[torqueusers] undelivered output of jobs
siegert at sfu.ca
Thu Jun 5 14:56:44 MDT 2008
On Thu, Jun 05, 2008 at 04:24:10PM -0400, Steve Young wrote:
> Each user running a job needs to have all the host keys for all the
> machines they will run on saved in their known_hosts file. This
> includes the name of the torque server.

No, you don't need to store the keys in the users' known_hosts files;
store them in the system-wide /etc/ssh/ssh_known_hosts file instead.

However, there is one more issue we just ran into:
To enable passwordless ssh we use hostbased authentication. This is
fine as long as the torque server is not on a public network.
However, if the torque server is also your login server/head node
for the cluster, this makes me nervous. Unfortunately there
appears to be nothing in the sshd configuration that allows one to
restrict hostbased access from a particular network only.

I can think of two solutions to this problem:
1) Run a second sshd on the torque server that listens on a
   different port, e.g., 12345, and only that sshd is configured
   to allow hostbased access. Port 12345 is blocked on the public
   interface and torque is configured with RCP_ARGS="-P 12345 -rpB".

2) Use rcp instead of scp and access restrictions in /etc/xinetd.d/rsh
   and/or /etc/hosts.allow. (afaik this solution does not work on
   large clusters because rsh can run out of ports).

Head, Research Computing
WestGrid Site Lead
Client and Research Services phone: 778 782-4691
Simon Fraser University fax: 778 782-4242
Burnaby, British Columbia email: siegert at sfu.ca
Canada V5A 1S6
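
Added example, not part of the original message and not TORQUE or OpenSSH code: a check for the first option above (the second sshd on port 12345) that reports listen addresses outside the cluster network on which an sshd configuration offers hostbased authentication. The sample configs, the 10.1.0.0/16 cluster network, and the use of ListenAddress in addition to the port block are assumptions.

```python
import ipaddress

# Constructed sample configs; addresses and the cluster network are assumptions.
PUBLIC_SSHD = "Port 22\nHostbasedAuthentication no\n"
INTERNAL_SSHD = "Port 12345\nListenAddress 10.1.0.1\nHostbasedAuthentication yes\n"
# Misconfiguration: hostbased access enabled, no ListenAddress (binds everywhere).
EXPOSED_SSHD = "Port 12345\nHostbasedAuthentication yes\n"


def parse_global(text):
    """Collect global sshd_config keywords; parsing stops at the first Match block."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            break
        # Port/ListenAddress accumulate; for other keywords callers use the first value.
        opts.setdefault(key, []).extend(args)
    return opts


def hostbased_exposure(text, cluster_net):
    """Return listen addresses outside cluster_net that offer hostbased auth."""
    opts = parse_global(text)
    # sshd's default for HostbasedAuthentication is "no".
    if opts.get("hostbasedauthentication", ["no"])[0].lower() != "yes":
        return []
    net = ipaddress.ip_network(cluster_net)
    # Without ListenAddress, sshd listens on all local addresses.
    exposed = []
    for addr in opts.get("listenaddress", ["0.0.0.0"]):
        host = addr
        if host.startswith("["):              # [address]:port form
            host = host[1:host.index("]")]
        elif host.count(":") == 1:            # IPv4:port form
            host = host.split(":")[0]
        try:
            inside = ipaddress.ip_address(host) in net
        except ValueError:
            inside = False                    # hostname: cannot verify, report it
        if not inside:
            exposed.append(addr)
    return exposed
```

An empty list means the config either does not enable hostbased authentication or binds only to addresses inside the given network; the firewall rule for the port still has to be checked separately.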