh-agent automatically - for instance,
.Xclients might do
  exec ssh-agent startkde
(this means that X starts ssh-agent as a parent to your window manager,
the main point of which is that the WM and all the apps it starts will
inherit your SSH_AUTH_SOCK setting.  you'll want to run ssh-add as well
to actually provide the agent with keys.  when you log out, the agent
goes away as it should.)

>>> one up and log out and then log back in again, the old ssh-agent is still

ssh-agent should run on your desktop, since you fundamentally must trust
the machine you sit at.  you should avoid starting a remote ssh-agent
(and should avoid agent forwarding if possible.)

>>> there but not usable.  I have to start up a new one.  So, do I have to
>>> start an ssh-agent each time I log in?
>>>
>>> Or, I could use no DSA passphrase, but that seems to be frowned upon.

it's just hazardous.  if the unencrypted private key file never leaves
your desktop, it's not entirely stupid, but putting an unencrypted priv key
on a remote machine or fileserver is just asking to be owned.  (though it is
useful to note that the authorized_keys file format can express some pretty
powerful restrictions on how the key can be used - only from certain hosts,
only to do a certain command, etc.)

regards, mark hahn.
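
Mark's permission rules as a runnable check (an added example, not code from the Open MPI FAQ or from anyone in the thread): it flags any of ~, ~/.ssh and ~/.ssh/authorized_keys that is writable by group or other, and ~/.ssh or authorized_keys that is readable by group or other. The function names are my own.

```shell
#!/bin/sh
# Audit the ssh-related permissions discussed in the thread (added example,
# not code from the Open MPI FAQ): ~, ~/.ssh and ~/.ssh/authorized_keys must
# not be writable by group or other (sshd rejects them under its default
# StrictModes), and ~/.ssh plus authorized_keys should not be readable by
# group or other either.

# 10-character mode string of a path, e.g. "drwx------" (portable via ls).
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# 0 if the group and other triplets (chars 5-10) contain no write bit.
no_go_write() {
    case "$(printf '%s' "$1" | cut -c5-10)" in *w*) return 1 ;; esac
}

# 0 if the group and other triplets contain no read bit.
no_go_read() {
    case "$(printf '%s' "$1" | cut -c5-10)" in *r*) return 1 ;; esac
}

# Audit one home directory: findings go to stderr, the finding count to stdout.
audit_ssh_dir() {
    home="$1" n=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue          # a missing authorized_keys is fine
        m=$(mode_of "$p")
        no_go_write "$m" || { echo "writable by group/other: $p ($m)" >&2; n=$((n+1)); }
    done
    for p in "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        m=$(mode_of "$p")
        no_go_read "$m" || { echo "readable by group/other: $p ($m)" >&2; n=$((n+1)); }
    done
    echo "$n"
}

# Example run against your own home directory (findings appear on stderr):
# audit_ssh_dir "$HOME"
```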


Re: [OMPI users] password-less ssh

2010-02-19 Thread Reuti

Hi,

On 20.02.2010 at 00:11, Eugene Loh wrote:

> Okay, yes, setting SSH_AUTH_SOCK is the right thing to do, but this
> strikes me as clumsy.  I'm trying to understand how things should
> be set up so that I don't have to take special action each time I
> log in.  Do I do some .login/.logout magic?
>
> Or, why not just go without a DSA passphrase?  The passphrase only
> protects me from root, before whom I am rather powerless anyhow.


You mean that root could use your ssh key? When you have an agent
running, root can hijack the created socket in /tmp. You can find a
good explanation here:


http://unixwiz.net/techtips/ssh-agent-forwarding.html

KDE and Gnome start the agent automatically once you use ssh-add
(sometimes the graphical ssh-askpass is missing and must be
installed). I have a small script somewhere to recover a saved agent
configuration once it has been started, even for non-graphical
sessions. I'll post it later.


But there is more to discuss. Some even suggest encrypting the ~/.ssh/
known_hosts file, so that no one would know where you used to log in
once they had intruded into your account. But most likely it's in the bash
history anyway, so a HISTIGNORE="ssh*:scp*" would be necessary
in bash. And as a next step, any convenient setting in ~/.ssh/config
can't be used to abbreviate the logins... But it's good to use a
passphrase anyway, although it can be cracked locally by an attempt
to change it with `ssh-keygen -y` - no delay from a failed login attempt,
so it could be really fast...



I also suggest following the complete thread starting with:

http://ftp.beowulf.org/archive/2009-September/026424.html

from

http://ftp.beowulf.org/archive/2009-September/thread.html

which ended in using hostbased authentication inside a cluster.


> Also, the OMPI FAQ says authorized_keys should have 644
> protection.  Out on the web, it appears people advise 600, which
> doesn't make sense to me since it just has public keys in it
> anyhow.  (My head is starting to spin.)


Correct, 644 is fine.

-- Reuti



> Kenneth Yoshimoto wrote:
>
> > After you start up ssh-agent once, check env for SSH_AUTH_SOCK
> >
> > If you start a new session and the old ssh-agent is still running,
> > try setting SSH_AUTH_SOCK.
> >
> > I think there are more refined utilities out there to handle this
> > situation...
> >
> > On Fri, 19 Feb 2010, Eugene Loh wrote:
> >
> > > Date: Fri, 19 Feb 2010 13:19:13 -0800
> > > From: Eugene Loh <eugene@sun.com>
> > > Reply-To: Open MPI Users <us...@open-mpi.org>
> > > To: Open MPI Users <us...@open-mpi.org>
> > > Subject: [OMPI users] password-less ssh
> > >
> > > This is with regards to http://www.open-mpi.org/faq/?category=rsh#ssh-keys
> > >
> > > It says to check if you have an ssh-agent running.  How are you
> > > supposed to do that?  I've tried "ps -u myusername | grep ssh-agent",
> > > but didn't know if that's the proper thing to do.
> > >
> > > Also, it appears that I do *NOT* have an ssh-agent running
> > > automatically for me.  How often do I have to start one up?  It
> > > appears that if I start one up and log out and then log back in
> > > again, the old ssh-agent is still there but not usable.  I have
> > > to start up a new one.  So, do I have to start an ssh-agent each
> > > time I log in?
> > >
> > > Or, I could use no DSA passphrase, but that seems to be frowned
> > > upon.








Re: [OMPI users] password-less ssh

2010-02-19 Thread Eugene Loh
Okay, yes, setting SSH_AUTH_SOCK is the right thing to do, but this 
strikes me as clumsy.  I'm trying to understand how things should be set 
up so that I don't have to take special action each time I log in.  Do I 
do some .login/.logout magic?


Or, why not just go without a DSA passphrase?  The passphrase only 
protects me from root, before whom I am rather powerless anyhow.


Also, the OMPI FAQ says authorized_keys should have 644 protection.  Out 
on the web, it appears people advise 600, which doesn't make sense to me 
since it just has public keys in it anyhow.  (My head is starting to spin.)


Kenneth Yoshimoto wrote:

> After you start up ssh-agent once, check env for SSH_AUTH_SOCK
>
> If you start a new session and the old ssh-agent is still running, try
> setting SSH_AUTH_SOCK.
>
> I think there are more refined utilities out there to handle this
> situation...
>
> On Fri, 19 Feb 2010, Eugene Loh wrote:
>
> > Date: Fri, 19 Feb 2010 13:19:13 -0800
> > From: Eugene Loh <eugene@sun.com>
> > Reply-To: Open MPI Users <us...@open-mpi.org>
> > To: Open MPI Users <us...@open-mpi.org>
> > Subject: [OMPI users] password-less ssh
> >
> > This is with regards to
> > http://www.open-mpi.org/faq/?category=rsh#ssh-keys
> >
> > It says to check if you have an ssh-agent running.  How are you
> > supposed to do that?  I've tried "ps -u myusername | grep ssh-agent",
> > but didn't know if that's the proper thing to do.
> >
> > Also, it appears that I do *NOT* have an ssh-agent running
> > automatically for me.  How often do I have to start one up?  It
> > appears that if I start one up and log out and then log back in
> > again, the old ssh-agent is still there but not usable.  I have to
> > start up a new one.  So, do I have to start an ssh-agent each time I
> > log in?
> >
> > Or, I could use no DSA passphrase, but that seems to be frowned upon.






Re: [OMPI users] password-less ssh

2010-02-19 Thread Kenneth Yoshimoto


After you start up ssh-agent once, check env for
SSH_AUTH_SOCK

If you start a new session and the old ssh-agent is still running,
try setting SSH_AUTH_SOCK.

I think there are more refined utilities out there to handle this
situation...

Kenneth

On Fri, 19 Feb 2010, Eugene Loh wrote:

> Date: Fri, 19 Feb 2010 13:19:13 -0800
> From: Eugene Loh <eugene@sun.com>
> Reply-To: Open MPI Users <us...@open-mpi.org>
> To: Open MPI Users <us...@open-mpi.org>
> Subject: [OMPI users] password-less ssh
>
> This is with regards to http://www.open-mpi.org/faq/?category=rsh#ssh-keys
>
> It says to check if you have an ssh-agent running.  How are you supposed to
> do that?  I've tried "ps -u myusername | grep ssh-agent", but didn't know if
> that's the proper thing to do.
>
> Also, it appears that I do *NOT* have an ssh-agent running automatically for
> me.  How often do I have to start one up?  It appears that if I start one up
> and log out and then log back in again, the old ssh-agent is still there but
> not usable.  I have to start up a new one.  So, do I have to start an
> ssh-agent each time I log in?
>
> Or, I could use no DSA passphrase, but that seems to be frowned upon.
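
One way to keep a single agent across logins, in the spirit of Kenneth's "set SSH_AUTH_SOCK" suggestion and Reuti's mention of a script that recovers a saved agent configuration (an added example, not Reuti's script or anything from the Open MPI FAQ). The ~/.ssh/agent.env filename and the function names are assumptions; the saved socket is reused only if it still exists, is a socket, and is owned by the current user.

```shell
#!/bin/sh
# Reuse one ssh-agent across login sessions instead of starting a new one
# each time (added example; the agent.env filename is an assumption).
# "ssh-agent -s" prints "SSH_AUTH_SOCK=...; export SSH_AUTH_SOCK;" lines,
# which we keep in a 0600 file and source again in later sessions.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# 0 if $1 looks like a usable agent socket: it exists, is a socket, and
# belongs to the current user (so we never hand key operations elsewhere).
agent_socket_usable() {
    [ -S "$1" ] && [ -O "$1" ]
}

# Extract the socket path from a saved "ssh-agent -s" output file.
saved_agent_sock() {
    sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$1" 2>/dev/null | head -n 1
}

# Source the saved agent environment if its socket is still usable;
# otherwise start a fresh agent, save its environment (mode 0600 via the
# umask), and source that. Returns 0 when SSH_AUTH_SOCK points at a usable
# socket afterwards.
load_or_start_agent() {
    sock=$(saved_agent_sock "$AGENT_ENV")
    if [ -n "$sock" ] && agent_socket_usable "$sock"; then
        . "$AGENT_ENV" >/dev/null
    else
        ( umask 077; ssh-agent -s > "$AGENT_ENV" ) || return 1
        . "$AGENT_ENV" >/dev/null
    fi
    agent_socket_usable "$SSH_AUTH_SOCK"
}

# Typical use from a login shell's startup file:
# load_or_start_agent && ssh-add -l >/dev/null 2>&1 || ssh-add
```

ssh-add -l exits 2 when it cannot reach the agent and 1 when the agent is reachable but holds no keys, which is how a startup file can tell a stale socket from an empty agent.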



[OMPI users] password-less ssh

2010-02-19 Thread Eugene Loh

This is with regards to http://www.open-mpi.org/faq/?category=rsh#ssh-keys

It says to check if you have an ssh-agent running.  How are you supposed 
to do that?  I've tried "ps -u myusername | grep ssh-agent", but didn't 
know if that's the proper thing to do.


Also, it appears that I do *NOT* have an ssh-agent running automatically 
for me.  How often do I have to start one up?  It appears that if I 
start one up and log out and then log back in again, the old ssh-agent 
is still there but not usable.  I have to start up a new one.  So, do I 
have to start an ssh-agent each time I log in?


Or, I could use no DSA passphrase, but that seems to be frowned upon.