
Open MPI User's Mailing List Archives


Subject: Re: [OMPI users] password-less ssh
From: Reuti (reuti_at_[hidden])
Date: 2010-02-19 18:46:27


Hi,

Am 20.02.2010 um 00:11 schrieb Eugene Loh:

> Okay, yes, setting SSH_AUTH_SOCK is the right thing to do, but this
> strikes me as clumsy. I'm trying to understand how things should
> be set up so that I don't have to take special action each time I
> log in. Do I do some .login/.logout magic?
>
> Or, why not just go without a DSA passphrase? The passphrase only
> protects me from root, before whom I am rather powerless anyhow.

You mean that root could use your ssh key? When you have an agent
running, root can hijack the created socket in /tmp. You can find a
good explanation here:

http://unixwiz.net/techtips/ssh-agent-forwarding.html

KDE and Gnome start the agent automatically once you use ssh-add
(sometimes the graphical ssh-askpass is missing and must be
installed). I have a small script somewhere to recover a saved agent
configuration once it was started, even for non-graphical sessions.
I'll post it later.

But there is more to discuss. Some even suggest encrypting the
~/.ssh/known_hosts file, so that no one would know where you used to
log in once they have intruded into your account. But most likely
it's in the bash history anyway, so a HISTIGNORE="ssh*:scp*" would be
necessary in bash. And as a next step, any convenient setting in
~/.ssh/config can't be used to abbreviate the logins... But it's good
to use a passphrase anyway, although it can be cracked locally by an
attempt to change it with `ssh-keygen -y` - no delay from failed
login attempts, so it could be really fast...

I also suggest following the complete thread starting with:

http://ftp.beowulf.org/archive/2009-September/026424.html

from

http://ftp.beowulf.org/archive/2009-September/thread.html

which ended in using hostbased authentication inside a cluster.

> Also, the OMPI FAQ says authorized_keys should have 644
> protection. Out on the web, it appears people advise 600, which
> doesn't make sense to me since it just has public keys in it
> anyhow. (My head is starting to spin.)

Correct, 644 is fine.

-- Reuti

> Kenneth Yoshimoto wrote:
>
>> After you start up ssh-agent once, check env for SSH_AUTH_SOCK
>>
>> If you start a new session and the old ssh-agent is still running,
>> try setting SSH_AUTH_SOCK.
>>
>> I think there are more refined utilities out there to handle this
>> situation...
>>
>> On Fri, 19 Feb 2010, Eugene Loh wrote:
>>
>>> Date: Fri, 19 Feb 2010 13:19:13 -0800
>>> From: Eugene Loh <Eugene.Loh_at_[hidden]>
>>> Reply-To: Open MPI Users <users_at_[hidden]>
>>> To: Open MPI Users <users_at_[hidden]>
>>> Subject: [OMPI users] password-less ssh
>>>
>>> This is with regards to http://www.open-mpi.org/faq/?
>>> category=rsh#ssh-keys
>>>
>>> It says to check if you have an ssh-agent running. How are you
>>> supposed to do that? I've tried "ps -u myusername | grep ssh-
>>> agent", but didn't know if that's the proper thing to do.
>>>
>>> Also, it appears that I do *NOT* have an ssh-agent running
>>> automatically for me. How often do I have to start one up? It
>>> appears that if I start one up and log out and then log back in
>>> again, the old ssh-agent is still there but not usable. I have
>>> to start up a new one. So, do I have to start an ssh-agent each
>>> time I log in?
>>>
>>> Or, I could use no DSA passphrase, but that seems to be frowned
>>> upon.
>>
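One way to do what Kenneth and Reuti describe above, reusing a single
ssh-agent across logins by saving its environment and checking that the
saved socket and agent process still exist before exporting them. This
is an added example, not Reuti's script; the ~/.ssh/agent.env path and
the AGENT_ENV variable are my own assumptions.

```shell
#!/bin/sh
# Reuse one ssh-agent across logins instead of starting a fresh one
# each time. Source this from ~/.profile. AGENT_ENV is an assumed path.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# agent_alive SOCK PID: succeed only if SOCK is a unix socket and the
# agent process PID is still running (a stale file alone is not enough).
agent_alive() {
    [ -S "$1" ] && kill -0 "$2" 2>/dev/null
}

# parse_agent_env FILE: extract "SOCK PID" from saved `ssh-agent -s`
# output (lines like "SSH_AUTH_SOCK=/tmp/...; export SSH_AUTH_SOCK;").
parse_agent_env() {
    sock=$(sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$1")
    pid=$(sed -n 's/^SSH_AGENT_PID=\([^;]*\);.*/\1/p' "$1")
    [ -n "$sock" ] && [ -n "$pid" ] || return 1
    printf '%s %s\n' "$sock" "$pid"
}

# load_or_start_agent: export a still-live saved agent; otherwise start
# a new agent and save its environment with owner-only permissions.
load_or_start_agent() {
    if [ -r "$AGENT_ENV" ] && vals=$(parse_agent_env "$AGENT_ENV"); then
        set -- $vals
        if agent_alive "$1" "$2"; then
            SSH_AUTH_SOCK=$1; SSH_AGENT_PID=$2
            export SSH_AUTH_SOCK SSH_AGENT_PID
            return 0
        fi
    fi
    # umask 077 so the saved socket path is not world-readable.
    ( umask 077; ssh-agent -s > "$AGENT_ENV" ) || return 1
    . "$AGENT_ENV" > /dev/null
}
```

After sourcing, `ssh-add -l` shows whether keys are loaded; if it
reports no agent, the saved entry was stale and a new agent was started.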