rlogin on a Beowulf

[Armitage]

So I haven't had an opportunity to work on our cluster for several months. It turns out that our admin guy has been busy in that time :disgust: He appears to have turned of 'r' services ... rlogin, and more importantly rsh, between the server and the nodes :Q

Now, I'm sure there are ways to make my stuff work via ssh, but it'll likely mean alot of rework for me, plus some CPU overhead for the encryption. Although, I suspect the actual data flow over PVM won't be encrypted, just the permissions to kick off the remote job via the ssh equiv of rsh.

The nodes are only accesible from the server ... seperate network. And there is absolutely nothing of value on the nodes ... just the OS install and NFS mounts of the server volumes. Can anybody see any point to locking them down like this?

And here's the real kicker ... I can still get on the server remotely by rlogin!?! :roll: I always use ssh to actually login to the server, but tried rlogin when I found this.

 

[n0cmonkey]

What's the issue exactly? I'm practically braindead today.

 

[Armitage]

Originally posted by: n0cmonkey
What's the issue exactly? I'm practically braindead today.

Cliff's note's for n0cmonkey

Is there any point to turning off rlogin services to the nodes of a beowulf cluster?

Other then pissing off Armitage of course, which seems to be a popular pastime around here lately :disgust::laugh:

 

[n0cmonkey]

Originally posted by: Armitage

Originally posted by: n0cmonkey
What's the issue exactly? I'm practically braindead today.

Cliff's note's for n0cmonkey

Is there any point to turning off rlogin services to the nodes of a beowulf cluster?

Other then pissing off Armitage of course, which seems to be a popular pastime around here lately :disgust::laugh:

Thanks. I did read the whole thing, multiple times in fact. I just couldn't find the point.

Security is best in layers. The r services have been obsolete for a long time, and the overhead of SSH shouldn't be too bad. Plus there are several other security enhancements in OpenSSH that are not available on any r service I'm aware of (besides the encryption and authentication ).

IIRC, the biggest hit in SSH comes from the authentication computations. With SSH multiplexing (available in atleast the latest version of OpenSSH), that isn't necessary as often.

 

[Armitage]

Originally posted by: n0cmonkey

Originally posted by: Armitage

Originally posted by: n0cmonkey
What's the issue exactly? I'm practically braindead today.

Cliff's note's for n0cmonkey

Is there any point to turning off rlogin services to the nodes of a beowulf cluster?

Other then pissing off Armitage of course, which seems to be a popular pastime around here lately :disgust::laugh:

Thanks. I did read the whole thing, multiple times in fact. I just couldn't find the point.

Security is best in layers. The r services have been obsolete for a long time, and the overhead of SSH shouldn't be too bad. Plus there are several other security enhancements in OpenSSH that are not available on any r service I'm aware of (besides the encryption and authentication ).

IIRC, the biggest hit in SSH comes from the authentication computations. With SSH multiplexing (available in atleast the latest version of OpenSSH), that isn't necessary as often.

But there is nothing to protect here? To get at the nodes, you have to already be on the server. If you're already on the server, you've got everything anyway, no need to mess around with the nodes.

And the server IS running r services ... it's kinda like leaving the front door of your house open, but deadbolting all the empty closets?!?

I guess I'm just annoyed because I'm working on this project on my own time, and now I've got to figure out how to make PVM & such work over SSH :|

 

[n0cmonkey]

Originally posted by: Armitage

Originally posted by: n0cmonkey

Originally posted by: Armitage

Originally posted by: n0cmonkey
What's the issue exactly? I'm practically braindead today.

Cliff's note's for n0cmonkey

Is there any point to turning off rlogin services to the nodes of a beowulf cluster?

Other then pissing off Armitage of course, which seems to be a popular pastime around here lately :disgust::laugh:

Thanks. I did read the whole thing, multiple times in fact. I just couldn't find the point.

Security is best in layers. The r services have been obsolete for a long time, and the overhead of SSH shouldn't be too bad. Plus there are several other security enhancements in OpenSSH that are not available on any r service I'm aware of (besides the encryption and authentication ).

IIRC, the biggest hit in SSH comes from the authentication computations. With SSH multiplexing (available in atleast the latest version of OpenSSH), that isn't necessary as often.

But there is nothing to protect here? To get at the nodes, you have to already be on the server. If you're already on the server, you've got everything anyway, no need to mess around with the nodes.

And the server IS running r services ... it's kinda like leaving the front door of your house open, but deadbolting all the empty closets?!?

I guess I'm just annoyed because I'm working on this project on my own time, and now I've got to figure out how to make PVM & such work over SSH :|

Yeah, that doesn't make much sense.

SSH is a replacement for rsh (not telnet, as most people think ). It shouldn't be tough to do, especially with key authentication instead of password auth.

Or just tell the admin to turn the r services back on.

 

[Armitage]

Originally posted by: n0cmonkey

Or just tell the admin to turn the r services back on.

Turns out PVM is gone completely also, and, of course, he's off until the week after thanksgiving :disgust:

I have it almost working with a local install of PVM & public key authentication. What's a few extra hours, right?

 

[Armitage]

FWIW, r services got turned back on ... run time roughly cut in half. Crunching out 17,000 SSH authentications leaves a bit of a mark.

 

[n0cmonkey]

Originally posted by: Armitage
FWIW, r services got turned back on ... run time roughly cut in half. Crunching out 17,000 SSH authentications leaves a bit of a mark.

SSH multiplexing would help with that.

 

[Armitage]

Originally posted by: n0cmonkey

Originally posted by: Armitage
FWIW, r services got turned back on ... run time roughly cut in half. Crunching out 17,000 SSH authentications leaves a bit of a mark.

SSH multiplexing would help with that.

Turning it off helped more
But out of curiosity, what is SSH multiplexing? A quick google didn't seem to turn up anything useful on the first page or so.