Re: [xcat-user] Stateless nodes hostkeys

2019-10-11 Thread Thomas HUMMEL

On 10/11/19 6:31 PM, Thomas HUMMEL wrote:

Does a "simple" per host keys solution through sync'ing precreated (at 
nodeadd time) keys seems crazy to you ?


I mean, syncfiles is a postscript, as is remoteshell; wouldn't it be 
conceptually equivalent?


--
TH


___
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user


Re: [xcat-user] Stateless nodes hostkeys

2019-10-11 Thread Thomas HUMMEL

On 10/11/19 6:18 PM, Vinícius Ferrão via xCAT-user wrote:


Is there something else uncovered?


You're right. Besides, what I don't like in remoteshell is that I think 
it touches sshd_config on the node (which may also cause issues, as some 
directives like 'Host' have to be at the end)...


Still, I don't understand the updatenode -F / xdcp -F issue I discovered 
(as I described 2 messages above)...


Does a "simple" per host keys solution through sync'ing precreated (at 
nodeadd time) keys seems crazy to you ?


Thanks

--
TH




Re: [xcat-user] Stateless nodes hostkeys

2019-10-11 Thread Vinícius Ferrão via xCAT-user


Sent from my iPhone

> On 11 Oct 2019, at 13:10, Thomas HUMMEL  wrote:
> 
> On 10/11/19 6:02 PM, Vinícius Ferrão via xCAT-user wrote:
>> Thomas, take a look at Jarrod’s message. It’s from two days ago.
> 
> Hello,
> 
> I did. Thanks
>> All those questions are there.
>> And yes, Ross was talking about host keys. This is an issue with modern 
>> authentication. Everything is explained there.
> 
> My understanding is that for now, as secureshell is not released yet, I indeed 
> want remoteshell.

Yes. But since you’re retailoring your system you should consider the security 
implications of that.

If you want to keep per host keys without any additional infrastructure a 
mechanism should be implemented to keep the keys sane.

If you don’t care for security, which is fine depending on the case, remoteshell 
in fact does what you want, but be aware of the consequences. It’s an old script 
and can become a problem: for instance, the ed25519 host keys are always 
regenerated due to the fact that remoteshell ignores ed25519 keys.

There are a lot of ideas from Jarrod to reimplement something better. My path is 
to disable remoteshell completely and use SSSD to handle the host keys.

Whatever you choose might work but keep in mind the issues.

Is there something else uncovered?



> 
> Thanks
> 
> --
> TH
> 
> 
> 



Re: [xcat-user] Stateless nodes hostkeys

2019-10-11 Thread Thomas HUMMEL

On 10/11/19 6:02 PM, Vinícius Ferrão via xCAT-user wrote:

Thomas, take a look at Jarrod’s message. It’s from two days ago.


Hello,

I did. Thanks


All those questions are there.

And yes, Ross was talking about host keys. This is an issue with modern 
authentication. Everything is explained there.


My understanding is that for now, as secureshell is not released yet, I 
indeed want remoteshell.


Thanks

--
TH





Re: [xcat-user] Stateless nodes hostkeys

2019-10-11 Thread Vinícius Ferrão via xCAT-user
Thomas, take a look at Jarrod’s message. It’s from two days ago.

All those questions are there.

And yes, Ross was talking about host keys. This is an issue with modern 
authentication. Everything is explained there.



Sent from my iPhone

> On 11 Oct 2019, at 12:38, Thomas HUMMEL  wrote:
> 
> On 10/11/19 4:20 PM, Russ Auld wrote:
>> The postscript you want is 'remoteshell'. It will install the _same_ host 
>> keys on all nodes.
> 
> You confirm you are talking about host key, not root user ssh key, correct?
> 
>> If you bake host keys into the image, the sshd daemon will not create new 
>> keys when it starts. Since the host keys are fixed, you can create a 
>> 'ssh_known_hosts' file with entries for each node and distribute it to your 
>> login/submit/bastion hosts.
> 
> I thought about something like this.
> 
> Anyway, playing for the first time with updatenode -F / xdcp -F
> 
> I'm experiencing the following:
> 
> Simple test:
> 
> /opt/test/foobar.txt
> /opt/test/synclists/list.synclist which content is
> 
>/opt/test/foobar.txt -> /root/foobar.txt
> 
> # xdcp maestro-300 -F /opt/test/synclists/list.synclist
> Error: [maestro-xcat]: Noderange missing in command input.
> Error: [maestro-xcat]: Failed to dispatch command to any of the following 
> service nodes: ,maestro-xcat.maestro.pasteur.fr
> 
> Where maestro-xcat is my MN (I don't use SN).
> 
> What am I missing?
> 
> Thanks
> 
> --
> TH
> 
> 
> 
> 



Re: [xcat-user] Stateless nodes hostkeys

2019-10-11 Thread Thomas HUMMEL

On 10/11/19 4:20 PM, Russ Auld wrote:

The postscript you want is 'remoteshell'. It will install the _same_ host keys 
on all nodes.


You confirm you are talking about host key, not root user ssh key, correct?


If you bake host keys into the image, the sshd daemon will not create new keys 
when it starts. Since the host keys are fixed, you can create a 
'ssh_known_hosts' file with entries for each node and distribute it to your 
login/submit/bastion hosts.


I thought about something like this.

Anyway, playing for the first time with updatenode -F / xdcp -F

I'm experiencing the following:

Simple test:

/opt/test/foobar.txt
/opt/test/synclists/list.synclist which content is

/opt/test/foobar.txt -> /root/foobar.txt

# xdcp maestro-300 -F /opt/test/synclists/list.synclist
Error: [maestro-xcat]: Noderange missing in command input.
Error: [maestro-xcat]: Failed to dispatch command to any of the 
following service nodes: ,maestro-xcat.maestro.pasteur.fr


Where maestro-xcat is my MN (I don't use SN).

What am I missing?

Thanks

--
TH






Re: [xcat-user] Stateless nodes hostkeys

2019-10-11 Thread Russ Auld
The postscript you want is 'remoteshell'. It will install the _same_ host keys 
on all nodes.

If you bake host keys into the image, the sshd daemon will not create new keys 
when it starts. Since the host keys are fixed, you can create a 
'ssh_known_hosts' file with entries for each node and distribute it to your 
login/submit/bastion hosts.

There was a discussion regarding this behavior on the list recently. I 
recommend reading the message from Jarrod Johnson.



> On October 11, 2019 at 9:15 AM Thomas HUMMEL  wrote:
> 
> 
> Hello,
> 
> For an HPC cluster, using xCAT-server-2.14.6 on CentOS 7.7 x86_64, I'm 
> booting stateless nodes from a single osimage.
> 
> My question is about how to deal with the fact that their ssh hostkeys 
> change each time they boot.
> 
> Previously only the HPC "submit" node could ssh to the compute nodes so 
> we made an ssh_config file on it which would ignore the change of ssh 
> hostkeys of the computes.
> 
> Now almost anyone will be allowed to ssh to the compute nodes, thus the 
> need for those to always have the same ssh hostkey across reboots.
> 
> What is the best way to implement this?
> 
> I'm not sure about xcatconfig (and what are the keys in 
> /etc/xcat/hostkeys for).
> 
> My idea was to externally generate one host key per node on the 
> management node just after the node creation (nodeadd) and to sync them 
> using a postscript (not sure if the postscript would occur soon enough, 
> i.e. before sshd-keygen.service, though)
> 
> What do you think?
> 
> Thanks
> 
> --
> Thomas HUMMEL
> 
> 
> 


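Russ's suggestion above (host keys fixed in the image, plus an ssh_known_hosts file distributed to the login/submit/bastion hosts) and Vinícius's warning that remoteshell installs the same host key on every node both call for a check that can be run on the management node. The following Python is an added example for this thread, not xCAT code and not anything a poster shared: it fingerprints a set of per-node public keys the way `ssh-keygen -lf` does, reports any key shared by more than one node, and renders ssh_known_hosts lines, optionally with OpenSSH's HashKnownHosts name hashing. The per-node key layout, the node names other than maestro-300, the cluster.example domain and the key material are all constructed for the example; the ed25519 blobs are synthetic and are not real keys.

```python
"""Audit per-node SSH host keys and render ssh_known_hosts lines.

Added example for this thread; not xCAT code and not from any poster.
Assumed (not stated in the thread): fingerprints follow OpenSSH's SHA256 form
and hashed known_hosts names follow OpenSSH's '|1|salt|hmac-sha1' form.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os
import struct
from collections import defaultdict


def constructed_ed25519_pubkey(seed: str) -> str:
    """Return a syntactically valid ssh-ed25519 public key line built from a seed.

    Constructed test data: the 32-byte 'point' is sha256(seed), so this is NOT
    a real key pair; it only lets the example run offline without ssh-keygen.
    """
    fake_point = hashlib.sha256(seed.encode()).digest()
    # SSH wire format: uint32 length + bytes, for the key type and the point
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + fake_point
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the form printed by `ssh-keygen -lf`."""
    _keytype, b64 = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_host_keys(node_keys: dict[str, str]) -> dict[str, list[str]]:
    """Map fingerprint -> sorted node names for every key used by more than one node.

    A non-empty result is the situation the thread warns about: clients cannot
    tell the nodes apart, so a key leaked from one node impersonates all of them.
    """
    by_fp: dict[str, list[str]] = defaultdict(list)
    for node, line in sorted(node_keys.items()):
        by_fp[fingerprint(line)].append(node)
    return {fp: nodes for fp, nodes in by_fp.items() if len(nodes) > 1}


def hashed_hostname(host: str, salt: bytes | None = None) -> str:
    """Encode a hostname as an OpenSSH HashKnownHosts name ('|1|salt|mac')."""
    salt = salt if salt is not None else os.urandom(20)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def hashed_hostname_matches(entry: str, host: str) -> bool:
    """True if a '|1|salt|mac' known_hosts name was produced for `host`."""
    _empty, version, salt_b64, mac_b64 = entry.split("|")
    if version != "1":
        return False
    salt = base64.b64decode(salt_b64)
    expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(mac_b64))


def build_known_hosts(node_keys: dict[str, str], domain: str | None = None,
                      hash_names: bool = False) -> list[str]:
    """Render ssh_known_hosts lines ('name[,fqdn] keytype base64') for all nodes."""
    lines = []
    for node, line in sorted(node_keys.items()):
        keytype, b64 = line.split()[:2]
        names = [node] + ([f"{node}.{domain}"] if domain else [])
        if hash_names:
            # a hashed entry can carry only one name, so emit one line per name
            lines.extend(f"{hashed_hostname(n)} {keytype} {b64}" for n in names)
        else:
            lines.append(f"{','.join(names)} {keytype} {b64}")
    return lines


def demo() -> tuple[dict[str, list[str]], list[str]]:
    """Constructed input: three nodes, two of which (wrongly) share one key."""
    node_keys = {
        "maestro-300": constructed_ed25519_pubkey("key-A"),
        "maestro-301": constructed_ed25519_pubkey("key-B"),
        "maestro-302": constructed_ed25519_pubkey("key-B"),  # deliberate duplicate
    }
    shared = find_shared_host_keys(node_keys)
    known_hosts = build_known_hosts(node_keys, domain="cluster.example")
    return shared, known_hosts
```

On a real management node you would feed `find_shared_host_keys` the `ssh_host_*_key.pub` files collected from each node (or the per-node keys generated at nodeadd time) instead of the constructed lines; a non-empty result means the nodes cannot be told apart by their host keys. The plain (unhashed) `build_known_hosts` output is what you would ship to the login hosts, since it stays greppable; the hashed form hides node names from anyone who reads the file.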


[xcat-user] Stateless nodes hostkeys

2019-10-11 Thread Thomas HUMMEL

Hello,

For an HPC cluster, using xCAT-server-2.14.6 on CentOS 7.7 x86_64, I'm 
booting stateless nodes from a single osimage.


My question is about how to deal with the fact that their ssh hostkeys 
change each time they boot.


Previously only the HPC "submit" node could ssh to the compute nodes so 
we made an ssh_config file on it which would ignore the change of ssh 
hostkeys of the computes.


Now almost anyone will be allowed to ssh to the compute nodes, thus the 
need for those to always have the same ssh hostkey across reboots.


What is the best way to implement this?

I'm not sure about xcatconfig (and what are the keys in 
/etc/xcat/hostkeys for).


My idea was to externally generate one host key per node on the 
management node just after the node creation (nodeadd) and to sync them 
using a postscript (not sure if the postscript would occur soon enough, 
i.e. before sshd-keygen.service, though)


What do you think?

Thanks

--
Thomas HUMMEL


