cluster:157 [2017/03/29 09:38] hmeij07 [Centralize Key Management]
cluster:157 [2017/04/06 14:35] hmeij07
Line 4: | Line 4: | ||
==== Centralize SSH Key Management ==== | ==== Centralize SSH Key Management ==== | ||
- | Lest assume we have 3 colleges (CollegeA, CollegeB, CollegeC) and we write a grant proposal and each institution will do something unique science wise. Grant gets funded and specialized hardware or software gets deployed at each college (for maybe brain scan analyses, deep learning, and engineering). | + | Lets assume we have 3 colleges (CollegeA, CollegeB, CollegeC) and we write a grant proposal and each institution will do something unique science wise. Grant gets funded and specialized hardware or software gets deployed at each college (for maybe brain scan analyses, deep learning, and engineering). |
The grant mentioned that all members of participating colleges can request access at any college. How would one do that without a mess developing? Nobody, not even admins, should have access to any user level passwords. Accounts should be able to be revoked. CPU usage should be accountable. In short, some sort of " | The grant mentioned that all members of participating colleges can request access at any college. How would one do that without a mess developing? Nobody, not even admins, should have access to any user level passwords. Accounts should be able to be revoked. CPU usage should be accountable. In short, some sort of " | ||
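Review bot: the corrected word at the start of the first prose line should be "Let's" (with the apostrophe, as the contraction of "let us"), not "Lets"; "science wise" in the same sentence also wants a hyphen ("science-wise"). The second line lists the acceptance criteria for whatever scheme follows (no one, not even admins, holds user passwords; accounts can be revoked; CPU usage is accountable), so the key-management workflow further down should be read against exactly those three requirements.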
Line 11: | Line 11: | ||
* http:// | * http:// | ||
- | I asked the OpenHPC community and got some great suggestions back. One involved using Kerberos without tickets and tying into Active | + | I asked the OpenHPC community and got some great suggestions back. One involved using Kerberos without tickets and tying into Active |
+ | ** SSH public key authentication** | ||
+ | |||
+ | On a selected collge, behind the firewall, set up a management server. In the ''/ | ||
+ | |||
+ | * '' | ||
+ | |||
+ | For this example, the /etc, /etc/ssh, and / | ||
+ | |||
+ | < | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | </ | ||
+ | |||
+ | We need to collect all '' | ||
+ | |||
+ | Workflow | ||
+ | * User hmeij of CollegeA (Wesleyan) requests access to College[B|C], | ||
+ | * Script does the following steps, figures out next UID/GID, referer ip yields prefix | ||
+ | * echo " | ||
+ | * useradd -u 15001 -g 15001 weshmeij | ||
+ | * echo `date | md5sum | awk ' | ||
+ | * su - weshmeij -c " | ||
+ | * mv / | ||
+ | * chown root:root / | ||
+ | * cat / | ||
+ | * CollegeA user hmeij saves private key to $HOME/ | ||
+ | * script finishes; rm -f / | ||
+ | |||
+ | Hmm, this requires that at CollegeA user hmeij can switch to weshmeij credentials before connecting to CollegeB (echo "$unm $localhost=/ | ||
+ | |||
+ | Ahh, since | ||
**Kerberos & AD** | **Kerberos & AD** | ||
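Review bot: the passphrase generated in the step "echo `date | md5sum | awk '..." is derived from the current timestamp, so anyone who can estimate when the account was created can reproduce it; draw it from a CSPRNG instead (for example "openssl rand -base64 32"). Two further points in the same workflow: (1) the key pair is generated on the management server under the new account ("su - weshmeij -c ...") and the private key is then shown with "cat" for the CollegeA user to save under $HOME/, which is at odds with the requirement stated earlier that nobody, not even admins, has access to user credentials; have the user generate the key pair on their own machine and submit only the public key, so the management server holds public keys only and the "mv", "chown root:root" and "rm -f" steps for the private key become unnecessary. (2) "useradd -u 15001 -g 15001 weshmeij" requires group 15001 to exist already; the "figures out next UID/GID" step should be followed by "groupadd -g 15001 weshmeij" before the useradd, or drop "-g" and let useradd create the user private group.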
Line 18: | Line 53: | ||
< | < | ||
- | 1. install pam by run commands "yum install pam", "yum install pam_krb5", | + | 1. install pam by run commands "yum install pam", "yum install pam_krb5", |
+ | The last package is needed on a log-in node, it's not required on compute nodes. | ||
2. Modify / | 2. Modify / | ||
- | (Note for historical reasons we use both upper case and lower case for our kerberos domains. Both resolkve | + | (Note for historical reasons we use both upper case and lower case for our kerberos domains. |
+ | Both resolve | ||
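Review bot: "install pam by run commands" on the first line should read "install pam by running the commands"; it is unchanged on both sides, so it is worth fixing in the same edit as the "resolkve" to "resolve" correction below it. The added sentence that the last package is only needed on a login node (not on compute nodes) is a useful scoping note; "log-in" should be spelled "login" to match "login node" usage elsewhere on the page.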
Line 95: | Line 132: | ||
| | ||
| | ||
- | 8. Modify / | + | 8. Modify / |
+ | making any changes needed to fit this into your setup. | ||
Line 153: | Line 191: | ||
| | ||
| | ||
- | | + | |
+ | |||
+ | (optional, if the difference of the system time to the ntp server time is too long, | ||
+ | this command can synchronize the system time to the ntp server) | ||
- | 10. If all the above steps are done but it still doesn' | + | 10. If all the above steps are done but it still doesn' |
+ | or all of the following | ||
- | | + | |
+ | run " | ||
+ | " | ||
+ | modify / | ||
+ | and run " | ||
</ | </ |
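Review bot: the added parenthetical on the ntp step says "if the difference of the system time to the ntp server time is too long"; that should be "too large" (it is a clock offset, not a duration), and the step should not be labelled optional: Kerberos rejects authentication when the client and KDC clocks differ by more than the configured skew tolerance (typically five minutes), so the nodes need a running ntp client that keeps them in sync rather than a one-off correction that is only run when login already fails. In the troubleshooting step 10, the new "or all of the following" wording should make explicit whether the listed actions (run ..., modify /..., and run ...) are alternatives to try one at a time or a sequence to apply together, since the two readings lead to different config states.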