[torqueusers] undelivered output of jobs

Martin Siegert siegert at sfu.ca
Thu Jun 5 14:56:44 MDT 2008


On Thu, Jun 05, 2008 at 04:24:10PM -0400, Steve Young wrote:
> Each user running a job needs to have all the host keys for all the  
> machines they will run on saved in their known_hosts file.  This  
> includes the name of the torque server.

No, you don't need to store the keys in the users' known_hosts files;
store them in the system wide /etc/ssh/ssh_known_hosts file instead.

However, there is one more issue we just ran into:
To enable passwordless ssh we use hostbased authentication. This is
fine as long as the torque server is not on a public network.
However, if the torque server is also your login server/head node
for the cluster, this makes me nervous. Unfortunately there
appears to be nothing in the sshd configuration that allows to
restrict hostbased access from a particular network only.

I can think of two solutions to this problem:
1) Run a second sshd on the torque server that listens on a
   different port, e.g., 12345, and only that sshd is configured
   to allow hostbased access. Port 12345 is blocked on the public
   interface and torque is configured with RCP_ARGS="-P 12345 -rpB".
2) Use rcp instead of scp and access restrictions in /etc/xinetd.d/rsh
   and/or /etc/hosts.allow. (afaik this solution does not work on
   large clusters because rsh can run out of ports).

Anything else?

Cheers,
Martin

-- 
Martin Siegert
Head, Research Computing
WestGrid Site Lead
Client and Research Services               phone: 778 782-4691
Simon Fraser University                    fax:   778 782-4242
Burnaby, British Columbia                  email: siegert at sfu.ca
Canada  V5A 1S6


More information about the torqueusers mailing list