Gladly! User based security means that you need to enter a user password
or something similar like kerberos keys or SSH keys to authenticate with
a different hosts. In every place I've worked, passwordless ssh keys
were forbidden, so even if using SSH keys, that ssh key would need to be
unlocked with with the password the first time it's used. In this
scenario, if a user account is compromised on one system, the damage is
limited to that system.
With host-based security, all the hosts in the trusted group allow users
to go from one machine to the other without using a password. In this
case, if a user account is compromised on one system, then that user
account now compromised on *every* system in the trusted group.
Does that make sense?
There's a reason why host-based authentication is not the default
behavior in SSH.
Prentice
On 6/9/20 3:34 PM, Ole Holm Nielsen wrote:
Hi Prentice,
Could you kindly elaborate on this statement? Is host-based security
safe inside a compute cluster compared to user-based SSH keys?
Thanks,
Ole
On 09-06-2020 21:26, Prentice Bisbal wrote:
Host-based security is not considered as safe as user-based security,
so should only be used in special cases.
On 6/9/20 11:45 AM, Michael Jennings wrote:
On Tuesday, 09 June 2020, at 12:43:34 (+0200),
Ole Holm Nielsen wrote:
in which case you need to set up SSH authorized_keys files for such
users.
I'll admit that I didn't know about this until I came to LANL, but
there's actually a much better alternative than having to create user
key pairs and manage users' ~/.ssh/authorized_keys files: Host-based
Authentication.
Setting "HostbasedAuthentication yes" and configuring it properly on
all the cluster hosts allows a cryptographically-secured equivalent of
what used to be known as RHosts-style Authentication using ~/.rhosts
and /etc/hosts.equiv. Essentially, it allows host-key-authenticated
systems to recognize each other, and once that completes successfully,
the target host trusts the source host to accurately introduce the
user who's logging in.
Once you have host-based authentication working, users can SSH around
inside your cluster seamlessly (subject to additional restrictions, of
course, like access.conf or pam_slurm_adopt) without needing hackish
extra utilities to create and manage cluster-specific passphraseless
key pairs for every single user! :-)
There's a great cookbook online that tells you step-by-step how to set
it up:
https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Host-based_Authentication
--
Prentice Bisbal
Lead Software Engineer
Research Computing
Princeton Plasma Physics Laboratory
http://www.pppl.gov
