SSH and NFS Help!!!! - SSH

  1. SSH and NFS Help!!!!

    Hi everyone,

    I've been trying to configure a passwordless ssh for a small Beowulf
    cluster; however, I'm running into a brick wall. What I'd like is to
    set up the system to use a single id_rsa and id_rsa.pub keypair, thus
    all slave nodes can be logged on to by the master node by user=amos.

    Machine1 -------> (Machine2,3,4..etc)

    **I've looked at a couple of tutorials and the man pages (these two
    seem to have different ways of doing the passwordless system)
    http://www.liniac.upenn.edu/sysadmin/os/ssh.html
    and
    http://www.csua.berkeley.edu/~ranga/...sh_nopass.html
    Any advice on which is best/works?

    Details of my system:
    1) All nodes NFS mount the head node user account /home/amos and
    therefore share the same ~/.ssh directory
    2) I'm using OpenSSH v.3.8
    3) The whole cluster is a standalone (I need ssh to run the java MPI
    wrapper MPJ) so I'm not too concerned about security!

    Problems:
    1) I take it I should create a new key (ssh-keygen -t rsa) for the
    server (slave), and then pass these keys to the client machine (Master)
    - but since all accounts mount the same home/amos/.ssh directory this
    isn't necessary.
    The main problem I've found is no matter what I do the system always
    reverts to the keys from "/etc/ssh/ssh_host_rsa_keys.pub" - even if I
    delete these files!! they just appear back.

    This is driving me bananas as I can't find out anywhere why; the only
    clue I could glean was that ssh checks the new key against the last one
    it used to prevent man-in-the-middle attacks... (all Greek to me).

    Apologies for the rather verbose post, but I'd really appreciate some
    help on this,

    Thanks in advance, Amos


  2. Re: SSH and NFS Help!!!!

    >>>>> "AF" == amosfolarin78 writes:

    AF> home/amos/.ssh directory this isn't necessary. The main problem
    AF> I've found is no matter what I do the system always reverts to the
    AF> keys from "/etc/ssh/ssh_host_rsa_keys.pub" - even if I delete
    AF> these files!! they just appear back.

    You are confused -- you should not touch these keys, as they have nothing
    to do with what you're trying to set up, client authentication. They are
    for server authentication.

    Before you spend more time on this, have you considered hostbased
    authentication? It seems a better fit.

    --
    Richard Silverman
    res@qoxp.net


  3. Re: SSH and NFS Help!!!!

    wrote:
    >I've been trying to configure a passwordless ssh for a small Beowulf
    >cluster; however, I'm running into a brick wall. What I'd like is to
    >set up the system to use a single id_rsa and id_rsa.pub keypair, thus
    >all slave nodes can be logged on to by the master node by user=amos.


    >Machine1 -------> (Machine2,3,4..etc)


    Ok, so machine1 needs an identity file whose public key is in the
    authorized_keys of machine2-machineN. It may be easiest to just have ALL
    machines with the same identity and authorized_keys, so that any machine can
    login to any other.

    It's also worth looking at securing the keys with a passphrase and using
    ssh-agent to forward them around.

    >Details of my system:
    >1) All nodes NFS mount the head node user account /home/amos and
    >therefore share the same ~/.ssh directory


    Ok, then it's definitely easier to have all use the same identity and
    authorized_keys files. This also makes testing easy, as you can just test
    with "ssh -v localhost" to see what's going on.

    >1) My take it I should create a new key (ssh-keygen -t rsa) for the
    >server (slave), and then pass these keys to the client machine (Master)
    >- but since all accounts mount the same home/amos/.ssh directory this
    >isn't necessary.


    Yup, you can "pass" the key just by putting it in identity and
    authorized_keys, nfs will distribute it for you.

    >The main problem I've found is no matter what I do the system always
    >reverts to the keys from "/etc/ssh/ssh_host_rsa_keys.pub" - even if I
    >delete these files!! they just appear back.


    Those have nothing to do with user authentication, they're for server
    authentication to the client.

    >This is driving me bananas as I can't find out anywhere why; the only
    >clue I could glean was that ssh checks the new key against the last one
    >it used to prevent man-in-the-middle attacks... (all Greek to me).


    You'll get a warning when the server key changes from last time you connected,
    to help detect the situation where someone redirects your network connection
    to an impostor server. But this has nothing to do with your user's keys or
    authentication.
    --
    Mark Rafn dagon@dagon.net

  4. Re: SSH and NFS Help!!!!

    RS> Before you spend more time on this, have you considered hostbased
    RS> authentication? It seems a better fit.

    I will try it instead (there is a tutorial here:
    http://www.omega.telia.net/vici/openssh/ )

    Just as a point of curiosity (having already spent like a gazillion
    hours on this) - all the howtos seem to give a fairly consistent line
    wrt setting up a passwordless ssh along the lines of this (in fact this
    was the advice given to me):

    0. "rm -r .ssh" directories on Machine Master and Machine 1
    1. Create keys "ssh-keygen -t rsa" on Machine Master (accept defaults,
       and don't enter passphrase)
    2. Create keys "ssh-keygen -t rsa" on Machine 1 (the lazy way to create
       .ssh directory)
    3a. copy id_rsa.pub to authorized_keys2 (if authorized_keys2 doesn't
        exist create it) file on Machine 1.
    3b. open up authorized_keys2 file in pico and make sure the public key
        is all one line long
    4. chmod 600 (or try 644) authorized_keys2 file.
    5. ssh in "ssh machine1@123.123.123.123"
    6. accept RSA fingerprint of machine 1, ---this is what should go into
       know_host(2) file

    Why-o-why when I try this does the "/etc/ssh/ssh_host_rsa_keys.pub"
    keep on being used??? I.e. after I ssh from
    [client -------> server] it is this key that is added to the
    "known_hosts" - not the new one I created.
    Surely there must be some provision to replace a key with a new one
    (e.g. say the system's keys became compromised)?


  5. Re: SSH and NFS Help!!!!

    >>>>> "AF" == amosfolarin78 writes:

    RS> Before you spend more time on this, have you considered hostbased
    RS> authentication? It seems a better fit.

    AF> I will try it instead ( there is a tutorial here
    AF> http://www.omega.telia.net/vici/openssh/ )

    Also: http://www.snailbook.com/faq/trusted...owto.auto.html

    AF> Why-o-why when I try this does the
    AF> "/etc/ssh/ssh_host_rsa_keys.pub" keep on being used???

    This and the known_hosts files are part of server authentication, which
    has nothing to do with client authentication and happens on every
    connection and before client authentication.

    --
    Richard Silverman
    res@qoxp.net


  6. Re: SSH and NFS Help!!!!

    MR>Yup, you can "pass" the key just by putting it in identity and
    MR>authorized_keys, nfs will distribute it for you.

    When you say NFS will redistribute the "authorized_keys" file - do I
    need to put multiple copies of the same key into the "authorized_keys"
    file? I ask this because the keys have the hostname (on which the key
    was created) appended to the end of the "id_rsa.pub" key??


  7. Re: SSH and NFS Help!!!!

    On 2005-12-01, amosfolarin78@hotmail.com wrote:

    > When you say NFS will redistribute the "authorized_keys" file - do I
    > need to put multiple copies of the same key into the "authorized_keys"
    > file? I ask this because the keys have the hostname (on which the key
    > was created) appended to the end of the "id_rsa.pub" key??


    No - if this is the key format I think it is that's a comment.

    Of course NFS (if used insecurely - as usual) robs you of the
    security of SSH by allowing other people to add to your
    "authorized_keys" file.

    --
    Elvis Notargiacomo master AT barefaced DOT cheek
    http://www.notatla.org.uk/goen/
    Powergen write "Why not stay with us" - let me count the ways!
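
Added example, not part of any post in the thread: the points made in replies 5 and 7 as a shell check. It shows that known_hosts holds the server's host key while authorized_keys holds user keys, that the trailing hostname on a key line is only a comment, and how to spot entries someone else appended to a shared authorized_keys. All function names, file contents and key strings are constructed, and the parser assumes no key-type token appears inside a quoted option.

```shell
#!/bin/sh
# Added example; every key and host name below is constructed.

# Print "type blob" for each key line of FILE (public key, authorized_keys or
# known_hosts layout). Leading options/host names and the trailing comment
# are dropped: only type and blob identify a key.
key_blobs() {
    awk '/^[ \t]*#/ { next }
         { for (i = 1; i < NF; i++)
               if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+)$/) {
                   print $i, $(i + 1); next } }' "$1"
}

# Which trust file holds the key in PUB? "host" = known_hosts (server
# authentication), "user" = authorized_keys (client authentication).
key_role() {    # key_role PUB KNOWN_HOSTS AUTHORIZED_KEYS
    blob=$(key_blobs "$1" | head -n 1)
    role=""
    if key_blobs "$2" | grep -qxF -- "$blob"; then role="host"; fi
    if key_blobs "$3" | grep -qxF -- "$blob"; then role="${role:+$role+}user"; fi
    echo "${role:-none}"
}

# Print authorized_keys entries matching none of the expected public keys,
# e.g. keys appended by someone else with write access to the NFS export.
unexpected_keys() {    # unexpected_keys AUTHORIZED_KEYS EXPECTED_PUB...
    auth=$1; shift
    expected=$(for pub in "$@"; do key_blobs "$pub"; done)
    key_blobs "$auth" | sort -u | grep -vxF -- "$expected" || true
}

# Write constructed sample files into DIR.
make_sample() {
    echo 'ssh-rsa AAAAB3UserKeyConstructed amos@machine1' > "$1/id_rsa.pub"
    echo 'ssh-rsa AAAAB3HostKeyConstructed' > "$1/ssh_host_rsa_key.pub"
    echo 'machine2,10.0.0.2 ssh-rsa AAAAB3HostKeyConstructed' > "$1/known_hosts"
    printf '%s\n' '# shared over NFS' \
        'ssh-rsa AAAAB3UserKeyConstructed amos@machine1' \
        'ssh-rsa AAAAB3UserKeyConstructed amos@machine2' \
        'from="10.0.0.9" ssh-rsa AAAAB3OtherKeyConstructed someone@elsewhere' \
        > "$1/authorized_keys"
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_sample "$d"
    key_role "$d/id_rsa.pub" "$d/known_hosts" "$d/authorized_keys"
    key_role "$d/ssh_host_rsa_key.pub" "$d/known_hosts" "$d/authorized_keys"
    unexpected_keys "$d/authorized_keys" "$d/id_rsa.pub"
    rm -rf "$d"
fi
```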

  8. Re: SSH and NFS Help!!!!


    "all mail refused" wrote in message
    news:slrndotra2.k3g.elvis-45187@notatla.org.uk...
    > On 2005-12-01, amosfolarin78@hotmail.com wrote:
    >
    >> When you say NFS will redistribute the "authorized_keys" file - do I
    >> need to put multiple copies of the same key into the "authorized_keys"
    >> file? I ask this because the keys have the hostname (on which the key
    >> was created) appended to the end of the "id_rsa.pub" key??
    >
    > No - if this is the key format I think it is that's a comment.
    >
    > Of course NFS (if used insecurely - as usual) robs you of the
    > security of SSH by allowing other people to add to your
    > "authorized_keys" file.


    It's a problem. The bigger problem of NFS and other unsecured file-sharing
    systems is the ability to nab your private SSH keys from their default
    locations in ~/.ssh/.
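
Added example, not part of any post in the thread: an audit of a shared ~/.ssh directory for the exposures raised in replies 3, 7 and 8, namely private keys stored without a passphrase, private keys with group/other permission bits, and files or directories others may write. Function names and the sample directory are constructed, the "keys" are truncated stubs rather than real key material, and GNU-style `base64 -d` and `head -c` are assumed.

```shell
#!/bin/sh
# Added example; the sample directory and "keys" below are constructed stubs.

# Exit 0 if private key FILE is passphrase-protected.
key_is_encrypted() {
    case $(head -n 1 "$1") in
    *"BEGIN OPENSSH PRIVATE KEY"*)
        # openssh-key-v1 body: 15-byte magic, 4-byte length, then cipher name
        # ("none" when the key is stored unencrypted).
        cipher=$(sed '/^-----/d' "$1" | tr -d '\r\n' | cut -c1-32 |
                 base64 -d 2>/dev/null | tail -c +20 | head -c 4)
        [ -n "$cipher" ] && [ "$cipher" != "none" ] ;;
    *"BEGIN ENCRYPTED PRIVATE KEY"*) return 0 ;;
    *) grep -q '^Proc-Type: 4,ENCRYPTED' "$1" ;;   # legacy PEM, as in OpenSSH 3.8
    esac
}

# One finding per line for DIR (normally ~/.ssh):
#   EXPOSED        private key with any group/other permission bit set
#   NO-PASSPHRASE  private key stored unencrypted
#   WRITABLE       directory or other file that group/other may write
audit_ssh_dir() {
    for p in "$1" "$1"/*; do
        [ -e "$p" ] || continue
        bits=$(ls -ldL "$p" | cut -c5-10)      # group and other rwx flags
        if [ -f "$p" ] && head -n 1 "$p" | grep -q 'PRIVATE KEY-----'; then
            [ "$bits" = "------" ] || echo "EXPOSED $p"
            key_is_encrypted "$p" || echo "NO-PASSPHRASE $p"
        else
            case $bits in ?w????|????w?) echo "WRITABLE $p" ;; esac
        fi
    done
}

# Build a constructed ~/.ssh look-alike in DIR.
make_sample_dir() {
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAAB' \
        '-----END OPENSSH PRIVATE KEY-----' > "$1/id_ed25519"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00' '' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' > "$1/id_rsa"
    echo 'ssh-rsa AAAAB3Constructed amos@machine1' > "$1/authorized_keys"
    chmod 644 "$1/id_ed25519"; chmod 600 "$1/id_rsa"
    chmod 666 "$1/authorized_keys"; chmod 700 "$1"
}
```

On an export that uses AUTH_SYS the NFS server takes the UID from the client, so mode bits only hold against hosts the server trusts; the NO-PASSPHRASE finding is the one that still matters when a key file is copied.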


