Re: [xcat-user] host based authentication
Can't speak highly enough of FreeIPA and SSSD. Support is knowledgeable and excellent even at the free level (email lists, documentation). RedHat support means that integration with Active Directory is easy - if necessary. Have used it in two large and complex organisations with success that surprised and impressed me. Am in the process of migrating to it in my current role. It's the authentication and authorisation gold standard for organisations of size or complexity.

L.

On Wed, 22 Jan 2020 at 20:29, Josef Dvoracek wrote:
>
> > I’m using FreeIPA too so the hostkeys are stored on LDAP, it's
> > integrated.
>
> thanks for mentioning this. I was struggling to design simple AND secure
> hostkey deployment mechanism. Good to know freeIPA can manage this.
>
> cheers
>
> josef
>
> On 21. 01. 20 23:28, Vinícius Ferrão via xCAT-user wrote:
> ...
>
> Josef Dvoracek
> Institute of Physics | Czech Academy of Sciences
> cell: +420 608 563 558 | office: +420 266 052 669 | fzu phone nr. : 2669

--
"The urgent need now is for a working-class politics that doesn’t love work."
Cybergothic Acid Communism Now
Sarah Jaffe / @sarahljaffe
https://communemag.com/cybergothic-acid-communism-now/

___
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user

Re: [xcat-user] host based authentication
> I’m using FreeIPA too so the hostkeys are stored on LDAP, it's integrated.

thanks for mentioning this. I was struggling to design simple AND secure hostkey deployment mechanism. Good to know freeIPA can manage this.

cheers

josef

On 21. 01. 20 23:28, Vinícius Ferrão via xCAT-user wrote:
...

Josef Dvoracek
Institute of Physics | Czech Academy of Sciences
cell: +420 608 563 558 | office: +420 266 052 669 | fzu phone nr. : 2669

Re: [xcat-user] host based authentication
I have it working in place. The process is a little bit cumbersome but it’s working. I’m using FreeIPA too so the hostkeys are stored on LDAP, it's integrated.

The only issue that I have is that I needed to disable the remoteshell script from xCAT and use another one that we have created and unfortunately all the nodes share the same hostkeys.

I can describe exactly what we have done if you want, but it’s tied to FreeIPA.

> On 21 Jan 2020, at 17:51, Imam Toufique wrote:
>
> Hi,
>
> Quick question, before I jump in finding my own solution.
>
> Is there anything in xcat that would allow setting up host based
> authentication? I know root can ssh from the mgmt. node to all the nodes in
> the cluster. I am referring to user authentication , based on
> /etc/ssh/known_hosts file, where there is a list of hosts and their
> respective keys.
>
> thanks.

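Added example, not part of the original thread: the message above notes that all nodes ended up sharing the same host keys. A shared key means one node's private key identifies every node, so the check below reads a file in known_hosts format (hosts and their keys, as the original question describes) and reports keys that appear under more than one entry. The function names and the sample data are constructed for illustration.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample in known_hosts format; the key blobs are dummy base64, not real keys.
SAMPLE = """\
# cluster host keys (constructed sample)
node01,10.0.0.1 ssh-ed25519 QUFBQUtFWS1TSEFSRUQ=
node02,10.0.0.2 ssh-ed25519 QUFBQUtFWS1TSEFSRUQ= imaged from golden
node03 ssh-ed25519 QUFBQUtFWS1OT0RFMDM=
@cert-authority *.cluster ssh-ed25519 QUFBQUtFWS1DQQ==
|1|c2FsdA==|aGFzaA== ssh-ed25519 QUFBQUtFWS1TSEFSRUQ=
"""


def parse_known_hosts(text):
    """Yield (host_field, key_type, key_blob) for each plain host-key line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):
            continue  # @cert-authority / @revoked lines are not per-host keys
        if len(fields) < 3:
            continue  # malformed line
        try:
            blob = base64.b64decode(fields[2], validate=True)
        except ValueError:
            continue  # key field is not valid base64
        yield fields[0], fields[1], blob


def fingerprint(blob):
    """SHA256 fingerprint in the style printed by ssh-keygen -l."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(text):
    """Map fingerprint -> host fields, for keys listed on more than one line."""
    entries = defaultdict(list)
    for hosts, _key_type, blob in parse_known_hosts(text):
        entries[fingerprint(blob)].append(hosts)
    # One host split across several lines would also be reported; review by hand.
    return {fp: hs for fp, hs in entries.items() if len(hs) > 1}


if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE).items():
        print(f"{fp} is shared by {len(hosts)} entries: {', '.join(hosts)}")
```

Hashed host entries (the `|1|...` form) are compared by key only, so a shared key is still reported even when the host name cannot be read.
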
Re: [xcat-user] host based authentication
The known_hosts file has nothing to do with host-based authentication. It is used to verify the identity of the host when using SSH with standard user-based authentication.

I believe you are thinking of rhosts?

Generally speaking, using host-based authentication is highly discouraged for security reasons, but in an xCAT scenario it can make sense.

___
Kevin Keane | Systems Architect | University of San Diego ITS | kke...@sandiego.edu
Maher Hall, 192 | 5998 Alcalá Park | San Diego, CA 92110-2492 | 619.260.6859 | Text: 760-721-8339

REMEMBER! No one from IT at USD will ever ask to confirm or supply your password. These messages are an attempt to steal your username and password. Please do not reply to, click the links within, or open the attachments of these messages. Delete them!

On Tue, Jan 21, 2020 at 12:52 PM Imam Toufique wrote:
> Hi,
>
> Quick question, before I jump in finding my own solution.
>
> Is there anything in xcat that would allow setting up host based
> authentication? I know root can ssh from the mgmt. node to all the nodes
> in the cluster. I am referring to user authentication , based on
> /etc/ssh/known_hosts file, where there is a list of hosts and their
> respective keys.
>
> thanks.

[xcat-user] host based authentication
Hi,

Quick question, before I jump in finding my own solution.

Is there anything in xcat that would allow setting up host based authentication? I know root can ssh from the mgmt. node to all the nodes in the cluster. I am referring to user authentication, based on /etc/ssh/known_hosts file, where there is a list of hosts and their respective keys.

thanks.