This shows you the differences between two versions of the page.
cluster:157 [2017/03/29 13:52] hmeij07
cluster:157 [2017/04/06 19:31] (current) hmeij07
Line 4: | Line 4: | ||
==== Centralize SSH Key Management ==== | ==== Centralize SSH Key Management ==== | ||
- | Lest assume we have 3 colleges (CollegeA, CollegeB, CollegeC) and we write a grant proposal and each institution will do something unique science wise. Grant gets funded and specialized hardware or software gets deployed at each college (for maybe brain scan analyses, deep learning, and engineering). | + | Lets assume we have 3 colleges (CollegeA, CollegeB, CollegeC) and we write a grant proposal and each institution will do something unique science wise. Grant gets funded and specialized hardware or software gets deployed at each college (for maybe brain scan analyses, deep learning, and engineering). |
The grant mentioned that all members of participating colleges can request access at any college. How would one do that without a mess developing? Nobody, not even admins, should have access to any user level passwords. Accounts should be able to be revoked. CPU usage should be accountable. In short, some sort of " | The grant mentioned that all members of participating colleges can request access at any college. How would one do that without a mess developing? Nobody, not even admins, should have access to any user level passwords. Accounts should be able to be revoked. CPU usage should be accountable. In short, some sort of " | ||
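Review bot: the corrected opening sentence still reads "Lets assume" where "Let's assume" is meant, and "science wise" reads better hyphenated as "science-wise"; since this hunk already touches that sentence, both can be fixed in the same revision.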
Line 15: | Line 15: | ||
** SSH public key authentication** | ** SSH public key authentication** | ||
- | [need a way to collect key files, push them out, and manage passwd/ | + | On a selected collge, behind the firewall, set up a management server. |
- | + | ||
- | In the ''/ | + | |
* '' | * '' | ||
- | For this example, the /etc, /etc/ssh, and / | + | For this example, the /etc, /etc/ssh, and / |
< | < | ||
- | # ls -ld /etc /etc/ssh / | ||
| | ||
| | ||
| | ||
- | -rwxr-xr-x 2 root root 1024 Mar 29 11:01 / | + | -r--r--r-- 2 root root 1024 Mar 29 11:01 / |
</ | </ | ||
- | The sshd service interprets | + | We need to collect all '' |
+ | |||
+ | Workflow | ||
+ | * User hmeij of CollegeA (Wesleyan) requests access to College[B|C], | ||
+ | * Script does the following steps, figures out next UID/GID, referer ip yields prefix | ||
+ | * echo " | ||
+ | * useradd -u 15001 -g 15001 weshmeij | ||
+ | * echo `date | md5sum | awk ' | ||
+ | * su - weshmeij -c "ssh-keygen -b 2048 -t rsa -f /home/ | ||
+ | * mv / | ||
+ | * chown root:root / | ||
+ | * cat / | ||
+ | * CollegeA user hmeij saves private key to $HOME/ | ||
+ | * script finishes; rm -f / | ||
+ | * that night college[A|B|C] root retrieves all lines in the range 15001-30000 | ||
+ | * makes home dirs if they do not exist (parse lines build useradd, or via pam.d/ | ||
+ | * download public keys, updates in / | ||
+ | * replaces local passwd/ | ||
+ | * user hmeij@wes: ssh weshmeij@openhpc.lafayette.edu -i / | ||
- | Use a secure, automated method to distribute | + | That would work. Nobody knows the passwords for these guest accounts. |
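Review bot: the guest account's private key is generated on the management server and then shown back to the requesting user (the ssh-keygen step followed by the cat step in the workflow list, with rm -f only at the end), so the server's disk and whatever channel carries that output hold every user's private key for a while, which sits uneasily with the earlier requirement that nobody, not even admins, has access to user-level credentials; the usual pattern is for the user to run ssh-keygen on their own workstation and submit only the public key, leaving the central script to collect and distribute public keys alone. The password step built from `date | md5sum` derives the account password from the creation time, which anyone who can guess roughly when the account was created can reproduce; since access is meant to be key-only, locking the password (passwd -l) avoids creating a guessable secret at all. The nightly step that replaces the local passwd/group files from the retrieved 15001-30000 range should check the download (non-empty, well-formed lines, UIDs actually in range) before overwriting, so a failed or partial fetch cannot silently remove every guest account on a college's system.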