Jarrod, thank you.

If I understood correctly, remoteshell does the following:

* Copies exactly the same host key to all the nodes. So they share the same 
keys.
* Enables passwordless SSH using RSA keys only available to root.

That’s it?

Regarding the next release, it will do something similar but with Hostbased 
Authentication by default.

Do you guys have any ETA for this updated version? Actually I’m trying to 
achieve HBA between the nodes, but I’m trying to find a use case for this 
instead of other methods: publickey authentication or SSO with Kerberos, since 
I’m already running a FreeIPA instance on the headnode.

Sorry for asking a lot of questions but I was able to find anything related to 
remoteshell and its features on http://xcat-docs.readthedocs.io and I’m trying 
to put a lot of functionality with xCAT without breaking it.

Thanks.

On 8 Oct 2019, at 17:46, Jarrod Johnson <jjohns...@lenovo.com> wrote:

You may remove it from postscripts

tabedit postscripts

You may remove remoteshell.

Our team was actually going to provide a new 'secureshell' postscript as an 
alternative to supersede with a more sane security strategy, but if you have 
another strategy that takes care of the authentication, neither would be 
required.

remoteshell tries to avoid perturbing known_hosts by persisting host key across 
install.  Which is a tricky proposition.  It also does some potentially 
undesirable changes to ssh/sshd configuration.  For the lazy, it tends to still 
create a passwordless experience for root with mitigated known_hosts 
perturbance for all.

secureshell is going to replace the key bootstrap with a more hardened 
mechanism, replace host key persistence with a managed SSH CA, and enable 
host-based authentication within a cluster if requested to enable non-root ssh 
enablement without per-user action. It would also allow enabling ssh between 
nodes as root without user key sharing (using .shosts with host 
authentication).  This is intended as a more modern and manageable 'works 
regardless of other configuration' ssh bootstrap scheme.

Neither should be required if you otherwise enable ssh to your liking.



________________________________
From: Vinícius Ferrão via xCAT-user <xcat-user@lists.sourceforge.net>
Sent: Tuesday, October 8, 2019 4:19 PM
To: xCAT Users Mailing list
Cc: Vinícius Ferrão
Subject: [External] [xcat-user] What remoteshell exactly does?

Hello,

I’m trying to add some features to an xCAT HPC Cluster but I’m having some 
issues with SSH Host Keys.

My clients are running ipa-client-install at boot time since I’ve already 
deployed a FreeIPA Server on the headnode and I want the nodes to authenticate 
on it.

After some time trying to debug issues I’ve come across this file. This file 
appears to copy some fixed host keys to compute images. But I’m not sure about 
it.

The point is: what does this script really do? Is it really necessary, since 
it’s added by default by xCAT? Can it be replaced?

Thanks,




_______________________________________________
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user
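
The thread describes remoteshell as persisting one host key across all nodes and the planned secureshell as replacing that with a managed SSH CA. The following audit sketch is an added example, not xCAT code and not part of the original messages: it reads known_hosts or ssh-keyscan style lines and reports any host key listed for more than one host entry, plus any `@cert-authority` lines. The host names, the `*.cluster` pattern and the key blobs are constructed for illustration.

```python
import base64, hashlib, struct
from collections import defaultdict

def fingerprint(b64_blob):
    """SHA256 fingerprint in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text):
    """Yield (marker, hosts, keytype, blob) for each key line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = fields.pop(0) if fields[0].startswith("@") else ""
        if len(fields) >= 3:
            yield marker, fields[0], fields[1], fields[2]

def audit(text):
    """Return (shared, cas). shared maps fingerprint -> sorted host entries for
    any key listed for more than one entry; cas lists @cert-authority lines."""
    by_key, cas = defaultdict(set), []
    for marker, hosts, keytype, blob in parse_known_hosts(text):
        if marker == "@cert-authority":
            cas.append((hosts, keytype, fingerprint(blob)))
        elif not marker:  # plain host key; @revoked lines are skipped
            by_key[fingerprint(blob)].add(hosts)
    return {fp: sorted(h) for fp, h in by_key.items() if len(h) > 1}, cas

def sample_blob(seed):
    """Constructed ssh-ed25519 public key blob, not a real host key."""
    name, key = b"ssh-ed25519", hashlib.sha256(seed).digest()
    raw = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return base64.b64encode(raw).decode()

# Constructed sample: three nodes installed with one persisted key, one host
# with its own key, and a CA line for a hypothetical *.cluster domain.
SAMPLE = "\n".join([
    "# ssh-keyscan / known_hosts format",
    f"node01,10.0.0.1 ssh-ed25519 {sample_blob(b'image')}",
    f"node02 ssh-ed25519 {sample_blob(b'image')}",
    f"node03 ssh-ed25519 {sample_blob(b'image')}",
    f"login1 ssh-ed25519 {sample_blob(b'login1')}",
    f"@cert-authority *.cluster ssh-ed25519 {sample_blob(b'ca')}",
])

if __name__ == "__main__":
    shared, cas = audit(SAMPLE)
    for fp, hosts in shared.items():
        print(f"{fp} shared by {len(hosts)} entries: {' '.join(hosts)}")
    for pattern, keytype, fp in cas:
        print(f"CA for {pattern}: {keytype} {fp}")
```

A name and an IP address recorded on separate lines for the same machine will also show up as a shared key, so review the reported entries before treating them as distinct nodes.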